**************Introductory Note**********************
MIRLN (Misc. IT Related Legal News) is a free product of the American Bar Association’s Cyberspace Law Committee and Dickinson Wright PLLC. Dickinson Wright’s IT & Security Law practice group is described at http://tinyurl.com/joo5y.
Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.abanet.org/dch/committee.cfm?com=CL320000 (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley (vpolley@REMOVETHISSTRINGvip-law.com) with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.
Recent MIRLN editions are archived at www.vip-law.com and blogged at http://mirln.blogspot.com/.
**************End of Introductory Note***************
CONFIDENTIALITY. NOT OK TO LOOK AT METADATA IN ALABAMA (Freivogel on Conflicts, 2 May 2007) -- The [Alabama Ethics] Committee opined that lawyers have a duty under Rule 1.6 to scrub metadata from certain documents. The Committee also opined that it is a violation of Rule 8.4 for lawyers to “mine” metadata from documents received from opponents. The Committee relied specifically upon N.Y. Ops. 749 (2001) & 782 (2004). The Committee did not mention ABA Op. 06-442 (Aug. 2006), which said that mining for metadata was not a violation of ethics rules. http://www.freivogelonconflicts.com/new_page_1.htm Opinion at http://www.alabar.org/ogc/PDF/2007-02.pdf
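The opinion turns on what a document carries beyond its visible text. As an added example that is not part of the MIRLN text or of the Alabama opinion, the script below opens a .docx (a zip archive of XML parts), reports what an opponent "mining" the file would see without opening Word (author and last-modifier fields from docProps/core.xml, text still present inside tracked deletions, comment text), and then writes a scrubbed copy with author fields blanked, comments removed and tracked changes accepted. The sample document, the names and the dollar figures in it are constructed for the example; a real scrubber would also have to cover headers, footers, footnotes and any other parts this script does not touch.

```python
"""Added example (not from the Alabama opinion or the MIRLN text): inspect
the metadata a .docx carries, then produce a scrubbed copy.  The sample
document is constructed inline; a real file would be read from disk."""
import io
import zipfile
import xml.etree.ElementTree as ET

CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"cp": CP, "dc": DC, "w": W}
for prefix, uri in NS.items():          # keep Word's prefixes when re-serialising
    ET.register_namespace(prefix, uri)

def w(tag):                              # Clark-notation helper for WordprocessingML
    return f"{{{W}}}{tag}"

# Constructed sample: a settlement letter with one tracked change and one
# comment (only the package parts this script reads are included).
SAMPLE_CORE = f"""<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">
<dc:creator>Alice Associate</dc:creator>
<cp:lastModifiedBy>Bob Partner</cp:lastModifiedBy><cp:revision>17</cp:revision>
</cp:coreProperties>"""
SAMPLE_DOC = f"""<w:document xmlns:w="{W}"><w:body><w:p>
<w:r><w:t>Our client will accept </w:t></w:r>
<w:del w:author="Bob Partner"><w:r><w:delText>$250,000</w:delText></w:r></w:del>
<w:ins w:author="Bob Partner"><w:r><w:t>$400,000</w:t></w:r></w:ins>
<w:commentRangeStart w:id="0"/><w:r><w:t> to settle.</w:t></w:r>
<w:commentRangeEnd w:id="0"/><w:r><w:commentReference w:id="0"/></w:r>
</w:p></w:body></w:document>"""
SAMPLE_COMMENTS = f"""<w:comments xmlns:w="{W}"><w:comment w:id="0" w:author="Bob Partner">
<w:p><w:r><w:t>Walk-away is 300k.</w:t></w:r></w:p></w:comment></w:comments>"""

def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", SAMPLE_CORE)
        z.writestr("word/document.xml", SAMPLE_DOC)
        z.writestr("word/comments.xml", SAMPLE_COMMENTS)
    return buf.getvalue()

def inspect_metadata(docx: bytes) -> dict:
    """What an opponent 'mining' the file sees without opening Word."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        doc = ET.fromstring(z.read("word/document.xml"))
        comments = (ET.fromstring(z.read("word/comments.xml"))
                    if "word/comments.xml" in z.namelist() else None)
    return {
        "creator": core.findtext("dc:creator", "", NS),
        "last_modified_by": core.findtext("cp:lastModifiedBy", "", NS),
        "deleted_text": [e.text or "" for e in doc.iter(w("delText"))],
        "insertions": sum(1 for _ in doc.iter(w("ins"))),
        "comments": [] if comments is None else
                    ["".join(t.text or "" for t in c.iter(w("t")))
                     for c in comments.iter(w("comment"))],
    }

def visible_text(docx: bytes) -> str:
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        doc = ET.fromstring(z.read("word/document.xml"))
    return "".join(t.text or "" for t in doc.iter(w("t")))

def _accept_changes(root):
    """Accept insertions, discard deletions, strip comment anchors in place."""
    parent = {c: p for p in root.iter() for c in p}
    for el in list(root.iter()):
        p = parent.get(el)
        if p is None:
            continue
        if el.tag in (w("del"), w("commentRangeStart"), w("commentRangeEnd")):
            p.remove(el)
        elif el.tag == w("ins"):               # hoist the inserted runs
            idx = list(p).index(el)
            p.remove(el)
            for i, child in enumerate(list(el)):
                p.insert(idx + i, child)
        elif el.tag == w("commentReference"):  # drop the run that anchors it
            gp = parent.get(p)
            if gp is not None:
                gp.remove(p)

def scrub(docx: bytes) -> bytes:
    """Copy with author fields blanked, comments gone and changes accepted."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        for name in src.namelist():
            if name == "word/comments.xml":
                continue                        # drop the comments part entirely
            data = src.read(name)
            if name in ("docProps/core.xml", "word/document.xml"):
                root = ET.fromstring(data)
                if name == "docProps/core.xml":
                    for tag in ("dc:creator", "cp:lastModifiedBy", "cp:revision"):
                        el = root.find(tag, NS)
                        if el is not None:
                            el.text = ""
                else:
                    _accept_changes(root)
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            z.writestr(name, data)
    return out.getvalue()

if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", inspect_metadata(sample))
    print("after: ", inspect_metadata(scrub(sample)))
```

The inspection step is the "mining" the Committee objects to: the rejected $250,000 figure and the "walk-away" comment never appear on screen or on paper, yet both sit in the file in plain XML. Word's own Document Inspector performs the equivalent of scrub() and is the practical way to meet the Rule 1.6 duty the opinion describes; the script only shows what that step removes.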
SUPREME COURT DECISION CHALLENGES SOFTWARE PATENTS (Physorg.com, 4 May 2007) -- When the Supreme Court of the United States ruled for KSR in the case of KSR Int’l Co. v. Teleflex Inc., it also served notice to the software industry that major changes may be afoot in both the granting and protecting of existing software patents. For several years now, software patents have frequently been seen by many as stifling innovation, granting intellectual property claims for ideas that had been around for decades and awarding the companies that hold them hundreds of millions of dollars - such as in RIM vs. NTP - even when the patents themselves have been rejected by the U.S. Patent and Trademark Office. Now, as Pamela Jones, editor of the intellectual property law news site Groklaw, noted, “The standout paragraph” in the decision written by Supreme Court Justice Anthony Kennedy read: “We build and create by bringing to the tangible and palpable reality around us new works based on instinct, simple logic, ordinary inferences, extraordinary ideas, and sometimes even genius. These advances, once part of our shared knowledge, define a new threshold from which innovation starts once more. And as progress beginning from higher levels of achievement is expected in the normal course, the results of ordinary innovation are not the subject of exclusive rights under the patent laws. Were it otherwise patents might stifle, rather than promote, the progress of useful arts.” Jones, a paralegal, observed, “The court has raised the obviousness bar, or as they probably view it put it back where the founding fathers meant it to be.” Lawrence Rosen, a partner in the law firm Rosenlaw & Einschlag and well-known open-source law expert, is inclined to agree. “As of April 30, many fewer patents will be valid under the Supreme Court’s newly articulated obviousness standard for patentability. Software developers and distributors are at much less risk of being sued over obvious patents.” Another result, according to Rosen, should be that “[t]he quality of issued software patents will rise, but there will be far fewer of them.” Daniel Ravicher, attorney and the head of the Public Patent Foundation, a nonprofit legal services organization that represents the public’s interests against the harms caused by the patent system, isn’t quite so optimistic: “Well, what the KSR case says is one thing, while what the Federal Circuit - the pro-patent appeals court - does in response to KSR may be quite another. We know the Supreme Court will not take every patent case, so we’ll have to wait and see what the Federal Circuit does with this new instruction.” Ravicher continued, “KSR will make it easier for challengers to prove software patents are invalid for being obvious. But just because the task is easier doesn’t necessarily mean more people will take up the task. It’s still expensive and timely to challenge a software patent, so people need to have the right incentives to do so.” Richard Fontana, counsel for the Software Freedom Law Center, which provides legal representation and other law-related services to protect and advance free and open-source software, agrees with Ravicher on this point. “KSR will make it easier for deep-pockets defendants in patent infringement cases to successfully challenge the validity of software patents,” he said. “Although the KSR case itself dealt with fairly simple mechanical technology, it is peculiarly relevant to software patents, since so many software patents involve combinations of elements that themselves are easily shown to be old technology,” said Fontana. “The overall effect may be a diminution in the value of patents, particularly software patents, and therefore perhaps some reduction in the amount of litigation.” http://pda.physorg.com/lofi-news-software-patents-patent_97495316.html
BUSH WANTS PHONE FIRMS IMMUNE TO PRIVACY SUITS (Washington Post, 4 May 2007) -- The Bush administration is urging Congress to pass a law that would halt dozens of lawsuits charging phone companies with invading ordinary citizens’ privacy through a post-Sept. 11 warrantless surveillance program. The measure is part of a legislative package drafted by the Justice Department to relax provisions in the 1978 Foreign Intelligence Surveillance Act (FISA) that restrict the administration’s ability to intercept electronic communications in the United States. If passed, the proposed changes would forestall efforts to compel disclosure of the program’s details through Congress or the court system. The government asserts that the blanket immunity is necessary to protect sensitive national security information. “If companies are alleged to have cooperated with the government to protect our nation against another attack, they should not be held liable for any assistance they are alleged to have provided,” Justice Department spokesman Dean Boyd said. The immunity would be limited to assistance from Sept. 11, 2001, to the date the measure becomes law. http://www.washingtonpost.com/wp-dyn/content/article/2007/05/03/AR2007050302323.html
-- and --
VERIZON SAYS PHONE RECORD DISCLOSURE IS PROTECTED FREE SPEECH (ArsTechnica, 7 May 2007) -- Verizon is one of the phone companies currently being sued over its alleged disclosure of customer phone records to the NSA. In a response to the court last week, the company asked for the entire consolidated case against it to be thrown out--on free speech grounds. The response also alleges that the case should be thrown out because even looking into the issue could violate state secrets, of course, but a much longer section of the response tries to make the case that Verizon has a First Amendment right to “petition” the government. “Based on plaintiffs’ own allegations, defendants’ right to communicate such information to the government is fully protected by the Free Speech and Petition Clauses of the First Amendment,” argue Verizon’s lawyers. Essentially, the argument is that turning over truthful information to the government is free speech, and the EFF and ACLU can’t do anything about it. In fact, Verizon basically argues that the entire lawsuit is a giant SLAPP (Strategic Lawsuit Against Public Participation) suit, and that the case is an attempt to deter the company from exercising its First Amendment right to turn over customer calling information to government security services. “Communicating facts to the government is protected petitioning activity,” says the response, even when the communication of those facts would normally be illegal or would violate a company’s own promises to its customers. Verizon argues that, if the EFF and other groups have concerns about customer call records, the only proper remedy “is to impose restrictions on the government, not on the speaker’s right to communicate.” http://arstechnica.com/news.ars/post/20070507-verizon-says-phone-record-disclosure-is-protected-free-speech.html [Wow.]
FORGERY TRADE LOSSES ‘UNDER $200BN’ (Financial Times, 7 May 2007) -- International trade losses due to product counterfeiting and piracy are much lower than estimated by business lobby groups, according to the most detailed global study to date. Trade losses in 2005 were “up to $200bn”, according to the executive summary of a report by the Organisation for Economic Co-operation and Development, obtained by the Financial Times. This compares with the business estimates for international trade losses, ranging upwards from $600bn. The report, due for endorsement by the OECD board later this month, could prove embarrassing for international business lobbies, which have used the higher estimates to lift intellectual property rights up the global political agenda and to demand crackdowns in China and elsewhere. http://www.ft.com/cms/s/acbd064c-fcb9-11db-9971-000b5df10621.html
A BIG STRETCH (New York Times Op-Ed, 7 May 2007) -- I grew up watching my father stand on his head every morning. He was doing sirsasana, a yoga pose that accounts for his youthful looks well into his 60s. Now he might have to pay a royalty to an American patent holder if he teaches the secrets of his good health to others. The United States Patent and Trademark Office has issued 150 yoga-related copyrights, 134 patents on yoga accessories and 2,315 yoga trademarks. There’s big money in those pretzel twists and contortions -- $3 billion a year in America alone. It’s a mystery to most Indians that anybody can make that much money from the teaching of a knowledge that is not supposed to be bought or sold like sausages. Should an Indian, in retaliation, patent the Heimlich maneuver, so that he can collect every time a waiter saves a customer from choking on a fishbone? The Indian government is not laughing. It has set up a task force that is cataloging traditional knowledge, including ayurvedic remedies and hundreds of yoga poses, to protect them from being pirated and copyrighted by foreign hucksters. The data will be translated from ancient Sanskrit and Tamil texts, stored digitally and available in five international languages, so that patent offices in other countries can see that yoga didn’t originate in a San Francisco commune. It is worth noting that the people in the forefront of the patenting of traditional Indian wisdom are Indians, mostly overseas. We know a business opportunity when we see one and have exported generations of gurus skilled in peddling enlightenment for a buck. The two scientists in Mississippi who patented the medicinal use of turmeric, a traditional Indian spice, are Indians. So is the strapping Bikram Choudhury, founder of Bikram Yoga, who has copyrighted his method of teaching yoga -- a sequence of 26 poses in an overheated room -- and whose lawyers sent out threatening notices to small yoga studios that he claimed violated his copyright. But as an Indian, he ought to know that the very idea of patenting knowledge is a gross violation of the tradition of yoga. In Sanskrit, “yoga” means “union.” Indians believe in a universal mind -- brahman -- of which we are all a part, and which ponders eternally. Everyone has access to this knowledge. There is a line in the Hindu scriptures: “Let good knowledge come to us from all sides.” There is no follow-up that adds, “And let us pay royalties for it.” [snip] Drugs and hatha yoga have the same aim: to help us lead healthier lives. India has given the world yoga for free. No wonder so many in the country feel that the world should return the favor by making lifesaving drugs available at reduced prices, or at least letting Indian companies make cheap generics. If padmasana -- a k a the lotus position -- belongs to all mankind, so should the formula for Gleevec, the leukemia drug over whose patent a Swiss pharmaceuticals company is suing the Indian government. But the drug companies are playing rough. Abbott, based in Chicago, has decided to sell no new medicines in Thailand, in retaliation for that country’s producing generic versions of three lifesaving drugs. For decades, Indian law allowed its pharmaceutical companies to replicate Western-patented drugs and sell them at a lower price to countries too poor to afford them otherwise. In this way, India supplied half of the drugs used by H.I.V.-positive people in the developing world. But in March 2005, the Indian Parliament, under pressure to bring the country into compliance with the World Trade Organization’s regulations on intellectual property, passed a bill declaring it illegal to make generic copies of patented drugs. This has put life-saving antiretroviral medications out of reach of many of the nearly 6 million Indians who have AIDS. And yet, the very international drug companies that so fiercely protect their patents oppose India’s attempts to amend World Trade Organization rules to protect its traditional remedies. There’s more at stake than just the money involved in the commercial exploitation of traditional knowledge. There is also the perception that the world trading system is unfair, that the deck is stacked against developing countries. Unless the World Trade Organization and developed countries correct this, the entire project of globalization is at risk. If the copying of Western drugs is illegal, so should be the patenting of yoga. It is also intellectual piracy, stood on its head. http://www.nytimes.com/2007/05/07/opinion/07mehta.html?ex=1336190400&en=086cf83134beb7e5&ei=5090&partner=rssuserland&emc=rss
POLICE USE CELL PHONE-TRACKING TECHNOLOGY TO FIND HEART TRANSPLANT PATIENT (FindLaw, 8 May 2007) -- Pennsylvania Police located a 10-year-old boy awaiting a heart transplant by using global-positioning technology to find his mother’s cell phone, a technique usually used to locate criminals. John Paul May, of Harrisville, had the successful surgery at Children’s Hospital of Pittsburgh on Saturday night, but came dangerously close to being passed over for the donor heart until police tracked down the boy and his mother at a university jazz festival. The hospital called state police Saturday afternoon because officials could not reach May’s parents to let them know a donor heart had been found. When police could not find the boy or reach him by phone, they contacted the cell phone company Sprint to get the coordinates of his mother’s cell phone. “The only time you can use it is life or death, or to track someone wanted in a homicide,” state police Cpl. James Green said. Otherwise, police must get a warrant from a judge. Using the coordinates, state police tracked the phone to a Slippery Rock University building. Police stopped the jazz concert that was happening and announced they were looking for May and his mother, Sue. http://news.findlaw.com/ap/o/51/05-08-2007/218a000882be1865.html
MISSOURI REPORTS COMPUTER BREACH REVEALED OF MORE THAN 22,000 STUDENTS’ PERSONAL INFORMATION (SiliconValley.com, 8 May 2007) -- A computer hacker accessed the Social Security numbers of more than 22,000 current or former students at the University of Missouri, the second such attack this year, school officials said Tuesday. The FBI is investigating. University officials said campus computer technicians confirmed a breach of a database last week by a user or users whose Internet accounts were traced to China and Australia. The hacker accessed personal information of 22,396 University of Missouri-Columbia students or alumni who also worked at one of the system’s four campuses in St. Louis, Kansas City, Rolla or Columbia in 2004. The hacker obtained the information through a Web page used to make queries about the status of trouble reports to the university’s computer help desk, which is based in Columbia. The information had been compiled for a report, but the data had not been removed from the computer system. In January, a hacker obtained the Social Security numbers of 1,220 university researchers, as well as personal passwords of as many as 2,500 people who used an online grant application system. http://www.siliconvalley.com/news/ci_5846931?nclick_check=1
INCLUSIVITY OR TOKENISM? (InsideHigherEd, 10 May 2007) -- The proposed panel seemed like a perfect pitch at a time when scholars in many fields are studying postcolonial identity and diaspora communities. The idea was to have scholars who study different regions and time periods examine issues of collective memory and identity in post-World War II Germany, modern Pakistan, and Japanese diaspora communities. The program committee for the next annual meeting for the American Historical Association liked the idea, too. There was just one little problem: The scholars involved are all men. “Since the AHA has a standing commitment to gender diversity on panels, the Program Committee has decided to require you to find a female participant, perhaps to serve as chair or a second commentator for your session,” said the notification the panel organizer received. Unless an acceptable additional participant is added, “we will be forced to reject your panel.” The response stunned Manan Ahmed, the organizer, who is preparing for his dissertation defense at the University of Chicago. After venting via e-mail with colleagues and joking about proposing that the panelists all appear in drag, he decided to go public with concerns about the AHA’s policy and blogged about it on Cliopatria. In his post, he said that he didn’t know what to do because he thought it would be insulting to ask a woman to join the panel just because she is a woman. Ahmed and his fellow panelists have been rescued. Rebecca A. Goetz, an assistant professor of history at Rice University, is a specialist on early North American history. She wouldn’t normally have put herself forward for the panel, but since it appeared that there was only one relevant qualification (in the eyes of the AHA), and she admires the work of the scholars who might otherwise be shut out of the meeting, she has become the chair of the panel. Ahmed said that he’s a fan of Goetz’s work, too, and has no doubt that she’ll offer some great insights, but when he sent in her name to the AHA, he just gave her name and institutional affiliation -- not including any explanation of how her work would fit into the theme of the panel (the kind of explanation provided about the other panelists). No matter -- the name “Rebecca” did the trick and the panel was immediately approved, no questions asked. While Goetz is happy to help out fellow historians, she’s more than a little annoyed about the historians’ policy -- about which she previously had no idea. “It’s offensive because it installs a woman simply for the sake of having a woman on the panel,” she writes on her blog, Historianess. http://insidehighered.com/news/2007/05/10/panels
CT RULES WEBSITE INTERACTIVITY IRRELEVANT FOR JURISDICTION (BNA’s Internet Law News, 10 May 2007) -- BNA’s Electronic Commerce & Law Report reports that an Illinois court has ruled that an interactive Web page offering out-of-state visitors the ability to set up an appointment and submit comments is merely an advertisement and will not support, consistently with due process, the assertion of general jurisdiction in forums where the Web site is viewed. The court rejected the sliding-scale approach established in Zippo. Case name is Howard v. Missouri Bone and Joint Ctr.
SUIT TARGETS YAHOO! FOR ACTIONS IN CHINA, USING AMERICAN LAW FROM 1789 (Steptoe & Johnson’s E-Commerce Law Week, 10 May 2007) -- What would the Founding Fathers have thought about tech companies’ alleged cooperation with Chinese censors? Thanks to a recent lawsuit invoking the 218-year-old Alien Tort Statute (ATS), the question is no longer academic. Last month, with the help of a U.S. human rights group, Chinese political prisoner Wang Xiaoning, his wife, and additional yet-to-be-identified individuals filed suit against Yahoo! and its Chinese subsidiaries and business partner in a federal court in California. Plaintiffs contend that, by allegedly voluntarily providing Chinese authorities with identifying information about plaintiffs and their communications, the defendants knowingly “aided and abetted” the Chinese government’s detention, torture, and mistreatment of Xiaoning and others. Plaintiffs allege that the defendants thereby contravened the Torture Victim Protection Act, the Electronic Communications Privacy Act, and California law. They also claim that the defendants are liable for violations of international law under the ATS, which grants U.S. courts jurisdiction over “any civil action by an alien for a tort only, committed in violation of the law of nations or a treaty of the United States.” Companies that operate abroad should watch this case closely, since a broad application of the ATS or one of the other laws at issue could significantly increase their risk of liability for cooperating with foreign law enforcement or security agencies. http://www.steptoe.com/publications-4476.html
JUDGES RULE ON HARD-TO-DISCOVER DATA (Law.com, 10 May 2007) -- Federal judges have published opinions for more than 50 e-discovery disputes since the landmark amendments to the Federal Rules of Civil Procedure governing the discovery of electronically stored information went into effect on Dec. 1, 2006. These cases give -- in almost real time -- valuable insight into how judges are interpreting the amendments. These cases provide direction on how to handle the identification, preservation, collection, review and production of ESI in litigation going forward. One commentator noted that these district court decisions serve an important role in providing de facto national standards for e-discovery disputes. This article will focus on two such cases, Best Buy Stores L.P. v. Developers Diversified Realty Corp. and Ameriwood Industries Inc. v. Liberman. These cases tackle a recurring problem -- the discovery of information stored on computer systems and sources that aren’t reasonably accessible. These difficult-to-access sources include backup tapes used for disaster recovery that aren’t catalogued or indexed and legacy data from systems that are currently unreadable. These sources may contain information responsive to a particular discovery request, but it would take considerable time and money to access, cull or produce data from them. …. http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1178701485189
FRANCE SLAPS TYCO ON THE WRIST FOR DATA PROTECTION DECEPTION (Steptoe & Johnson’s E-Commerce Law Week, 10 May 2007) -- Multinational companies spend an increasing amount of time worrying about data protection compliance, and this is indeed an important issue. However, enforcement reality does not necessarily match the level of compliance concern. This is well-illustrated by a recent enforcement action against Tyco Healthcare France (“Tyco”) by French data protection authority the Commission Nationale de l’Informatique et des Libertés (“CNIL”). The CNIL’s enforcement action followed a troubling tale of missteps by Tyco which culminated in an enforcement decision in December 2006, but which was only announced in mid-April this year. Although Tyco made some arguments defending its conduct, the CNIL concluded that “Tyco Healthcare France has clearly not understood the gravity of the failures of which it is accused concerning its lack of cooperation and transparency.” As a result, the CNIL decided to fine Tyco … sit down and hold onto your chair … the princely sum of €30,000. This has to be regarded as a slap on the wrist in the global scheme of regulatory enforcement. And it is reportedly only the second fine that the CNIL has ever issued for breach of French data protection laws. http://www.steptoe.com/publications-4476.html
BUSH’S PRIVACY BOARD NOT DOING ITS JOB? (Washington Post, 10 May 2007) -- The leaders of the Sept. 11 commission say a White House privacy board is not protecting civil liberties because it refuses to investigate allegations of illegal detention at Guantanamo Bay. “We urge they revisit the definition of their mission to include issues relating to the treatment of detainees,” former Rep. Lee Hamilton, D-Ind., said in a telephone interview Thursday. He and former New Jersey Gov. Tom Kean sent a pointed letter to the board this week outlining their concerns. “If they continue to hold to their position, we don’t think they’re doing their job,” Hamilton said. Mark Robbins, the board’s executive director, said board members had received the letter and would respond. The five-member White House privacy board began its work in March 2006 after a recommendation by the Sept. 11 commission. Last month, the board put out a 49-page annual report to Congress where it spelled out its mission and preliminary findings. Some of those conclusions are questionable and need fuller explanation, the Sept. 11 commission leaders wrote after reading the report. They cited the board’s assertion it had no power to review the Bush administration’s plans to limit lawyers’ access to nearly 400 detainees deemed as “enemy combatants” at Guantanamo Bay, as well as allegations of torture and coercive interrogation at the Cuba facility, because the incidents were not taking place on U.S. soil. The American Bar Association has criticized “arbitrary restrictions concerning the number of times and the ways that lawyers may confer with their clients in Guantanamo.” The limits would threaten competent representation without at all advancing national security, according to the lawyers’ group. “We cannot speak to an audience, foreign or domestic, on the question of civil liberties without the topic of Guantanamo coming up,” Hamilton said. “To ignore those and say they are not within the mandate is a too restrictive reading.” Also troubling was the board’s conclusion that two of the administration’s most controversial surveillance programs -- electronic eavesdropping and financial tracking -- do not violate citizens’ civil liberties, the commission leaders said. Hamilton and Kean also said they want to know more about the board’s efforts to review the FBI’s use of national security letters. Earlier this year, a lengthy audit by the Justice Department’s inspector general found that agents sometimes demanded personal data on people without official authorization. http://www.washingtonpost.com/wp-dyn/content/article/2007/05/10/AR2007051001824.html
IT’S NO SECRET: CODE STIRS UP A WEB STORM (ABA Journal, 11 May 2007) -- For most readers, the series of 32 numbers and letters means nothing. But for savvy Internet users, the sequence represents a chance to copy protected DVDs and virtually thumb their noses at various entertainment conglomerates. The secret code, when paired with specific software, overwrites copy protection on Blu-ray and high-definition DVDs. The code showed up on various Web pages earlier this year, which prompted cease-and-desist notices from the Advanced Access Content System, a trade group comprised of corporations such as Sony, Warner Brothers and IBM. Many sites removed the code, including Digg.com, a user-submitted news site. However, some of those users were not pleased, and large numbers of them reposted the code every time it was taken down. So after a few days, the San Francisco-based Web company changed its decision and stopped policing for the sequence. Digg.com did not respond to a request for interview. According to Charles S. Sims, a New York City lawyer who represents AACS, his client is hopeful the site will again comply with its demand. “Almost everyone we contacted has complied,” Sims says. Others aren’t so sure that would have any effect. Besides posting the code outright, some individuals have written songs that incorporate the code; one such work can be viewed on YouTube. T-shirts imprinted with the code are also available, and on one Web page’s comments section, someone has offered $50 to anyone who tattoos the sequence on his or her body. “People are getting creative. It shows the futility of trying to stop this,” says Douglas J. Sorocco, an intellectual property lawyer in Oklahoma City. “Once the information is out there, cease-and-desist letters are going to infuriate this community more.” And the Web site operator usually plays ball. Digg.com’s response, copyright and intellectual property lawyers say, makes the situation a first of sorts. Indeed, some were not sure how the law would cover what happened. Under the federal Digital Millennium Copyright Act, it’s unlawful to circumvent technology designed to protect copyrighted work. But the statute also provides a safe harbor for Web site operators in section 512 (c), when users make questionable posts. “What’s unclear is whether the cease-and-desist notice was sent under 512 or some other rubric we don’t know about, and whether Digg.com, by refusing to honor the notice, lost its eligibility to be protected by safe harbors,” says Eric Goldman, an assistant professor at the Santa Clara University School of Law and director of the school’s High Tech Law Institute. He also mentions another federal statute, passed in 1996, that provides expansive safe harbor from liability for third-party content. The statute, 47 USC § 230, holds that--providing the post in question doesn’t involve intellectual property--online providers can respond to a complaint however they want. So if the secret code is not intellectual property, Goldman says, Digg.com has no liability. But he stresses that continuing to allow the code posts is risky. “It may have been the only decision available to them,” he adds. “They were caught between one angry intellectual property owner and thousands of angry individual power users.” http://www.abanet.org/journal/ereport/my11blog.html YouTube display at http://www.youtube.com/watch?v=L9HaNbsIfp0 T-Shirt site at http://www.nerdyshirts.com/productdetails.aspx?id=100089931; there, the code appears quite plainly.
MIXING IP WITH MMMMMM (ABA Journal, 11 May 2007) -- There’s a multipage nondisclosure agreement that visitors must sign before they’re allowed in the kitchen at Moto restaurant in Chicago. And some of the food prepared by executive chef Homaro Cantu is served with a copyright notice. Cantu is part culinary pioneer, part prolific inventor--which makes him an intellectual property attorney’s dream client. What worries Cantu most, he says, isn’t chefs or individual diners trying to re-create his signature preparation and presentation. It’s corporations capitalizing on his gastronomic inventions and restaurant management methods without authorization. Hence Cantu’s close relationship with his lawyer, Charles C. Valauskas. The two frequently talk and meet for meals to make sure no opportunity is missed to patent, copyright, trademark or otherwise protect Cantu’s creations from would-be business buccaneers. “He’s got a large intellectual property portfolio, and we talk on a very, very regular basis,” says Valauskas, a principal in the three-lawyer IP boutique Valauskas & Pine in Chicago. “It’s listening to what the new inventions are; it’s strategizing what’s the best way to protect the new techniques.” It would be standard practice, for instance, for an IP attorney to file a patent application once a client has completed a new invention. But because Valauskas and Cantu are in such regular contact, Valauskas can follow Cantu’s ideas as they develop. “We stay on top of that,” Valauskas says, “and we continue to file as he continues to refine his invention.” Those inventions include the whimsical--a spiral-handled fork designed to hold a sprig of basil that adds an aromatic element to each bite of food taken from the business end of the utensil--as well as high-tech business management tools. One of those tools involves a camera set unobtrusively into an upper wall of Moto. The camera is linked to a computer, allowing staff to track important aspects of the restaurant’s operation. The system can warn when usage rates threaten to deplete supplies, notify the kitchen when a diner leaves for the restroom so the chefs can adjust the spacing of their preparations, and anticipate orders from regular customers. And it’s all linked to Cantu’s cell phone so he can be in the loop even when he’s not in the building. Then there’s Cantu’s celebrated edible paper--a soybean and cornstarch concoction that can be imprinted with virtually any image and any flavor. The chef prints his menu on it (along with a copyright notice), and when diners are finished ordering, they can eat it. In addition to the copyright, Valauskas has filed a patent application on the process Cantu uses to create the paper. http://www.abanet.org/journal/ereport/my11ofood.html
ONLINE ADS VS. PRIVACY (New York Times, 12 May 2007) -- For advertisers, and in many ways for consumers, online advertising is a blessing. Customized messages rescue advertisers from the broad reach of traditional media. And consumers can learn about products and services that appeal directly to them. But there are huge costs, and many dangers, warns Jennifer Granick, the executive director for the Stanford Law School Center for Internet and Society. To approach individuals with customized advertising, you have to know who they are. Or at least, you have to gather enough personal information about them that their identity could be easily figured out. This has been an issue for a long time, of course, but as technology has improved and sources of data have multiplied, the problem has, in the eyes of many privacy advocates, reached a tipping point. Last fall, Ms. Granick notes, the Center for Digital Democracy filed a complaint with the Federal Trade Commission calling for “injunctive relief” and detailing how the combination of user profiling, data mining and targeted advertising threaten privacy. That group’s executive director, Jeff Chester, faced off with Mike Zaneis, the Interactive Advertising Bureau’s vice president for public policy, last week at the Computers, Freedom and Privacy conference in Montreal (cfp2007.org). Mr. Chester, she reported, argued that the information collected by many Web sites -- browsing histories, search histories, wish lists, preferences, purchase histories -- is amassed and manipulated in ways consumers never know about. And they often collect Internet Protocol addresses, which usually can be easily traced to individual users. “They don’t need to know your name to know who you are,” Mr. Chester said. Mr. Zaneis * * * “stressed that profiling does not capture” personally identifiable information. 
Even if that is true, people like Kaliya Hamlin still say that collecting data about the online activities of individuals can amount to an invasion of privacy. Ms. Hamlin, known as The Identity Woman, is a privacy advocate and consultant. “My clickstream data is sensitive information,” she told Mr. Zaneis, “and it belongs to me.” On her blog, though, Ms. Hamlin wrote that she found the whole affair frustrating. It was, she wrote, the “angry, progressive anticonsumer guy vs. the super-corporate marketing guy.” The answers, she wrote, lie somewhere between those positions. “The ‘activist types’ tend to deny that we are people who actually might want to buy things in a marketplace,” she wrote. “The ‘corporate types’ tend to think that we always want to have ‘advertising’ presented to us at all times of day or night because we ‘want it.’ Neither view is really right.” Her solution is essentially to give consumers ownership of their data and the power to decide whether or not to share it with marketers (kaliyasblogs.net/Iwoman). http://www.nytimes.com/2007/05/12/technology/12online.html?ex=1336622400&en=8e8700408d2de5b1&ei=5090&partner=rssuserland&emc=rss
MICROSOFT SAYS OPEN SOURCE VIOLATES 235 PATENTS (CNET, 13 May 2007) -- In an interview with Fortune, Microsoft top lawyer Brad Smith alleges that the Linux kernel violates 42 Microsoft patents, while its user interface and other design elements infringe on a further 65. OpenOffice.org is accused of infringing 45, along with 83 more in other free and open-source programs, according to Fortune. It is not entirely clear how Microsoft might proceed in enforcing these patents, but the company has been encouraging large tech companies that depend on Linux to ink patent deals, starting with its controversial pact with Novell last November. Microsoft has also cited Linux protection as playing a role in recent patent swap deals with Samsung and Fuji Xerox. Microsoft has also had discussions but not reached a deal with Red Hat, as noted in the Fortune article. Microsoft CEO Steve Ballmer is also quoted in the article as saying Microsoft’s open-source competitors need to “play by the same rules as the rest of the business.” http://news.com.com/2100-1014_3-6183437.html
TEXAS MULLS BILL THAT WOULD MAKE PCI REQUIREMENTS A STATE LAW (Computerworld, 14 May 2007) -- Retailers and other entities accepting credit and debit card transactions in Texas may soon have a powerful new incentive for complying with the Payment Card Industry (PCI) data security standard mandated by the major credit card companies. The state’s House of Representatives last week voted 139-0 in favor of a bill that would formally codify PCI requirements into a state law that merchants would be obliged to comply with if passed. Under HB 3222 a breached entity will have to reimburse banks and credit unions the cost associated with blocking and reissuing cards if the merchant was not PCI compliant at the time of the compromise. It also provides a safe harbor against such liability for companies who are PCI compliant and get breached. The proposal needs to win approval in the state Senate before it becomes law. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9019361&source=rss_topic17 Minnesota adopts similar law: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9020923&source=NLT_AM&nlid=1
WHY DOES GOOGLE RETAIN DATA? BECAUSE NONEXISTENT LAWS TELL IT TO (ArsTechnica, 14 May 2007) -- Google wants to know what you search for, and plenty of people have wondered why. The company’s global privacy counsel, Peter Fleischer, recently posted an explanation of this question on Google’s official blog, and his answers are quite simple: logging leads to better search, less fraud, and government compliance. Nothing evil about that, is there? Two months ago, Google announced a plan to anonymize its logs, but only after retaining the data for 18 to 24 months. After that time, user searches will still be stored, but it should be impossible to link search queries up with individual users. Of course, this is what AOL researchers thought when they released their own search logs, but queries often turn out to be highly specific things... the sort of things that can eventually be used to identify individuals. Commentators generally praised Google for at least taking steps to safeguard the privacy of information, but others wondered why Google truly needed to retain this information at all. According to Fleischer, log data is used to improve core Google search services, including the spell check component. “Google’s spell checking software automatically looks at your query and checks to see if you are using the most common version of a word’s spelling,” Fleischer says. “If it calculates that you’re likely to generate more relevant search results with an alternative spelling, it will ask ‘Did you mean: (more common spelling)?’ We can offer this service by looking at spelling corrections that people do or do not click on. Similarly, with logs, we can improve our search results: if we know that people are clicking on the #1 result we’re doing something right, and if they’re hitting next page or reformulating their query, we’re doing something wrong.” Sounds good--though it’s not clear why this couldn’t be done just as well with anonymous data. 
The company also uses the information to deal with fraud and abuse. “Immediate deletion of IP addresses from our logs would make our systems more vulnerable to security attacks, putting the personal data of our users at greater risk,” says Fleischer. “Historical logs information can also be a useful tool to help us detect and prevent phishing, scripting attacks, and spam, including query click spam and ads click spam.” But when it comes to the issue of government compliance, the argument gets less straightforward. Fleischer claims that retaining personal data for two years is necessary because of European and US data protection laws, even though those laws do not yet exist. The EU’s Data Retention Directive was passed in late 2005 but has yet to be implemented by the various member states (which have until 2009). The law requires each country in the EU to adopt a retention requirement of between six and 24 months. “Since these laws do not yet exist, and are only now being proposed and debated,” Fleischer says, “it is too early to know the final retention time periods, the jurisdictional impact, and the scope of applicability. It’s therefore too early to state whether such laws would apply to particular Google services, and if so, which ones.” Even though the laws are not yet in force in Europe and won’t apply retroactively, Google still uses the law as an argument to retain data now, and to do so for the longest possible period the law provides for. In the US, no general data retention laws have been passed, though the government has mooted numerous proposals for a two-year retention requirement to combat child pornography and other ills. Fleischer suggests that Google’s behavior is proper because the government has simply “called for 24-month data retention laws.” http://arstechnica.com/news.ars/post/20070514-why-does-google-retain-data-because-nonexistent-laws-tell-it-to.html
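The two Google items above (and the IP-address point in the online-ads item) turn on one engineering trade-off: a log entry that keeps the raw IP address lets the operator detect click spam and scripted abuse, but the same field links every query a person ever typed. The following Python is an added illustration, written for this newsletter; it is not Google’s process and not code from the Ars Technica article. It works on a small constructed search log and a hypothetical secret key. It replaces the IP with a keyed hash (HMAC-SHA256) and drops the cookie, then shows that a pseudonym scoped to the whole retention window still links a user’s queries across days, while a key scoped per day breaks that linkage yet leaves within-day abuse detection (a pseudonym issuing dozens of identical queries) fully intact. Neither variant touches the query text itself, which is the lesson of the AOL release: a “jane q. public resume” query identifies its author whatever is done to the IP column.

```python
import hmac
import hashlib
from collections import Counter, defaultdict

# Constructed sample log (not real traffic): (day, client_ip, cookie_id, query).
# 192.0.2.10 searches on two days; 203.0.113.5 fires the same query 50 times.
SAMPLE_LOG = [
    ("2007-03-01", "192.0.2.10", "c-1111", "best pizza in springfield"),
    ("2007-03-01", "192.0.2.10", "c-1111", "jane q. public resume"),
    ("2007-03-01", "192.0.2.10", "c-1111", "jane q. public resume"),
    ("2007-03-02", "192.0.2.10", "c-1111", "springfield dentist"),
    ("2007-03-01", "198.51.100.7", "c-2222", "weather"),
] + [("2007-03-01", "203.0.113.5", "c-3333", "cheap watches")] * 50

# Hypothetical operator secret; in practice it lives in a key store, not in code.
KEY = b"example-pseudonymization-key"


def pseudonym(ip: str, key: bytes, scope: str) -> str:
    """Keyed hash of the IP. 'scope' is mixed into the message, so the same IP
    under a different scope (e.g. another day) yields an unlinkable pseudonym.
    A plain unkeyed hash would not do: the IPv4 space is small enough to
    enumerate, so an attacker could reverse it by brute force."""
    mac = hmac.new(key, f"{scope}|{ip}".encode(), hashlib.sha256).hexdigest()
    return mac[:16]


def anonymize(log, key: bytes, rotate_daily: bool):
    """Return (day, pseudonym, query) rows. The cookie is dropped entirely;
    the IP becomes a pseudonym scoped either per day or to the whole log."""
    out = []
    for day, ip, cookie, query in log:
        scope = day if rotate_daily else "all"
        out.append((day, pseudonym(ip, key, scope), query))
    return out


def click_spam_suspects(anon_log, threshold: int = 20):
    """Abuse detection of the kind Fleischer describes. It only needs to
    recognise the same client *within* a day, so a daily-rotated pseudonym
    is sufficient. Returns the (day, pseudonym) pairs over the threshold."""
    per_day = Counter((day, pid) for day, pid, _ in anon_log)
    return {k for k, n in per_day.items() if n >= threshold}


def linkable_days(anon_log):
    """Number of distinct days on which each pseudonym appears. A value
    above 1 means the log still ties one client's activity together across
    days, i.e. a profile can be built from it."""
    days = defaultdict(set)
    for day, pid, _ in anon_log:
        days[pid].add(day)
    return {pid: len(d) for pid, d in days.items()}


if __name__ == "__main__":
    for rotate in (False, True):
        rows = anonymize(SAMPLE_LOG, KEY, rotate_daily=rotate)
        print(f"rotate_daily={rotate}: max days per pseudonym ="
              f" {max(linkable_days(rows).values())},"
              f" spam suspects = {len(click_spam_suspects(rows))}")
```

With a static key, one pseudonym spans both days; with a daily key, none does, and the click-spam detector still flags the 50-query client in either mode. The design choice is that the retention question is really two questions: how long the raw field is kept, and how long a derived identifier stays linkable, and the second can be made much shorter than the first without giving up the abuse-detection use case.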
-- and --
EU PROBES GOOGLE GRIP ON DATA (FT, 24 May 2007) -- European data protection officials have raised concerns that Google could be contravening European privacy laws by keeping data on internet searches for too long. The Article 29 working party, a group of national officials that advises the European Union on privacy policy, sent a letter to Google last week asking the company to justify its policy of keeping information on individuals’ internet searches for up to two years. The letter questioned whether Google had “fulfilled all the necessary requirements” on data protection. The data kept by Google includes the search term typed in, the address of the internet server and occasionally more personal information contained in “cookies”, or identifier files, on an individual’s computer. This is separate from the personal information Google has begun collecting over the past two years from people who give the group explicit permission to do so. Standard search information is kept about everyone who uses the search engine, and privacy groups are concerned that even this ostensibly non-personal data can be used to identify individuals and create profiles of their political opinions, religious beliefs and sexual preferences. Google previously kept such data indefinitely, but in March announced it would limit the storage time to two years, in an attempt to assuage concerns. But many members of the working party feel that even two years is too long to keep data, and the group has asked Google to justify its policy. http://www.ft.com/cms/s/dc89ec96-0a24-11dc-93ae-000b5df10621.html
-- and --
SPYING ON THE HOME FRONT -- (PBS’s FRONTLINE, 15 May 2007) -- “So many people in America think this does not affect them. They’ve been convinced that these programs are only targeted at suspected terrorists. … I think that’s wrong. … Our programs are not perfect, and it is inevitable that totally innocent Americans are going to be affected by these programs,” former CIA Assistant General Counsel Suzanne Spaulding tells FRONTLINE correspondent Hedrick Smith in Spying on the Home Front. [View the report at http://www.pbs.org/wgbh/pages/frontline/homefront/view/]
WEB SITE IS HELD LIABLE FOR SOME USER POSTINGS (New York Times, 16 May 2007) -- A Web site that matches roommates may be liable for what its users say about their preferences, a fractured three-judge panel of the federal appeals court in San Francisco ruled yesterday. The suit was brought by two California fair housing groups that objected to postings on the matching service, Roommate.com. The groups said the site violated the Fair Housing Act by allowing and encouraging its users to post notices expressing preferences for roommates based on sex, race, religion and sexual orientation. The ruling knocked down the main defense of the site. In 1996, Congress granted immunity to Internet service providers for transmitting unlawful materials supplied by others. Most courts have interpreted the scope of that immunity broadly. Though their rationales varied, all three judges in the decision yesterday agreed that the site could be held liable for soliciting information from users through a series of menus about themselves and their preferred roommates and for posting and distributing profiles created from the menus. The choices on the menus included gender, sexual orientation and whether children were involved. Because Roommate.com created the menus, the court ruled, it cannot claim immunity under the 1996 law, the Communications Decency Act. But Judges Alex Kozinski and Sandra S. Ikuta ruled that postings from users in a part of their profile designated “additional comments” could not subject the site to liability because it was essentially uninvolved in creating them. 
Judge Stephen Reinhardt dissented on that point, citing examples (“must be a black gay male”) and saying the entire site was “an integral part of one package.” The court, the United States Court of Appeals for the Ninth Circuit, sent the case back to a trial judge for a determination of whether the site had violated the Fair Housing Act, which forbids publishing real estate notices indicating preferences based on race, religion, sex or familial status. The three judges each wrote separately, and piecing together the reasoning for the decision was difficult, said Eric Goldman, a law professor at Santa Clara University. Still, Professor Goldman said, the decision represented a fundamental shift. “To date,” he said, “the law has been almost uniform that a Web site isn’t liable for what its users say. The problem here is that the Web site offered up choices for users to structure their remarks. That creates a hole plaintiffs can exploit.” http://www.nytimes.com/2007/05/16/us/16roomates.html?ex=1336968000&en=efae9d103bb2daed&ei=5090&partner=rssuserland&emc=rss ABA Journal story (25 May 2007) at http://www.abanet.org/journal/ereport/my25room.html
TJX BREACH-RELATED EXPENSES: $17M AND COUNTING (Computerworld, 15 May 2007) -- The TJX Companies Inc. today announced that it took a $12 million after-tax charge for the quarter ending April 28 in connection with the massive data breach it disclosed in January. The charge of 3 cents per share included the costs involved in investigating and containing the intrusion, beefing up computer security, communicating with customers, and various legal and other fees, the company said in its first quarter earnings statement. The company expects to incur a similar charge of 2 cents to 3 cents per share in the second quarter, as well, TJX said. It also warned investors of even more potential costs down the road. “TJX does not yet have enough information to reasonably estimate the losses it may incur arising from this intrusion, including exposure to payment card companies and banks, exposure in various legal proceedings that are pending or may arise, and related fees and expenses, and other potential liabilities and other costs and expenses,” TJX said in its statement. The Framingham, Mass.-based TJX owns several retail brands, including T.J.Maxx, Marshalls and Bob’s Stores. In January, the company announced that someone had broken into its payment systems and illegally accessed card data belonging to customers in the U.S., Canada, Puerto Rico, the U.K. and Ireland. In filings with the U.S. Securities and Exchange Commission in March, the company said 45.6 million credit and debit card numbers were stolen over a period of more than 18 months by an unknown number of intruders. That number eclipsed the 40 million records compromised in a mid-2005 breach at CardSystems Solutions Inc. and made the TJX compromise the worst ever in terms of the loss of payment card data. The $12 million charge comes on top of the $5 million in breach-related costs cited by TJX in the previous quarter. 
And that may just be the tip of the iceberg, said Khalid Kark, an analyst at Forrester Research Inc. in Cambridge, Mass., who released a report last month on all the factors that need to be included when totaling data breach costs. Apart from direct expenses related to breach discovery, response and notification, companies also incur a variety of other costs such as those stemming from regulatory fines, lawsuits, and additional security and audit requirements. Several lawsuits have already been filed against TJX, including one by the Massachusetts Bankers Association seeking tens of millions in restitution for banks that were forced to block and reissue thousands of debit cards following the breach. There are also somewhat less tangible costs such as lost employee productivity and opportunity costs that need to be factored in, Kark said. The expenses disclosed by TJX could be “just a fraction” of what the breach could eventually end up costing the company. “This is something that is going to play out over years,” he said. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9019464&source=NLT_PM&nlid=8 [Editor: studies suggest that every dollar spent on preparation and planning saves $9 in remediation costs. If security breaches are like hard-disk crashes (everybody’s gonna have one), many should be doing more.]
-- and --
INFORMATION SECURITY FOR LAW FIRMS (Your ABA, 22 May 2007) -- Failure to implement adequate security measures can come with a price tag that few law firms can pay. At $182 per compromised record, or an average of $4.8 million per breach, why has the legal industry been one of the slowest to implement incident response plans? This question is especially pertinent since law firms are required ethically to maintain the confidentiality of client data. “Information Security for the Small- and Medium-Sized Law Firm,” a recent CLE teleconference sponsored by the Section of Science and Technology, Law Practice Management Section and the ABA Center for Continuing Legal Education explored data security through various case studies. Although a lack of statistics regarding information security in law firms makes it difficult to pinpoint surefire solutions, the expert panel provided suggestions that can help firms reduce the vulnerability of their confidential information. Protecting a client’s confidential information can include steps as simple as resetting default passwords on newly purchased hardware and software. People often fail to change passwords and other factory-set settings, leading to a critical oversight, according to John W. Simek, vice president of Sensei Enterprises and certified forensic technologist. He also suggests regularly updating a firm’s computer system with security patches, which are usually available for download at the manufacturer’s Web site. Providing firm employees with proper training is another critical step that is often overlooked as well. Without training, employees are more likely to trust e-mail messages, going so far as to click links provided in unidentified e-mails. Employees who lack training in technology issues are also likely to visit Web sites that are not secure, increasing the likelihood of outsiders gaining unwanted access to confidential files. http://www.abanet.org/media/youraba/200705/article06.html
COURT RULES GOOGLE SEARCH SMALL IMAGES ARE “FAIR USE” (SiliconValley.com, 17 May 2007) -- A federal appeals court Wednesday said Google does not infringe the copyrights of adult entertainment company Perfect 10 by displaying small versions of its images in search results. But the 9th U.S. Circuit Court of Appeals said a lower court should reconsider whether Google helps violate copyrights by pointing people to sites that display unauthorized photos. A U.S. District Court judge last year issued a preliminary injunction against Google, finding that Perfect 10 had submitted enough evidence to suggest the search engine directly violated copyrights by displaying the small image, known as a “thumbnail,” even though the full-size image was on a third party’s Web site. But the judge said Google could not be held liable for the actions of a user who clicks on the thumbnail and is directed to a site that contains illegal copies of Perfect 10’s photos. A three-judge panel of the 9th Circuit essentially flipped the earlier ruling. The panel said the lower court erred in granting the preliminary injunction, saying that the display of a thumbnail could be considered “fair use” under copyright law. Still, the panel said the lower court should not have rejected Perfect 10’s claim that search engines can be held liable when they act as the middleman between a Web searcher and a Web site that contains illegal copies. http://www.siliconvalley.com/news/ci_5915967?nclick_check=1 SUMMARY OF PERFECT 10 DECISION (Eric Goldman’s Technology & Marketing Law Blog, article by John Ottaviani, 16 May 2007) -- at http://blog.ericgoldman.org/; Court’s decision at http://lawgeek.typepad.com/LegalDocs/p10vgoogle.pdf
MAGISTRATE RULES TRADEMARKS IN METADATA NOT USE IN COMMERCE (BNA’s Internet Law News, 17 May 2007) -- BNA’s Electronic Commerce & Law Report reports that a magistrate judge in New York has ruled that there is no “use in commerce” of trademarks employed only in Web site metatags and as search terms on an advertising site. The magistrate follows Second Circuit precedent to hold that a trademark use occurs only when the mark is visibly placed on the goods or in advertisements, or when it is used in a way that indicates source or origin. Case name is Site Pro-1 Inc. v. Better Metal LLC.
PUBLIC ACCESS GROUP DEFIES COPYRIGHT TO POST SMITHSONIAN IMAGES ONLINE (Canada.com, 18 May 2007) -- Grabbing pictures of iconic Smithsonian Institution artifacts just got a whole lot easier. Before, if you wanted to get a picture of the Wright Brothers’ plane, you could go to the Smithsonian Images website and pay for a print or high-resolution image after clicking through several warnings about copyrights and other restrictions - and only if you were a student, teacher or pledging not to use it to make money. Now, you can just go to the free photo-sharing website flickr.com. A nonprofit group is challenging the copyrights and restrictions on images being sold by the Smithsonian. But instead of going to court, the group downloaded all 6,288 photos online and posted them Wednesday night on the free Internet site. “I don’t care if they sell the photos, but then once they sell it, they can’t say you can’t reuse this photo,” said Carl Malamud, co-founder of the group Public.Resource.Org, advocates for posting more government information online. “You’re not allowed to chill debate by telling people they can’t use something because it’s under copyright when that’s not true.” Most images the Smithsonian is selling, including photos of artifacts and historic figures, are not protected by copyright, Malamud said. But the Smithsonian site carries copyright notices and other warnings that would discourage most people from using historic images that should be publicly available, he said. http://www.canada.com/topics/entertainment/story.html?id=613181ff-6704-450f-a2cb-7302f261be0b&k=26986
THE IMPENDING INTERNET ADDRESS SHORTAGE (Information Week, 21 May 2007) -- The coming shortage of Internet Protocol addresses on Monday prompted the American Registry for Internet Numbers (ARIN) to call for a faster migration to the new Internet Protocol, IPv6. The current version of the Internet Protocol, IPv4, allows for over 4 billion (2^32) Internet addresses. Only 19% of the IPv4 address space remains. Somewhere around 2012-2013, the last Internet address block will be assigned and the Internet will be full, in a manner of speaking. “We must prepare for IPv4’s depletion, and ARIN’s resolution to encourage that migration to IPv6 may be the impetus for more organizations to start the planning process,” said John Curran, chairman of ARIN’s Board of Trustees, in a statement. IPv6 provides 2^128 possible addresses, roughly 3.4 × 10^38, or about 7.9 × 10^28 times the size of the IPv4 space. “Unless action is taken now, a quiet technical crisis will occur, not unlike Y2K in its complications, but without a fixed date or high level public attention,” wrote Stephen M. Ryan, a partner at McDermott Will & Emery LLP and ARIN general counsel, and Raymond A. Plzak, CEO and president of ARIN, in a forthcoming policy paper. http://news.yahoo.com/s/cmp/20070522/tc_cmp/199700668;_ylt=AoNYZm.qEd3Svs322Gk8grME1vAI
DHS SEEKS RESEARCH ON NINE CYBERSECURITY AREAS (FCW.com, 21 May 2007) -- The Homeland Security Department is initiating an ambitious Cyber Security Research Development Center program that entails soliciting input from industry, government labs and academia on how to protect data against the latest threats and intrusions. The Science and Technology Directorate published a 43-page agency announcement seeking white papers on topics such as botnet and malware protection, composable and scalable systems, cybermetrics, data visualization, routing security, process control security, real-time assessment, data anonymization, and insider threat detection and management. White papers on technologies to address the threats and strengthen protections are due June 27. Final proposals will be due Sept. 17. The directorate will award up to $4.5 million for research related to technologies proposing solutions in nine topic areas. http://www.fcw.com/article102766-05-21-07-Web&printLayout Directorate announcement at http://www.fbo.gov/spg/DHS/OCPO/DHS-OCPO/BAA07%2D09/Attachments.html
WEB SITES LISTING INFORMANTS CONCERN JUSTICE DEPT. (New York Times, 22 May 2007) -- There are three “rats of the week” on the home page of whosarat.com, a Web site devoted to exposing the identities of witnesses cooperating with the government. The site posts their names and mug shots, along with court documents detailing what they have agreed to do in exchange for lenient sentences. Last week, for instance, the site featured a Florida man who agreed in September to plead guilty to cocaine possession but not gun charges in exchange for his commitment to work “in an undercover role to contact and negotiate with sources of controlled substances.” The site says it has identified 4,300 informers and 400 undercover agents, many of them from documents obtained from court files available on the Internet. Federal prosecutors are furious, and the Justice Department has begun urging the federal courts to make fundamental changes in public access to electronic court files by removing all plea agreements from them -- whether involving cooperating witnesses or not. “We are witnessing the rise of a new cottage industry engaged in republishing court filings about cooperators on Web sites such as www.whosarat.com for the clear purpose of witness intimidation, retaliation and harassment,” a Justice Department official wrote in a December letter to the Judicial Conference of the United States, the administrative and policy-making body of the federal court system. In one case described in the letter, a witness in Philadelphia was moved and the F.B.I. was asked to investigate after material from whosarat.com was mailed to his neighbors and posted on utility poles and cars in the area. The federal court in Miami has provisionally adopted the department’s recommendation to remove plea agreements from electronic files, and other courts are considering it and experimenting with alternative approaches. Judge John R. 
Tunheim, a federal judge in Minneapolis and the chairman of a Judicial Conference committee studying the issue, acknowledged the gravity of the safety threat posed by the Web sites but said it would be better addressed through case-by-case actions. “We are getting a pretty significant push from the Justice Department to take plea agreements off the electronic file entirely,” Judge Tunheim said. “But it is important to have our files accessible. I really do not want to see a situation in which plea agreements are routinely sealed or kept out of the electronic record.” Judge Tunheim said his committee was working on recommendations for a nationwide approach to the issue. He said he favored putting the details of a witness’s cooperation into a separate document and sealing only that document, or withholding it from the court file entirely. For those who want to read the details on cooperating witnesses, whosarat.com charges between $7.99 for a week and $89.99 for life. Defense lawyers are, in fact, hungry for any information about the nature of the case against their clients. “The more information out there, the easier it is for the truth to come out at trial,” said David O. Markus, a criminal defense lawyer in Miami. Defendants who choose to go to trial will, of course, eventually learn the identities of the witnesses who testify against them. But the site also discloses the identities of people engaged in undercover operations and those whose information is merely used to build a case. The widespread dissemination of informants’ identities, moreover, may subject them to retribution from friends and associates of the defendant. Still, Professor Bowman, an authority on federal sentencing law, said he would hate to see the routine sealing of plea agreements. “It certainly is terribly important for the public ultimately to know who’s flipped,” he said. 
Professor Bowman added that he was studying the deals prosecutors made in the aftermath of the collapse of Enron, the energy company. “To do that effectively,” he said, “I really need to know who flipped and the nature of their plea agreements.” Most legal experts agreed that whosarat.com is protected by the First Amendment. In 2004, a federal judge in Alabama refused to block a similar site created by a criminal defendant, Leon Carmichael Sr., who has since been convicted of drug trafficking and money laundering. http://www.nytimes.com/2007/05/22/washington/22plea.html?ex=1337486400&en=cb9a9783ee21ee95&ei=5090&partner=rssuserland&emc=rss
GOOGLE BANS ESSAY WRITING ADVERTS (BBC, 22 MAY 2007) -- Google is to ban adverts for essay writing services - following claims that plagiarism is threatening the integrity of university degrees. There have been complaints from universities about students being sold customised essays on the internet. The advert ban from the Google search engine has been “warmly welcomed” by university authorities. But it has angered essay writing firms which say this will unfairly punish legitimate businesses. From next month, Google will no longer take adverts from companies which sell essays and dissertations - and the internet company has written to advertisers to tell them about the policy. Google’s forthcoming ban on adverts for “academic paper-writing services and the sale of pre-written essays, theses, and dissertations” means that essay websites join a blacklist of “unacceptable content” including adverts for weapons, prostitution, drugs, tobacco, fake documents and “miracle cures”. The move has been applauded by universities which have struggled with the problem of students dishonestly submitting material copied from the internet. “Making life harder for these cynical web ‘essay mills’ is a step in the right direction,” says Professor Drummond Bone, president of Universities UK. http://news.bbc.co.uk/2/hi/uk_news/education/6680457.stm
MICHIGAN MAN DODGES PRISON IN THEFT OF WI-FI (CNET, 22 May 2007) -- A Michigan man who used a coffee shop’s unsecured Wi-Fi to check his e-mail from his car could have faced up to five years in prison, according to local TV station WOOD. But it seems few in the village of Sparta, Mich., were aware that using an unsecured Wi-Fi connection without the owner’s permission--a practice known as piggybacking--was a felony. Each day around lunch time, Sam Peterson would drive to the Union Street Cafe, park his car and--without actually entering the coffee shop--check his e-mail and surf the Net. His ritual raised the suspicions of Police Chief Andrew Milanowski, who approached him and asked what he was doing. Peterson, probably not realizing that his actions constituted a crime, freely admitted what he was doing. “I knew that the Union Street had Wi-Fi. I just went down and checked my e-mail and didn’t see a problem with that,” Peterson told a WOOD reporter. Milanowski didn’t immediately cite or arrest Peterson, mostly because he wasn’t certain a crime had been committed. “I had a feeling a law was being broken,” the chief said. Milanowski did some research and found Michigan’s “Fraudulent access to computers, computer systems, and computer networks” law, a felony punishable by five years in prison and a $10,000 fine. Milanowski, who eventually swore out a warrant for Peterson, doesn’t believe Peterson knew he was breaking the law. “In my opinion, probably not. Most people probably don’t.” Indeed, neither did Donna May, the owner of the Union Street Cafe. “I didn’t know it was really illegal, either,” she told the TV station. “If he would have come in (to the coffee shop), it would have been fine.” But apparently prosecutors were more than aware of the 1979 law, which was revised in 2000 to include protections for Wi-Fi networks.
“This is the first time that we’ve actually charged it,” Kent County Assistant Prosecutor Lynn Hopkins said, adding that “we’d been hoping to dodge this bullet for a while.” http://news.com.com/8301-10784_3-9722006-7.html [Editor: when I intentionally open my WiFi connection (as I do from time to time), I’m inviting visitors to use it. While my ISP might be unhappy, my actions should constitute an (ex|im)plicit license, no?]
THE MAN WHO OWNS THE INTERNET (CNNmoney.com, 22 May 2007) -- Kevin Ham leans forward, sits up tall, closes his eyes, and begins to type -- into the air. He’s seated along the rear wall of a packed ballroom in Las Vegas’s Venetian Hotel. Up front, an auctioneer is running through a list of Internet domain names, building excitement the same way he might if vintage cars were on the block. As names come up that interest Ham, he occasionally air-types. It’s the ultimate gut check. Is the name one that people might enter directly into their Web browser, bypassing the search engine box entirely, as Ham wants? Is it better in plural or singular form? If it’s a typo, is it a mistake a lot of people would make? Or does the name, like a stunning beachfront property, just feel like a winner? When Ham wants a domain, he leans over and quietly instructs an associate to bid on his behalf. He likes wedding names, so his guy lifts the white paddle and snags Weddingcatering.com for $10,000. Greeting.com is not nearly as good as the plural Greetings.com, but Ham grabs it anyway, for $350,000. Ham is a devout Christian, and he spends $31,000 to add Christianrock.com to his collection, which already includes God.com and Satan.com. When it’s all over, Ham strolls to the table near the exit and writes a check for $650,000. It’s a cheap afternoon. Just a few years ago, most of the guys bidding in this room had never laid eyes on one another. Indeed, they rarely left their home computers. Now they find themselves in a Vegas ballroom surrounded by deep-pocketed bankers, venture-backed startups, and other investors trying to get a piece of the action. And why not? In the past three years alone, the number of dotcom names has soared more than 130 percent to 66 million. Every two seconds, another joins the list. 
But the big money is in the aftermarket, where the most valuable names -- those that draw thousands of pageviews and throw off steady cash from Google’s and Yahoo’s pay-per-click ads -- are driving prices to dizzying heights. People who had the guts and foresight to sweep up names shed during the dotcom bust are now landlords of some of the most valuable real estate on the Web. http://money.cnn.com/magazines/business2/business2_archive/2007/06/01/100050989/index.htm?postversion=2007052205
UNPATCHED SYMANTEC FLAW LEADS TO U. OF COLORADO BREACH (Computerworld, 24 May 2007) -- An unpatched flaw in a Symantec Corp. anti-virus management console resulted in the compromise of a server containing the names and Social Security numbers of nearly 45,000 students at the University of Colorado at Boulder. The students, enrolled at the university from 2002 to present, are presently being notified about a potential compromise of their information as a result of the breach, according to a statement posted on the school’s Web site. The breached server belonged to the Academic Advising Center of the University’s College of Arts and Science. According to Dan Jones, director for campus IT security, the intrusion was discovered May 12 by the university’s security staff when the compromised server started scanning other Internet-connected systems, including those on campus, for the same Symantec flaw. The vulnerability in question was a previously disclosed flaw for which Symantec had already issued a patch, but which the Advising Center had not applied. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9021059&source=rss_topic17
WHITE HOUSE PUBLISHES BREACH RESPONSE RULES (InfoWorld, 24 May 2007) -- The White House has issued a memo to the heads of all federal government executive departments that establishes new ground rules for responding to potential data incidents and demands that the agencies clean up their information-handling procedures. In the notice -- distributed off the desk of Clay Johnson III, deputy director for management in the White House Office of Management and Budget, on May 22 -- authorities also set forth a requirement for all federal agencies to develop and implement a data breach notification policy within the next 120 days as part of the work of the government’s Identity Theft Task Force. In formulating their respective policies, the White House ordered agencies to review their existing requirements with respect to privacy and security, incident reporting and handling, and external breach notification. The document further requires agencies to develop policies that dictate stricter policies for the types of workers who are given access to sensitive information. Among the most basic advice offered in the executive order is for agencies to:
-Reduce the volume of collected and retained information to the minimum necessary.
-Limit access to sensitive data to only those individuals who must have such access.
-Use encryption and strong authentication procedures.
In his foreword to the document, Johnson emphasizes that the requirement should “receive the widest possible distribution” within agencies and that each affected organization and individual should “understand their specific responsibilities for implementing the procedures and requirements.” http://weblog.infoworld.com/zeroday/archives/2007/05/white_house_pub.html OMB memo at http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf
WHEN “YOU’VE GOT MAIL” MEANS “YOU’VE BEEN SERVED” (Steptoe & Johnson’s E-Commerce Law Week, 25 May 2007) -- Following the Ninth Circuit’s watershed decision in Rio Properties, Inc., v. Rio International Interlink (2002), which upheld service by email on a Costa Rican Internet sports gambling organization, federal courts in New York, Tennessee, and West Virginia have authorized service by email on foreign defendants under Federal Rule of Civil Procedure 4(f)(3), which permits service on those outside the United States “by other means not prohibited by international agreement as may be directed by the court.” Most recently, in Williams-Sonoma Inc. v. FriendFinder Inc., a federal court in California held that the plaintiff could serve foreign owners of allegedly infringing websites by email. These cases suggest that, when foreign defendants prove elusive, plaintiffs may be able to use modern communications technologies, such as email, to effect service. http://www.steptoe.com/publications-4519.html Williams-Sonoma case at http://www.steptoe.com/assets/attachments/2993.pdf
**** RESOURCES ****
FRCP AND METADATA: E-DISCOVERY WHITE PAPER (DennisKennedy.com, May 2007) -- Two of the hottest issues in electronic discovery are metadata and the recent amendments to the Federal Rules of Civil Procedure. It’s no surprise that one of the most interesting places in electronic discovery is at the intersection of metadata and the amendments. Workshare, a leading e-discovery and legal discovery vendor, has just released a new white paper called “FRCP and Metadata: Avoiding the Lurking e-Discovery Disaster” that surveys this important territory, with an emphasis on the practical and a focus on the metadata management and preparation needs of organizations. Outside counsel has not taken a leadership role in metadata and EDD preparation and guidance, so it’s incumbent on those charged with dealing with these issues inside organizations to take charge of them. The white paper has practical tips, useful charts, and suggested steps you should take. http://www.denniskennedy.com/blog/2007/05/frcp_and_metadata_ediscovery_white_paper.html White paper at http://www.workshare.com/downloads/whitepapers/frcp-metadata.aspx
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuire Wood’s Technology & Business Articles of Note, http://tinyurl.com/ywsusp.
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com.
10. Readers’ submissions, and the editor’s discoveries.
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
MIRLN stands for Miscellaneous IT Related Legal News, since 1997 a free monthly e-newsletter edited by Vince Polley (www.knowconnect.com). Earlier editions, and email delivery subscription information, are at http://www.knowconnect.com/mirln/
Saturday, May 26, 2007
Saturday, May 05, 2007
MIRLN -- Misc. IT Related Legal News [15 April - 5 May 2007; v10.06]
ORDINARY CUSTOMERS FLAGGED AS TERRORISTS (Washington Post, 27 March 2007) -- Private businesses such as rental and mortgage companies and car dealers are checking the names of customers against a list of suspected terrorists and drug traffickers made publicly available by the Treasury Department, sometimes denying services to ordinary people whose names are similar to those on the list. The Office of Foreign Asset Control’s list of “specially designated nationals” has long been used by banks and other financial institutions to block financial transactions of drug dealers and other criminals. But an executive order issued by President Bush after the Sept. 11, 2001, attacks has expanded the list and its consequences in unforeseen ways. Businesses have used it to screen applicants for home and car loans, apartments and even exercise equipment, according to interviews and a report by the Lawyers’ Committee for Civil Rights of the San Francisco Bay Area to be issued today. “The way in which the list is being used goes far beyond contexts in which it has a link to national security,” said Shirin Sinnar, the report’s author. “The government is effectively conscripting private businesses into the war on terrorism but doing so without making sure that businesses don’t trample on individual rights.” The lawyers’ committee has documented at least a dozen cases in which U.S. customers have had transactions denied or delayed because their names were a partial match with a name on the list, which runs more than 250 pages and includes 3,300 groups and individuals. No more than a handful of people on the list, available online, are U.S. citizens. Yet anyone who does business with a person or group on the list risks penalties of up to $10 million and 10 to 30 years in prison, a powerful incentive for businesses to comply. The law’s scope is so broad and guidance so limited that some businesses would rather deny a transaction than risk criminal penalties, the report finds. 
http://www.washingtonpost.com/wp-dyn/content/article/2007/03/26/AR2007032602088_pf.html
NAVIGATING THE PCI STANDARD (CSOonline, 1 April 2007) -- In mid-December 2006, just as Visa was announcing a $20 million incentive to try to hurry compliance with the credit card industry’s data-security standard, a consultant for TJX was discovering precisely the sort of breach that the standard is supposed to prevent. An undisclosed number of transaction records from TJ Maxx, Marshalls and other TJX stores had been compromised. “Removed” by intruders, even. Exactly which records, when and by whom, the $16 billion retailer was unsure, although The Wall Street Journal later put the number of affected credit cards at more than 40 million. Behind the scenes, TJX executives began working with law enforcement and additional outside security experts to try to identify and fix the problem, prior to a January announcement of the breach. Meanwhile, in San Francisco, Visa was going public with an announcement of its own. Technically, if its merchants aren’t compliant with the Payment Card Industry (PCI) Data Security Standard, Visa can cut off their ability to accept Visa cards—a death sentence for commerce. Despite deadlines that had come and gone, however, only 36 percent of Visa’s largest merchants were following the rules. So starting in April, banks whose retail customers were in compliance and had not suffered security breaches would be eligible to receive funds from a pool of up to $20 million. In addition, Visa warned, it would increase fines to banks whose retail customers were not compliant and make PCI certification a requirement for some pricing discounts. As far as Visa is concerned, the standard is working—if only merchants would adopt it. “To date we have not seen that a PCI-compliant entity has been compromised,” Eduardo Perez, vice president for payment system risk at Visa, told CSO in January. 
Although he would not comment on the TJX incident specifically, he continued: “In every instance we’ve dealt with, compromised entities have not been compliant with PCI.” For critics, however, the TJX breach proves something else entirely. “It’s a perfect example of where the PCI program is not working,” says Avivah Litan, vice president and research director at Gartner. “It’s a good step. It’s good for the card brands to enforce security, but it’s impractical to expect 5 million retailers to become security experts.” In reality, the TJX breach is not so much an example as it is a test. Corporate America has long insisted that self-regulation, not government intervention, is the cure for what ails information security. Government regulations, they claim, tend to be poorly crafted and difficult to enforce; they turn into needlessly expensive exercises in bureaucratic paperwork. In response to the threat of such legislation, industry sectors have attempted to police themselves by establishing either voluntary guidelines or ones imposed by business partners. (See “Power Play.”) http://www.csoonline.com/read/040107/fea_pci_pf.html [Editor: the PCI DSS is available here: https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf ]
SELLING STUFF ONLINE? HERE COMES THE IRS (CNET, 13 April 2007) -- Americans who sell items through Internet auction sites could be in for an unpleasant surprise at tax time next year, thanks to an IRS proposal designed to identify taxpayers who don’t report income from those sales. The U.S. Treasury Department wants Congress to force auction sites like eBay, Amazon.com and uBid.com to turn over the identities and Social Security numbers of a large portion of their users to the IRS--so tax collectors know how much each person made through online selling. The effort is part of a larger plan, which enjoys enthusiastic support from both Democrats and Republicans, to close what’s known as the “tax gap.” It’s a broad term that covers Americans who don’t file tax returns or those who underreport their income, and the IRS believes it to total around $345 billion for the 2001 tax year. http://news.com.com/2100-1028_3-6176041.html
DOCS POINT TO E-VOTING BUG IN CONTESTED RACE (Wired, 17 April 2007) -- Symptoms consistent with a known software flaw in a popular electronic voting machine surfaced widely in a controversial election in Sarasota County, Florida, last November, despite county officials’ claims that a bug played no role in the election results, according to documents obtained by Wired News. Activists say the flaw might have contributed to the high number of lost or uncast votes in a now-contested congressional race. Incident reports from the election reveal Sarasota County poll workers from at least 19 precincts contacted technicians and election officials to report touch-screen sensitivity problems with the iVotronic voting machine. In those incidents, voters were forced to press the screen harder and repeatedly to register a vote. The complaints mirror the symptoms of a bug that the machine’s maker, Election Systems & Software, revealed prior to the election in a warning unheeded by the county. Additionally, the documents -- obtained through public records requests by Wired News and the Florida Fair Elections Coalition -- show the problems also appeared on a smaller scale during the primary election in Sarasota County two months earlier. This contradicts statements by Sarasota supervisor of elections Kathy Dent, who told Wired News last month that no such problems happened during the primary, and that she only learned voters were having problems with the touch screens after the November election was over and votes were counted. Seven voting machines had touch problems in the September primary, five of which later clocked in an unusually high number of “under votes” in the now-contested race for the U.S. House of Representatives’ 13th Congressional District. http://www.wired.com/politics/onlinerights/news/2007/04/evotinganalysis
EU PRIVACY BODY CRITICIZES GOOGLE PRACTICES (MarketWatch, 19 April 2007) -- A European Union advisory body that monitors data privacy has written a letter to Google Inc. warning the No. 1 provider of Internet searches that its practices fall short of EU data protection standards, according to a person familiar with the group’s proceedings. Google confirmed that it received an earlier letter from the Norwegian Data Protection Group, which has a representative on the advisory body known as the Article 29 Working Party. A second letter is expected to be released by the European Commission on behalf of the Working Party, said the source, who spoke on condition of anonymity. Composed of privacy protection authorities from each of the EU’s 27 member nations, the group coordinates European privacy laws, and its member commissioners oversee privacy law in their home countries. If privacy authorities in those nations find Google in violation of data-protection statutes, the company can be fined. Google keeps a record of the Internet search habits of consumers who use its service. The U.S. government last year had asked Google and its search rivals, Yahoo Inc. and Microsoft Corp., for information as part of an investigation into online pornography. While Yahoo and Microsoft complied with the Justice Department subpoena for the data, Google refused the request, citing privacy concerns. A federal judge later ordered the company to release a less-extensive amount of information than U.S. officials had requested. The Mountain View, Calif.-based search giant’s data-collection and storage practices came under renewed scrutiny by the Working Party in the wake of Google’s $3.1 billion agreement to acquire fellow online ad firm DoubleClick, the source said. DoubleClick keeps extensive data on Internet ad campaigns, including who clicks on online banner ads and how often. Rivals of Google, as well as online privacy watchdog groups, have asked U.S. 
antitrust regulators to examine the combination, which will extend Google’s dominance of the online ad market. http://www.marketwatch.com/news/story/eu-privacy-body-criticizes-google/story.aspx?guid={578CE44F-EDC5-43A8-865A-51960583F9D3
CT RULES INTERNET ARCHIVE PRINTOUTS INADMISSIBLE (BNA’s Internet Law News, 19 April 2007) -- BNA’s Electronic Commerce & Law Report reports that a federal court in New York has ruled that printouts of Web pages purporting to indicate how a Web page appeared at a prior point in time, supplied by the Internet Archive’s “Wayback Machine” service, are inadmissible without authenticating testimony from someone familiar with how the pages were created. The court ruled that in the absence of testimony or sworn statements from an employee of the operators of the third-party Web sites attesting to the authenticity of the contested Web page exhibits, the Wayback Machine exhibits cannot be authenticated as required under the Rules of Evidence. Case name is Novak v. Petswarehouse.com.
NINTH CIRCUIT HELPS DMCA DEFENDANTS FIND SAFE HARBOR (Steptoe & Johnson’s E-Commerce Law Week, 19 April 2007) -- The Digital Millennium Copyright Act (DMCA) limits service providers’ liability for certain online material, including for “Transitory Digital Network Communications,” “System Caching,” “Information Residing on Systems or Networks At [the] Direction of Users,” and “Information Location Tools” (17 U.S.C. § 512(a-d)). But claiming these safe harbors can be difficult, since online service providers must first show that they have “adopted and reasonably implemented ... a policy that ... terminat[es] in appropriate circumstances ... subscribers ... who are repeat infringers,” and that they have not “interfere[d] with standard technical measures” of “identify[ing] or protect[ing] copyrighted works.” In Perfect 10, Inc. v. CCBill LLC, the Ninth Circuit addressed the plaintiff’s claim that CCBill, an online payment processor, and CWIE, a web hosting service, should not be given safe harbor. By offering a definition of a “reasonably implemented” termination policy, this ruling should help providers of online services more easily determine whether they meet the threshold for claiming DMCA safe harbor. And, for copyright holders, the ruling shows what not to do when giving a service provider notice of infringement. http://www.steptoe.com/publications-4417.html
NY COURT CONVERTS CONVERSION INTO E-TORT (Steptoe & Johnson’s E-Commerce Law Week, 19 April 2007) -- The common law tort of conversion provides a remedy for the theft or other unauthorized interference with the ownership of the plaintiff’s personal property. This cause of action has traditionally been limited to tangible objects. But in Thyroff v. Nationwide Mutual Insurance Co., the New York State Court of Appeals last month explicitly extended the Empire State’s conversion tort to “electronic records,” finding that the tort’s history supported its expansion to “keep pace with the contemporary realities of widespread computer use.” Specifically, the ruling allows an insurance agent to maintain a conversion claim against his former employer, which had allegedly prevented the agent from accessing personal and business information stored on the company computer system. But the conversion tort also gives employers another tool for going after workers who purloin company data. http://www.steptoe.com/publications-4417.html
JUDGE REFUSES TO DISMISS GOOGLE TRADEMARK SUIT (Information Week, 19 April 2007) -- A U.S. judge refused Wednesday to dismiss a lawsuit against Google Inc. that charges the Web search leader’s AdWords program abuses trademarks. In making his decision to allow the case to move forward, U.S. District Court Judge Jeremy Fogel ruled the public has an interest in whether AdWords, the company’s popular pay-per-click advertising system, violates U.S. trademark law. American Blind & Wallpaper Factory Inc., the top U.S. reseller of window blinds, charged in its lawsuit that Google abuses trademarks by allowing rivals of a company to buy ads that appear when consumers search the Web for information on that business. Google has prevailed in two prior trademark suits filed against its pay-per-click ads. Auto insurer GEICO lost a federal case in Virginia, and computer repair site Rescuecom lost a similar federal case, but is appealing. The latest ruling granted some claims while rejecting others in Google’s motion for summary judgment, which asked the judge to dismiss American Blind’s trademark infringement claims against Google’s AdWords ad-selling program. “The large number of businesses and users affected by Google’s AdWords program indicates that a significant public interest exists in determining whether the AdWords program violates trademark law,” Fogel wrote in his decision. A Google spokesman said the company still has a motion for sanctions against American Blinds pending before Magistrate Judge Richard Seeborg, in the same federal court, alleging that American Blinds failed to disclose key evidence. http://www.informationweek.com/story/showArticle.jhtml?articleID=199100854&cid=RSSfeed_IWK_News
YOUTUBE DELETES VIDEO OF MCCAIN SINGING ‘BOMB IRAN’ (CNET, 20 April 2007) -- YouTube confirmed Friday that it had erroneously deleted and would restore a video of presidential candidate John McCain singing an impromptu ditty about starting a war with Iran. The Arizona senator joked about attacking the sovereign nation during a campaign stop in South Carolina this week, singing, to the tune of the Beach Boys song “Barbara Ann”: “That old, that old Beach Boys song, Bomb Iran. Bomb, bomb, bomb, bomb, anyway.” According to a video recorded by what appears to be a camera phone held by someone at the back of the room, the audience laughed at McCain’s rendition of the classic song. But the clip was deleted by YouTube, which is owned by Google. A spokesman for YouTube, who asked that his name not appear in this article, said, “We appreciate the prompt feedback from our community regarding the McCain video. It was flagged by our users, we reviewed it and it was mistakenly removed. We have examined the situation and have since reinstated the video.” The spokesman refused to answer any other questions, such as when, exactly, the video was deleted or what procedures are in place to ensure that political candidates don’t use YouTube’s complaint procedure to squelch critics. The popular video-sharing site permits users to flag videos as “inappropriate.” This is not the first time a controversy has erupted over political videos removed by YouTube. The Electronic Frontier Foundation has documented other videos that it says should not have been deleted. The EFF has filed suit against Viacom on behalf of MoveOn.org and Brave New Films, saying a satire of The Colbert Report was removed from YouTube following a “baseless” copyright complaint.
“It is time to draw a line in the sand and make clear that taking down political speech first and asking questions later is absolutely unacceptable behavior,” Adam Green, civic communications director at MoveOn.org, said in response to the McCain video deletion. Recently, another anti-Bush video surfaced on YouTube. This one pokes fun at World Bank President Paul Wolfowitz--who is currently embroiled in a controversy over a hiring that violates the organization’s policy--in the style of NBC’s popular TV show The Office. Democratic Presidential candidate John Edwards is mocked in a video showing him spending more than two minutes fussing with his hair and camera makeup. http://news.com.com/2100-1025_3-6178173.html [McCain video here: http://www.youtube.com/watch?v=hAzBxFaio1I; Wolfowitz video here: http://www.youtube.com/watch?v=7UlhLLiQo2Y; Edwards video here: http://www.youtube.com/watch?v=2AE847UXu3Q]
WARNER MUSIC REACHES $110 MILLION SETTLEMENT WITH BERTELSMANN RELATED TO NAPSTER ALLIANCE (SiliconValley.com, 24 April 2007) -- Warner Music Group Corp., parent company of record labels such as Bad Boy, Nonesuch, and Rhino, said Tuesday it reached a $110 million settlement with Bertelsmann related to copyright infringement claims after Bertelsmann invested in Napster. Bertelsmann AG invested in the file-swapping site in 2000. Under the settlement, Bertelsmann admitted no liability. http://www.siliconvalley.com/news/ci_5739296?nclick_check=1
YAHOO STRIKES DEAL TO CATALOG LYRICS ONLINE (SiliconValley.com, 24 April 2007) -- Yahoo has teamed up with Gracenote, an Emeryville company, to offer what it is calling “the largest catalog of legal, licensed song lyrics” on the Web. “It fills a huge, gaping hole out there,” said Ian Rogers, general manager of Yahoo Music. While there are plenty of Web sites offering lyrics, Gracenote is the first company to have gone through the painstaking process of negotiating deals with the thousands of publishers who own copyrights to the lyrics. The catalog offered by Yahoo will include lyrics of 400,000 songs owned by more than 10,000 publishers. About 9,000 artists are represented, ranging from classic names such as the Beatles and Bob Dylan to more recent stars like Radiohead and Beyonce. Craig Palmer, chief executive of Gracenote, said it took more than two years and nearly 100 deals to forge the legal framework behind the database. Gracenote then had to create standards for publishing lyrics on the Web and put together an automated system for compensating the songwriters. This can include as many as 10 writers on a single hip-hop song. “The copyrights, the database and the payments issues all had to be solved in order to bring this obvious service to market,” Palmer said. Yahoo’s song lyrics are supposed to be the official versions. Under the licensing agreement, Yahoo will share with copyright holders the revenue from the ads that will be displayed alongside the lyrics. Music publishers such as BMG Music Publishing, EMI Music Publishing, Sony/ATV Music Publishing, Universal Music Publishing Group and Warner/Chappell Music are contributing lyrics. http://www.siliconvalley.com/news/ci_5738001
INTEL PROPOSES PLAN TO RESTORE LOST DOCUMENTS IN AMD SUIT (SiliconValley.com, 24 April 2007) -- Intel Corp. on Tuesday said it came up with a plan to restore documents destroyed as the company braced for massive antitrust litigation, saying it “regrets the lapse in its retention practices.” Rival chip maker Sunnyvale, Calif.-based Advanced Micro Devices Inc. has attacked what it calls Intel’s “grim reaper” email destruction policies, exposed in antitrust litigation in federal court in Delaware. In court papers Tuesday, Santa Clara, Calif.-based Intel cited its recent purchase of a new email archive system that automatically saves all messages from designated document custodians as part of a plan to restore the lost materials. Filed in 2005, the case accuses Intel of misusing its market power in semiconductor chip manufacture to keep a lid on competition from AMD. Earlier this year, the long-simmering dispute heated up when Intel admitted to a potentially massive loss of documents that AMD was requesting to prepare its case. The two companies and lawyers for consumers who have joined in the antitrust lawsuit against Intel have been assessing the extent of the damage to documents that could become key evidence in the case. Tuesday, Intel filed a 39-page document setting out its plan to restore and supplement its database to make sure nothing important is left out of the mountain of data that AMD will be mining for evidence. The plan, Intel says, “will involve the processing and review of a huge, and as yet indeterminate volume of data.” The effort will be a costly one, Intel said, but the company wants to set things right. U.S. District Judge Joseph Farnan, who has appointed a special master to review the problem of the missing documents, said he would become personally involved at the stage where the accumulated data are tested to demonstrate whether incurable gaps exist. http://www.siliconvalley.com/news/ci_5740458
BANKS FILE DATA BREACH SUIT AGAINST TJX (CNET, 25 April 2007) -- The Massachusetts Bankers Association, a trade group, announced that it is filing a class action lawsuit against retailer TJX over a data breach that put more than 45 million credit and debit card holders at risk of having their financial information accessed. The bankers association, along with the Connecticut Bankers Association and Maine Association of Community Banks, filed the lawsuit in the U.S. District Court in Boston. The three banking associations represent almost 300 banks and are seeking to recover “tens of millions of dollars” in damages, according to the filing. Last month, TJX announced it discovered a data breach of its customers’ records that spanned a two-year period. http://news.com.com/2110-7350_3-6179237.html
OHIO U. RESTRICTS FILE SHARING (InsideHigherEd, 26 April 2007) -- Ohio University, under heavy pressure from the recording industry to curtail illegal downloading on campus, announced a plan Wednesday to monitor its campus network for peer-to-peer file sharing and disable Internet access for students violating a new policy restricting the use of all peer-to-peer technology. The university is one of just a handful of institutions, including the University of Florida, to adopt such a broad approach to restricting file sharing, said John C. Vaughn, executive vice president of the Association of American Universities. “The concern is that if the price of restricting illegal file sharing is also to shut off legal transactions, that’s a price that most institutions aren’t willing to pay,” said Vaughn, who has tracked file sharing policies for the association of research universities. But to the extent that institutions can find ways to zero in on peer-to-peer protocols that are “used overwhelmingly for illegal file sharing,” Vaughn said, “then I think some institutions think it’s a reasonable policy.” Ohio University employees will begin monitoring the network Friday for use of such file sharing programs as Ares, Azureus, BitTorrent, BitLord, KaZaA, LimeWire, Shareaza and uTorrent. Any use of peer-to-peer technology under the new policy could result in a loss of Internet access and, upon the second offense, a disciplinary referral — although it’s important to note that the university will be phasing the policy in on a flexible, still undetermined time frame, targeting the biggest users first, according to Sally Linder, a university spokeswoman. http://insidehighered.com/news/2007/04/26/ohio
GERMAN GOVERNMENT ADMITS IT IS ALREADY CONDUCTING ONLINE SEARCHES (Heise Online, 26 April 2007) -- At a meeting of the Bundestag’s Interior Affairs Committee on Wednesday, the Chancellor’s Office admitted that Germany’s secret services have been conducting controversial, covert online searches of computers since 2005 after being given an order to do so by then-Interior Minister Otto Schily (SPD). Gisela Piltz, spokesperson for home affairs from the FDP in the Bundestag, made these announcements after the German government was forced to answer her questions concerning the touchy subject of the monitoring of private PCs and storage units on the Internet. The government said that it does not see any breach of the privacy of telecommunications and the basic right to control personal data. The government did not say how many covert telecommunications investigations had already taken place. Apparently, the government is dealing with practical problems concerning these online searches. For instance, government officials have allegedly been complaining about more data being collected than could be managed. Piltz said that “the cat is out of the bag” now that the government has made this general confession. According to the neoliberal FDP, a mere order from a ministry does not provide any legal basis for such deep intervention in the basic rights of citizens. The party says that the German government’s opinion that such searches in apartments do not constitute a violation of privacy is an outrage as long as the computers are not “in the garden.” In March, the German government reacted to another request for information from the FDP, explaining that the German Office for the Protection of the Constitution already has the right to conduct covert searches of networked PCs and protected data storage media on the Internet. At the beginning of February, the German Supreme Court ruled that state investigators have no legal basis for covert searches via the Internet. 
In that case, the Court handed down a ruling concerning one of the German Criminal Police Office’s projects. Since then, politicians such as German Interior Minister Wolfgang Schäuble (CDU) and police spokespeople have been calling for a legal basis to be provided quickly so that state criminal prosecutors can search PCs and online data carriers. But support for such measures has not only come from the CDU: Dieter Wiefelspütz, the SPD’s spokesperson for home affairs in the Bundestag, has also repeatedly called for the creation of a legal basis for covert online searches within strictly defined legal boundaries. Recently, he also indirectly admitted that the state was already conducting online searches of hard drives. http://www.heise.de/english/newsticker/news/88895
ARIZ. HIGH COURT REVERSES RULING ON GOVERNMENT E-MAIL PRIVACY (Arizona Republic, 26 April 2007) -- It is up to a judge, not government officials, to decide which messages generated from government e-mail systems are private. The ruling came from the Arizona Supreme Court on Wednesday morning after Phoenix Newspapers Inc. appealed a court decision denying The Arizona Republic access to about 90 e-mails Stanley Griffis sent or received during his time as Pinal county manager. Now a court will review those e-mails to determine which messages should be released as public record to the newspaper. The Arizona Republic requested access to Griffis’ e-mails last year after the Pinal County Sheriff’s Office launched an investigation into the former county manager’s misuse of public funds. Pinal County gave up more than 700 messages but withheld dozens that county officials and Griffis considered confidential or private. A court of appeals ruled that Griffis, and in essence government officials, had the right to decide what e-mails are private and what could be withheld from public record. But the Arizona Supreme Court’s ruling reversed that decision. “In camera (court) review of disputed documents . . . reinforces this Court’s previous holding that the courts, rather than government officials, are the final arbiter of what qualifies as a public record,” states the opinion of the Supreme Court of Arizona. “Griffis bears the burden of establishing that the e-mails are not public records.” David Bodney, an attorney representing the newspaper, said the ruling establishes an “important protocol for public officials who would try to withhold their e-mail communications as purely personal.” “The public has a strong right to know that its top appointed official was not using e-mail to further his own private schemes,” Bodney said. http://www.azcentral.com/news/articles/0426ruling0426.html
THE EUROPEAN PARLIAMENT APPROVES NEW, STRICTER ANTI-PIRACY DIRECTIVE (NordicHardware.com, 26 April 2007) -- The European Parliament voted yes on the new, controversial directive Ipred 2, under which all kinds of intellectual property infringement are to be treated as criminal offences. The directive actually goes further than that and even criminalizes attempts to infringe copyright. In theory this means that basically all video sites, P2P developers and other services used to spread material around the web are criminal. There is an exception, though, and that is the end user: a user who downloads pirated material and uses it only for his or her own entertainment, study or research cannot be prosecuted under the new directive. Ipred 2 has been harshly criticized from day one by people saying it in turn infringes on people’s freedom of speech, and it has even been called a lobby directive from the media industry. The goal is to harmonize (the EP’s choice of word) the copyright laws of the EU member countries through the new directive. Some countries will adjust their fines and penalties to match the new directive, but they still vary a great deal between European countries: Great Britain is the strictest, with up to 10 years in prison, while the same crime carries only three months in Greece. http://www.nordichardware.com/news,6197.html
MUSIC INDUSTRY WINS UW IDS IN FILE-SHARING CASE (Wisconsin State Journal, 26 April 2007) -- As many as 53 UW-Madison students could be slapped with lawsuits by the music recording industry after a federal judge on Wednesday ordered the university to surrender their names and other information for sharing digital music files over the Internet. On Tuesday, 16 record companies represented by the Recording Industry Association of America filed a lawsuit in U.S. District Court seeking the names associated with 53 Internet connections for copyright infringement. On Wednesday, U.S. District Judge John Shabaz signed an order requiring UW-Madison to relinquish the names, addresses, telephone numbers, e-mail addresses and Media Access Control addresses for each of the 53 individuals. The lawsuit and decision came as no surprise to the university, which last month declined to send out “settlement letters” from the RIAA to alleged copyright violators among UW-Madison students. http://www.madison.com/wsj/home/local/index.php?ntid=131102
-- and --
CONGRESS UPS ANTE ON FILE SHARING (InsideHigherEd, 3 May 2007) -- If campus technology officers have been feeling left out as their colleagues in the financial aid office get all the fan mail from Congress, never fear. Now it’s their turn. A bipartisan group of House of Representatives lawmakers said Wednesday that they had written the presidents of 19 colleges and universities asking their officials to complete an expansive survey on the use of their campus networks for illegal downloading of copyrighted music, video or other digital content. The institutions (all universities, a list of which appears at bottom) were singled out because they had received the largest number of copyright infringement notices from the recording and movie industries in the most recent reporting period. The effort was spearheaded by lawmakers on the House Judiciary Committee, which has led Congress’s scrutiny of the campus downloading issue so far. But the fact that the signers of the letter included the chairman and senior Republican on the House Education and Labor Committee suggested — to the dismay of some college officials — that leaders on the education panel might be receptive to dealing with the issue in legislation to renew the Higher Education Act this year. http://insidehighered.com/news/2007/05/03/download
NCAA BARS TEXTING OF RECRUITS (InsideHigherEd, 27 April 2007) -- The Division I Board of Directors of the National Collegiate Athletic Association has voted to ban text-messaging between coaches and recruits. A student advisory group told NCAA leaders that text-messaging had become “intrusive” and “overused.” http://insidehighered.com/news/2007/04/27/qt
GOOGLE HALTS `HIJACKED’ ADS USED TO STEAL PERSONAL DATA (SiliconValley.com, 27 April 2007) -- Google yanked paid advertisements that online criminals were using to steal banking and other personal information from Web surfers looking for the Better Business Bureau and other sites. The ads, linked to 20 popular search terms, directed those who clicked on them to a booby-trapped site where their information could be captured. It was unclear how many people were affected before the breach was discovered this week, but computer security experts said Thursday the attack appears to be isolated and only targeting Windows XP users who had not properly updated their machines. They said the attack was unlikely to undermine Google’s core business of selling lucrative advertising links, which made up the bulk of the Mountain View-based company’s $3.08 billion in profit in 2006 and $1 billion in the first quarter of 2007 alone. Google said it dismantled the offending links and shut down the problem AdWords accounts Tuesday. The company is working with advertisers to identify any other malware-loaded sites that might be on the network, it said. However, the experts said the infiltration of the Web’s largest marketing network raises questions for the entire search industry about how to screen advertisers for those with nefarious motives. The criminals created their own Web site and outbid legitimate businesses in Google’s AdWords program to secure prime placement of ads linked to popular search terms. Users who clicked on those ads were then routed to the booby-trapped site before being sent on to the legitimate destination. http://www.siliconvalley.com/news/ci_5762859 [Editor: reminds me a bit of the Choicepoint fiasco inasmuch as Google apparently was doing business with unvetted criminal parties. ‘Know-Your-Customer’ may take on a whole new meaning.]
N.Y. AG GETS FIRST SETTLEMENT UNDER SECURITY BREACH NOTIFICATION LAW (Information Week, 27 April 2007) -- The New York Attorney General has obtained the first settlement under the state’s new security breach notification law. Attorney General Andrew Cuomo announced Thursday that his office has reached an agreement with CS Stars LLC, a Chicago-based claims management company, to implement precautionary procedures, comply with New York’s notification law in the event of another security breach, and pay $60,000 to the AG’s office for investigation costs. On May 9, 2006, an employee at CS Stars noticed that a computer was missing that held personal information, including the names, addresses, and Social Security numbers of recipients of workers’ compensation benefits, according to the AG’s office. The New York Special Funds Conservation Committee, a not-for-profit organization created to assist in providing benefits to workers under the New York Workers’ Compensation Law, was the owner of the data contained in the missing computer. It was not until June 29, 2006 that CS Stars first notified Special Funds of the security breach, the AG’s office reported. On the same date, the company notified the FBI as well. The FBI instructed the company not to send out any notifications to people who might be affected by the data breach because it might impede their investigation. According to the AG’s release, CS Stars notified the Attorney General’s office, the Consumer Protection Board, and the state Office of Cyber Security about the breach on June 30, 2006. Then on July 18, with the permission of the FBI, the company began sending out notices to the approximately 540,000 potentially affected New York consumers notifying them of the security breach. 
Under New York’s Information Security Breach and Notification Law, any business that maintains private information which it does not own must notify the owner of the data of any security breach “immediately following discovery” of the breach. They also must notify all affected consumers in the “most expedient time possible.” http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199202218
-- and --
GAO REPORT TARGETS DATA BREACH GUIDELINES (Network World, 30 April 2007) -- A U.S. Government Accountability Office (GAO) report issued Monday in response to a May 2006 data breach at the Department of Veterans Affairs says federal agencies should have uniform guidelines governing when to offer credit monitoring to individuals whose personal information is exposed. Veterans were denied the opportunity to take prompt steps to protect themselves against identity theft last year because internal delays kept key VA officials, including the agency’s secretary, in the dark for up to two weeks, the report states. One lesson learned after the breach is that federal agencies must have rapid internal notification of key officials, the GAO said. Today’s report urges the Office of Management and Budget, which oversees security and privacy for the federal government, to develop guidance agencies can use when determining whether to offer credit monitoring and other services that may reduce the risk of identity theft. Without such guidance, the GAO said, agencies may make inconsistent decisions that leave some people more vulnerable than others. http://www.networkworld.com/news/2007/043007-gao-data-breach-guidelines.html GAO report at http://www.gao.gov/new.items/d07657.pdf
ISO 17799 -- IT’S A CONTROL, NOT A STANDARD (Computerworld, 29 April 2007) -- I’m always interested when I learn that things aren’t the way I thought they were. Mom put “Santa’s” presents under the Christmas tree. Columbus didn’t discover America. Lee, Lifeson, and Peart aren’t equal to the Father, Son, and Holy Spirit. And, most recently, ISO 17799:2005 shouldn’t be used as a list of required controls for organizations to deploy. Don’t get me wrong. For something written by committee, the International Standards Organization and International Electrotechnical Commission Code of Practice for Information Security Management Reference Number 17799:2005 (from here on out ISO 17799) isn’t half bad. As anyone familiar with it knows, it’s a fairly exhaustive list of controls covering 11 major domains of information security (more on that later), from policy to compliance. It’s not perfect. Aside from the Briticisms (it is their language, after all), there are some areas where it doesn’t give enough depth or detail, others where it goes a little overboard, and some terminology that is just plain odd (“Threat Vulnerability Management,” anyone?). But these relatively minor shortcomings are outweighed by the overall benefits for those companies that turn to it for guidance. If your company is adopting ISO 17799 as a “standard,” however, you’re missing the point. ISO 17799 is a list of controls -- nothing more, nothing less. Notice the ample use of the word should throughout the document. Nowhere are there any requirements that an organization do anything. No ‘shall’ or ‘shall not’, no ‘do’ or ‘do not’ -- ISO 17799 is a list of guidelines, not requirements. This is a good thing. ISO 17799 was originally British Standard 7799-1, and meant to be adopted along with the other parts of the 7799 series, namely 7799-2 (Information Security Management Systems) and 7799-3 (Guidelines for Information Security Risk Management). 
Further muddying the waters, BS 7799-2 was recently adopted as ISO 27001. BS 7799-1/ISO 17799 will eventually be renumbered as ISO 27002. So what’s the point? That’s where ISO 27001 comes in. ISO 27001:2005 is a specification for an Information Security Management System (ISMS): These are things you must do to set up an ISMS. But what is an ISMS? The ISMS is the framework you need to have in place to define, implement and monitor the controls needed to protect the information in your company. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9018158&source=rss_topic146
DOJ BUSTS E-GOLD PAYMENT SERVICE ON MONEY LAUNDERING, CONSPIRACY CHARGES (Computerworld, 30 April 2007) -- A federal grand jury has indicted online payment provider E-gold Ltd. and three men on charges of money laundering and conspiracy. According to a four-count indictment unsealed Friday, Dr. Douglas Jackson, of Satellite Beach, Fla.; Reid Jackson, of Melbourne, Fla.; and Barry Downey, of Woodbine, Md.; and their company, E-gold, transferred funds even though they knew the monies were proceeds of child pornography, credit card fraud and bank fraud. E-gold carried out these transfers over a six-year period from 1999 to 2005, the government said. “Criminals of every stripe gravitated to E-gold as a place to move their money with impunity,” Jeffrey Taylor, U.S. Attorney for the District of Columbia, said in a statement. “The defendants in this case knowingly allowed them to do so and profited from their crimes.” After the indictment was handed down, federal prosecutors seized funds in 58 E-gold accounts and froze the company’s assets. E-gold can continue to operate under government supervision, however, and use existing funds to cash out unaffected accounts. E-gold, which was founded in 1996, has been a favorite of online scammers because it is completely anonymous, said Ron O’Brien, a senior security analyst at Sophos PLC. E-gold required only an e-mail address to register, and as a digital gold exchange it is not required to perform background checks on users. “E-gold has attracted cybercriminals because of the anonymity,” said O’Brien. The service has also been favored because payments are not reversible; once a payment is made, it can’t be retracted by the sender. In fact, several “ransomware” attacks -- malicious code that sneaked onto PCs, encrypted user files and then displayed a message demanding money to unlock the files -- have used E-gold as the payment method between victim and criminal, O’Brien noted. 
E-gold payments have also been linked to the notorious ShadowCrew identity theft gang. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9018291&source=rss_topic146
J.P. MORGAN CHASE PROBING DATA BREACH SHOWN IN YOUTUBE VIDEO (Computer World, 1 May 2007) -- Financial services firm J.P. Morgan Chase is investigating claims by a Washington, D.C.-based workers union that it dumped documents containing personal financial data belonging to its customers in garbage bags outside five branch offices in New York. Separately, it is also sending out letters to tens of thousands of Chicago-area customers and some employees about the potential compromise of their account information after a tape containing the data was reported missing. The Service Employees International Union, an organization claiming more than 1.8 million members countrywide, has posted a video on YouTube that supposedly shows documents containing account data -- including full customer names, addresses and Social Security numbers -- being discovered in trash bags outside the bank branches in and around New York City. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9018384&source=NLT_AM&nlid=1
RECOVERING THE COSTS OF ELECTRONIC DATA DISCOVERY AS PART OF A BILL OF COSTS (ABA’s Law Technology Today, 1 May 2007) -- In today’s world of exploding digital content, complying with discovery requests often means identifying, preserving, collecting, coding, reviewing and producing gigabytes, if not terabytes, of data. To satisfy these electronic data discovery (EDD) obligations – many of which are now codified in the recent amendments to the Federal Rules of Civil Procedure – litigants regularly turn to a wide variety of electronic discovery specialists to collect data, code it and build sophisticated computerized databases that make it possible for discovery reviews to proceed efficiently and for litigators to prepare for trial. These activities can be expensive, running from tens of thousands to hundreds of thousands and even millions of dollars in a single case, prompting litigants to seek vehicles for shifting this financial burden to their opponents. The recent amendments to the Federal Rules of Civil Procedure now codify the courts’ long-standing authority to shift unduly burdensome production costs to the party requesting the discovery.[1] This authority, however, rarely gets exercised and, at best, addresses only isolated requests for production and not the lion’s share of EDD-related costs. Six years ago, the Sedona Conference advocated that this issue be addressed by allowing prevailing parties to recover electronic discovery costs.[2] The recent decision in Lockheed Martin Idaho Technologies Co. (“LMITCO”)[3] indicates that courts may be increasingly inclined to adopt this approach when exercising their discretion under 28 U.S.C. § 1920 and its state counterparts – at least under certain circumstances. [Editor: LMITCO decision analysis follows.] http://www.abanet.org/lpm/ltt/articles/vol1/is2/Recovering_the_Costs_of_Electronic_Data_Discovery.shtml
THE RIGHT’S EXPLICIT AND CANDID REJECTION OF “THE RULE OF LAW” (Salon.com, 2 May 2007) -- The Wall St. Journal online has today published a lengthy and truly astonishing article by Harvard Government Professor Harvey Mansfield, which expressly argues that the power of the President is greater than “the rule of law.” The article bears this headline: The Case for the Strong Executive -- Under some circumstances, the Rule of Law must yield to the need for Energy. And it is the most explicit argument I have seen yet for vesting in the President the power to override and ignore the rule of law in order to receive the glories of what Mansfield calls “one-man rule.” That such an argument comes from Mansfield is unsurprising. He has long been a folk hero to what used to be the most extremist right-wing fringe but is now the core of the Republican Party. He devoted earlier parts of his career to warning of the dangers of homosexuality, particularly its effeminizing effect on our culture. [snip] But reading Mansfield has real value for understanding the dominant right-wing movement in this country. Because he is an academic, and a quite intelligent one, he makes intellectually honest arguments, by which I mean that he does not disguise what he thinks in politically palatable slogans, but instead really describes the actual premises on which political beliefs are based. And that is Mansfield’s value; he is a clear and honest embodiment of what the Bush movement is. In particular, he makes crystal clear that the so-called devotion to a “strong executive” by the Bush administration and the movement which supports it is nothing more than a belief that the Leader has the power to disregard, violate, and remain above the rule of law. And that is clear because Mansfield explicitly says that. And that is not just Mansfield’s idiosyncratic belief. 
He is simply stating -- honestly and clearly -- the necessary premises of the model of the Omnipotent Presidency which has taken root under the Bush presidency. http://www.salon.com/opinion/greenwald/2007/05/02/mansfield/ [Editor: I am *NOT* articulating ABA views in deciding to run this excerpt, only my own. Me? I think there’s nothing more important than the rule of law (slippery slope, and all that). The Journal’s article can be found here: http://opinionjournal.com/federation/feature/?id=110010014]
PERSPECTIVE: EVEN IN NET LITIGATION, IT’S ALL ABOUT LOCATION (CNET, 2 May 2007) -- The Web site DontDateHimGirl.com allows women to make anonymous postings about specific men. So it was that a defamation lawsuit got filed with respect to statements made on the site about one particular man. But the case was just dismissed for failure of personal jurisdiction, offering a signal lesson in why the details of the law matter. Let’s take a closer look at the facts of the case. On May 24, 2006, a profile of the plaintiff appeared on the DontDateHimGirl site. Additional postings about the man appeared later. In a lawsuit filed in state court in Pennsylvania, the plaintiff claimed that the profiles were false and misrepresented him as being a herpes-ridden gay or bisexual who had transmitted a sexually transmitted disease and had sired different children. The court determined that deciding whether a defendant’s use of an Internet Web site permits it to exercise jurisdiction over an out-of-state company under Pennsylvania’s Long-Arm Act requires looking to a “sliding scale” of contacts: the more contacts the defendants have with the state of Pennsylvania, the more likely it is appropriate for the court to find that it has personal jurisdiction over them. The court then embarked on an analysis of those contacts in this case. The court first noted that the server for the DontDateHimGirl.com site is located in Florida, not Pennsylvania, and that all Web site operations take place in Florida. The court also concluded that the site does not specifically solicit residents of Pennsylvania to post profiles on the site. However, the defendants apparently are aware that Pennsylvania residents will post profiles on the site. 
The court also found that while DontDateHimGirl.com maintains an online store on its server where users can purchase clothing and accessory items, the store has made sales to only six Pennsylvania residents, for less than five percent of the total sales of the store. After analyzing the foregoing facts, the court concluded that the defendants do not perform a “significant amount of commercial business over the Internet” as directly impacting Pennsylvania sufficient to warrant personal jurisdiction over the defendants in the state. Indeed, the court viewed the defendants’ activities as no more than “general advertising with the added convenience of an online registry.” The court recognized that the DontDateHimGirl.com Web site, like other sites, is accessible to anyone connected to the Internet anywhere in the world. The court rejected the notion that a defendant can be hauled into court in any state for any controversy, regardless of contacts with that particular state. This would violate principles of due process, according to the court. http://news.com.com/Even+in+Net+litigation%2C+its+all+about+location/2010-1028_3-6180169.html?tag=nefd.top
ARMY SQUEEZES SOLDIER BLOGS, MAYBE TO DEATH (Wired, 2 May 2007) -- The U.S. Army has ordered soldiers to stop posting to blogs or sending personal e-mail messages, without first clearing the content with a superior officer, Wired News has learned. The directive, issued April 19, is the sharpest restriction on troops’ online activities since the start of the Iraq war. And it could mean the end of military blogs, observers say. Military officials have been wrestling for years with how to handle troops who publish blogs. Officers have weighed the need for wartime discretion against the opportunities for the public to personally connect with some of the most effective advocates for the operations in Afghanistan and Iraq -- the troops themselves. The secret-keepers have generally won the argument, and the once-permissive atmosphere has slowly grown more tightly regulated. Soldier-bloggers have dropped offline as a result. The new rules obtained by Wired News require a commander be consulted before every blog update. “This is the final nail in the coffin for combat blogging,” said retired paratrooper Matthew Burden, editor of The Blog of War anthology. “No more military bloggers writing about their experiences in the combat zone. This is the best PR the military has -- its most honest voice out of the war zone. And it’s being silenced.” Army Regulation 530-1: Operations Security (OPSEC) restricts more than just blogs, however. Previous editions of the rules asked Army personnel to “consult with their immediate supervisor” before posting a document “that might contain sensitive and/or critical information in a public forum.” The new version, in contrast, requires “an OPSEC review prior to publishing” anything -- from “web log (blog) postings” to comments on internet message boards, from resumes to letters home. Active-duty troops aren’t the only ones affected by the new guidelines. 
Civilians working for the military, Army contractors -- even soldiers’ families -- are all subject to the directive as well. But, while the regulations may apply to a broad swath of people, not everybody affected can actually read them. In a Kafka-esque turn, the guidelines are kept on the military’s restricted Army Knowledge Online intranet. Many Army contractors -- and many family members -- don’t have access to the site. Even those able to get in are finding their access is blocked to that particular file. http://www.wired.com/politics/onlinerights/news/2007/05/army_bloggers New rule at http://blog.wired.com/defense/files/army_reg_530_1_updated.pdf; OPSEC rule at http://blog.wired.com/defense/files/army_reg_530_1_updated.pdf
GUIDELINES FOR OUTSOURCING GROW (National Law Journal, 3 May 2007) -- Responding to a growing trend of outsourcing legal services to other countries, three bar associations in the last year have issued opinions that aim to provide ethical guidelines for lawyers. The Los Angeles County Bar Association was the first to tackle the issue when it delivered an opinion in June 2006. It was followed by the Association of the Bar of the City of New York in August and, most recently, by the San Diego County Bar Association in January. The opinions are meant to guide lawyers considering outsourcing to foreign countries -- a cost-saving strategy an increasing number of law firms are relying on for myriad services. They range from advising attorneys when they must inform clients that work is being outsourced to charging “appropriate” fees. A 2005 study by Forrester Research, a technology and market research company in Cambridge, Mass., predicted that the value of legal outsourcing work to India could rise from $80 million to $4 billion by 2015. Prism Legal Consulting of Arlington, Va., which advises law firms on a number of issues, found more than 60 offshore legal services companies in October, compared with only 20 in March 2005. Paul Dutka, a partner in New York’s Weil, Gotshal & Manges who chairs the New York City bar association’s Committee on Professional and Judicial Ethics, said legal outsourcing will continue to command attention. http://www.law.com/jsp/llf/PubArticleLLF.jsp?id=1178096674507&rss=newswire
GOOGLE LISTS BELGIAN NEWSPAPERS AGAIN AS COPYRIGHT ROW COOLS (SiliconValley.com, 3 May 2007) -- Belgian French-language newspapers were back on Google on Thursday after agreeing that the search engine can link to their Web sites, the first signs of a thaw in a bitter copyright dispute. But neither has so far settled on a key part of the dispute: the use of newspaper story links used on Google News. In February, Google Inc. lost a lawsuit filed by the newspapers that forced it to remove headlines and links to news stories posted on its Google News service and stored in its search engine’s cache without the copyright owners’ permission. Google had earlier removed all reference to the newspapers to avoid legal trouble, meaning that a search for even the name of Belgian daily “Le Soir” would not bring up the publication’s Web site. But searchers will now find that paper and 16 others - although they will not be able to access stored versions of older content that the newspapers want to charge for. It is similar to the system used by The New York Times and others for premium content that marks stories with a “no archive” tag so it won’t be cached. In a joint statement, Google and the newspapers’ copyright group Copiepresse said they had decided that Google could once again list the newspapers on the search engine. But they made no mention of one of the main parts of their dispute, Google News, merely saying they were still in talks. http://www.siliconvalley.com/news/ci_5809436?nclick_check=1
SUPREME COURT MEETS YOUTUBE (ABA Journal, 4 May 2007) -- In a U.S. Supreme Court first, the justices have joined the Internet age, including digital access to videotaped evidence with an opinion. Scott v. Harris, No. 05-1631 (April 30). The grainy clip (Real Player), which can be reached via a hyperlink on the court’s opinions Web page, shows the view from the dashboard of a police car involved in a high-speed chase in suburban Atlanta. Although the video can’t physically be included in the published opinion, it is referenced in a footnote in which the URL is written out, notes Kathy Arberg, a spokeswoman for the court. “Because the video was referred to in the opinion, the court wanted to provide access to the video on its Web site,” Arberg says. This use of new technology is likely to be more interesting to many lawyers than the actual decision. Observers see the decision to post the clip as a milestone for the court, which has been notoriously reluctant to embrace new technology, especially cameras in its courtroom. “It’s about time,” says David Post, a professor at Temple Law School in Philadelphia. That’s because in more and more cases today, he says, “limitations of the print technology make it impossible or very difficult to actually understand the legal issues.” Post cites a Supreme Court case of more than a decade ago that he uses as a teaching tool in his copyright class. It concerned a 2 Live Crew rap cover of a famous Roy Orbison song, “Oh, Pretty Woman.” Orbison sued for copyright infringement, but 2 Live Crew successfully defended its version as a fair-use parody. Campbell v. Acuff-Rose Music 510 U.S. 569 (1994). http://www.abanet.org/journal/ereport/my4video.html
**** RESOURCES ****
PRIVACY’S OTHER PATH: RECOVERING THE LAW OF CONFIDENTIALITY (96 Georgetown Law Journal, 2007) -- Abstract: The familiar legend of privacy law holds that Samuel Warren and Louis Brandeis “invented” the right to privacy in 1890, and that William Prosser aided its development by recognizing four privacy torts in 1960. In this article, Professors Richards and Solove contend that Warren, Brandeis, and Prosser did not invent privacy law, but took it down a new path. Well before 1890, a considerable body of Anglo-American law protected confidentiality, which safeguards the information people share with others. Warren, Brandeis, and later Prosser turned away from the law of confidentiality to create a new conception of privacy based on the individual’s “inviolate personality.” English law, however, rejected Warren and Brandeis’s conception of privacy and developed a conception of privacy as confidentiality from the same sources used by Warren and Brandeis. Today, in contrast to the individualistic conception of privacy in American law, the English law of confidence recognizes and enforces expectations of trust within relationships. Richards and Solove explore how and why privacy law developed so differently in America and England. Understanding the origins and developments of privacy law’s divergent paths reveals that each body of law’s conception of privacy has much to teach the other. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=969495
YOUR IDENTITY HAS BEEN STOLEN: A 24-POINT RECOVERY CHECKLIST (AskTheAdvisor, 20 March 2007) -- If you are between the ages of 18 and 29 and you live in Phoenix or Los Angeles, your chances of identity theft are higher than the national average, according to the Federal Trade Commission (FTC). But, if you’re over age thirty and you live in Somerset, Vermont (population 5), don’t wipe the sweat off your brow just yet. Identity theft can occur through numerous methods, and you could be the next victim no matter where you live or your age. Identity theft accounted for 255,000 — or 37 percent — of more than 686,683 complaints registered with the FTC in 2005. These figures mark the sixth year in a row in which identity theft has topped the list of complaints filed with this agency. The most commonly reported form of identity theft was credit card fraud, followed by phone or utilities fraud, and bank (electronic funds transfer) and employment fraud. You can reduce your risks of identity theft, but you don’t have control over government agencies, hospitals, or retail stores that manage to lose your personal information. The following list will walk you through the steps that will help you recover your identity and restore your credit rating. [Lots of useful URLs in the web version.] http://www.yourcreditadvisor.com/blog/2007/03/your_identity_h.html
THE BEST AND WORST INTERNET LAWS (Informit.com, 20 April 2007) -- Over the past dozen years, the lure of regulating the Internet has proven irresistible to legislators. For example, in the 109th Congress, almost 1,100 introduced bills referenced the word “Internet.” Although this legislative activity doesn’t always come to fruition, hundreds of Internet laws have been passed by Congress and the states. This body of work is now large enough that we can identify some winners and losers. So in the spirit of good fun, I offer an opinionated list of my personal votes for the best and worst Internet statutes in the United States. http://www.informit.com/articles/printerfriendly.asp?p=717374&rl=1 [Editor: There’s real substance here.]
BLOGGER’S CODE OF CONDUCT (Wikipedia, ongoing) -- Tim O’Reilly called for bloggers to work together to create a Blogger’s Code of Conduct. This wiki is used for the development of this code of conduct. After a week’s discussion, we have decided to split this code into modules. Bloggers can choose the specific modules they want to apply to their new blog. Feel free to edit or add to any of these nodes, or visit the discussion page to discuss your thoughts. You can also join the mailing list to discuss this draft. Please do not simply remove points you disagree with, but discuss them on the talk page. http://blogging.wikia.com/wiki/Blogger%27s_Code_of_Conduct
CONGRESSPEDIA -- Welcome to Congresspedia, the “citizen’s encyclopedia on Congress” that anyone—including you—can edit. Congresspedia is a not-for-profit, collaborative project of the Center for Media and Democracy and the Sunlight Foundation and is overseen by an editor to help ensure fairness and accuracy. Congresspedia is part of SourceWatch, a wiki-based website documenting the people, organizations and issues shaping the public agenda. http://www.sourcewatch.org/index.php?title=Congresspedia
******* PERSONAL NOTE *******
Today my daughter, Elizabeth, graduates from the University of Florida. We’re very proud of her. Go Gators!
SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuire Wood’s Technology & Business Articles of Note, http://tinyurl.com/ywsusp
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
10. Readers’ submissions, and the editor’s discoveries.
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
ORDINARY CUSTOMERS FLAGGED AS TERRORISTS (Washington Post, 27 March 2007) -- Private businesses such as rental and mortgage companies and car dealers are checking the names of customers against a list of suspected terrorists and drug traffickers made publicly available by the Treasury Department, sometimes denying services to ordinary people whose names are similar to those on the list. The Office of Foreign Asset Control’s list of “specially designated nationals” has long been used by banks and other financial institutions to block financial transactions of drug dealers and other criminals. But an executive order issued by President Bush after the Sept. 11, 2001, attacks has expanded the list and its consequences in unforeseen ways. Businesses have used it to screen applicants for home and car loans, apartments and even exercise equipment, according to interviews and a report by the Lawyers’ Committee for Civil Rights of the San Francisco Bay Area to be issued today. “The way in which the list is being used goes far beyond contexts in which it has a link to national security,” said Shirin Sinnar, the report’s author. “The government is effectively conscripting private businesses into the war on terrorism but doing so without making sure that businesses don’t trample on individual rights.” The lawyers’ committee has documented at least a dozen cases in which U.S. customers have had transactions denied or delayed because their names were a partial match with a name on the list, which runs more than 250 pages and includes 3,300 groups and individuals. No more than a handful of people on the list, available online, are U.S. citizens. Yet anyone who does business with a person or group on the list risks penalties of up to $10 million and 10 to 30 years in prison, a powerful incentive for businesses to comply. The law’s scope is so broad and guidance so limited that some businesses would rather deny a transaction than risk criminal penalties, the report finds. http://www.washingtonpost.com/wp-dyn/content/article/2007/03/26/AR2007032602088_pf.html
NAVIGATING THE PCI STANDARD (CSOonline, 1 April 2007) -- In mid-December 2006, just as Visa was announcing a $20 million incentive to try to hurry compliance with the credit card industry’s data-security standard, a consultant for TJX was discovering precisely the sort of breach that the standard is supposed to prevent. An undisclosed number of transaction records from TJ Maxx, Marshalls and other TJX stores had been compromised. “Removed” by intruders, even. Exactly which records, when and by whom, the $16 billion retailer was unsure, although The Wall Street Journal later put the number of affected credit cards at more than 40 million. Behind the scenes, TJX executives began working with law enforcement and additional outside security experts to try to identify and fix the problem, prior to a January announcement of the breach. Meanwhile, in San Francisco, Visa was going public with an announcement of its own. Technically, if its merchants aren’t compliant with the Payment Card Industry (PCI) Data Security Standard, Visa can cut off their ability to accept Visa cards—a death sentence for commerce. Despite deadlines that had come and gone, however, only 36 percent of Visa’s largest merchants were following the rules. So starting in April, banks whose retail customers were in compliance and had not suffered security breaches would be eligible to receive funds from a pool of up to $20 million. In addition, Visa warned, it would increase fines to banks whose retail customers were not compliant and make PCI certification a requirement for some pricing discounts. As far as Visa is concerned, the standard is working—if only merchants would adopt it. “To date we have not seen that a PCI-compliant entity has been compromised,” Eduardo Perez, vice president for payment system risk at Visa, told CSO in January. Although he would not comment on the TJX incident specifically, he continued: “In every instance we’ve dealt with, compromised entities have not been compliant with PCI.” For critics, however, the TJX breach proves something else entirely. “It’s a perfect example of where the PCI program is not working,” says Avivah Litan, vice president and research director at Gartner. “It’s a good step. It’s good for the card brands to enforce security, but it’s impractical to expect 5 million retailers to become security experts.” In reality, the TJX breach is not so much an example as it is a test. Corporate America has long insisted that self-regulation, not government intervention, is the cure for what ails information security. Government regulations, they claim, tend to be poorly crafted and difficult to enforce; they turn into needlessly expensive exercises in bureaucratic paperwork. In response to the threat of such legislation, industry sectors have attempted to police themselves by establishing either voluntary guidelines or ones imposed by business partners. (See “Power Play.”) http://www.csoonline.com/read/040107/fea_pci_pf.html [Editor: the PCI DSS is available here: https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf ]
SELLING STUFF ONLINE? HERE COMES THE IRS (CNET, 13 April 2007) -- Americans who sell items through Internet auction sites could be in for an unpleasant surprise at tax time next year, thanks to an IRS proposal designed to identify taxpayers who don’t report income from those sales. The U.S. Treasury Department wants Congress to force auction sites like eBay, Amazon.com and uBid.com to turn over the identities and Social Security numbers of a large portion of their users to the IRS--so tax collectors know how much each person made through online selling. The effort is part of a larger plan, which enjoys enthusiastic support from both Democrats and Republicans, to close what’s known as the “tax gap.” It’s a broad term that covers Americans who don’t file tax returns or those who underreport their income, and the IRS believes it to total around $345 billion for the 2001 tax year. http://news.com.com/2100-1028_3-6176041.html
DOCS POINT TO E-VOTING BUG IN CONTESTED RACE (Wired, 17 April 2007) -- Symptoms consistent with a known software flaw in a popular electronic voting machine surfaced widely in a controversial election in Sarasota County, Florida, last November, despite county officials’ claims that a bug played no role in the election results, according to documents obtained by Wired News. Activists say the flaw might have contributed to the high number of lost or uncast votes in a now-contested congressional race. Incident reports from the election reveal Sarasota County poll workers from at least 19 precincts contacted technicians and election officials to report touch-screen sensitivity problems with the iVotronic voting machine. In those incidents, voters were forced to press the screen harder and repeatedly to register a vote. The complaints mirror the symptoms of a bug that the machine’s maker, Election Systems & Software, revealed prior to the election in a warning unheeded by the county. Additionally, the documents -- obtained through public records requests by Wired News and the Florida Fair Elections Coalition -- show the problems also appeared on a smaller scale during the primary election in Sarasota County two months earlier. This contradicts statements by Sarasota supervisor of elections Kathy Dent, who told Wired News last month that no such problems happened during the primary, and that she only learned voters were having problems with the touch screens after the November election was over and votes were counted. Seven voting machines had touch problems in the September primary, five of which later clocked in an unusually high number of “under votes” in the now-contested race for the U.S. House of Representative’s 13th Congressional District. http://www.wired.com/politics/onlinerights/news/2007/04/evotinganalysis
EU PRIVACY BODY CRITICIZES GOOGLE PRACTICES (MarketWatch, 19 April 2007) -- A European Union advisory body that monitors data privacy has written a letter to Google Inc. warning the No. 1 provider of Internet searches that its practices fall short of EU data protection standards, according to a person familiar with the group’s proceedings. Google confirmed that it received an earlier letter from the Norwegian Data Protection Group, which has a representative on the advisory body known as the Article 29 Working Party. A second letter is expected to be released by the European Commission on behalf of the Working Party, said the source, who spoke on condition of anonymity. Composed of privacy protection authorities from each of the EU’s 27 member nations, the group coordinates European privacy laws, and its member commissioners oversee privacy law in their home countries. If privacy authorities in those nations find Google in violation of data-protection statutes, the company can be fined. Google keeps a record of the Internet search habits of consumers who use its service. The U.S. government last year had asked Google and its search rivals, Yahoo Inc. and Microsoft Corp., for information as part of an investigation into online pornography. While Yahoo and Microsoft complied with the Justice Department subpoena for the data, Google refused the request, citing privacy concerns. A federal judge later ordered the company to release a less-extensive amount of information than U.S. officials had requested. The Mountain View, Calif.-based search giant’s data-collection and storage practices came under renewed scrutiny by the Working Party in the wake of Google’s $3.1 billion agreement to acquire fellow online ad firm DoubleClick, the source said. DoubleClick keeps extensive data on Internet ad campaigns, including who clicks on online banner ads and how often. Rivals of Google, as well as online privacy watchdog groups, have asked U.S. antitrust regulators to examine the combination, which will extend Google’s dominance of the online ad market. http://www.marketwatch.com/news/story/eu-privacy-body-criticizes-google/story.aspx?guid={578CE44F-EDC5-43A8-865A-51960583F9D3
CT RULES INTERNET ARCHIVE PRINTOUTS INADMISSIBLE (BNA’s Internet Law News, 19 April 2007) -- BNA’s Electronic Commerce & Law Report reports that a federal court in New York has ruled that printouts of Web pages purporting to indicate how a Web page appeared at a prior point in time, supplied by the Internet Archive’s “Wayback Machine” service, are inadmissible without authenticating testimony from someone familiar with how the pages were created. The court ruled that in the absence of testimony or sworn statements from an employee of the operators of the third-party Web sites attesting to the authenticity of the contested Web page exhibits, the Wayback Machine exhibits cannot be authenticated as required under the Rules of Evidence. Case name is Novak v. Petswarehouse.com
NINTH CIRCUIT HELPS DMCA DEFENDANTS FIND SAFE HARBOR (Steptoe & Johnson’s E-Commerce Law Week, 19 April 2007) -- The Digital Millennium Copyright Act (DMCA) limits service providers’ liability for certain online material, including for “Transitory Digital Network Communications,” “System Caching,” “Information Residing on Systems or Networks At [the] Direction of Users,” and “Information Location Tools” (17 U.S.C. § 512(a-d)). But claiming these safe harbors can be difficult, since online service providers must first show that they have “adopted and reasonably implemented ... a policy that ... terminat[es] in appropriate circumstances ... subscribers ... who are repeat infringers,” and that they have not “interfere[d] with standard technical measures” of “identify[ing] or protect[ing] copyrighted works.” In Perfect 10, Inc. v. CCBill LLC, the Ninth Circuit addressed the plaintiff’s claim that CCBill, an online payment processor, and CWIE, a web hosting service, should not be given safe harbor. By offering a definition of a “reasonably implemented” termination policy, this ruling should help providers of online services more easily determine whether they meet the threshold for claiming DMCA safe harbor. And, for copyright holders, the ruling shows what not to do when giving a service provider notice of infringement. http://www.steptoe.com/publications-4417.html
NY COURT CONVERTS CONVERSION INTO E-TORT (Steptoe & Johnson’s E-Commerce Law Week, 19 April 2007) -- The common law tort of conversion provides a remedy for the theft or other unauthorized interference with the ownership of the plaintiff’s personal property. This cause of action has traditionally been limited to tangible objects. But in Thyroff v. Nationwide Mutual Insurance Co., the New York State Court of Appeals last month explicitly extended the Empire State’s conversion tort to “electronic records,” finding that the tort’s history supported its expansion to “keep pace with the contemporary realities of widespread computer use.” Specifically, the ruling allows an insurance agent to maintain a conversion claim against his former employer, which had allegedly prevented the agent from accessing personal and business information stored on the company computer system. But the conversion tort also gives employers another tool for going after workers who purloin company data. http://www.steptoe.com/publications-4417.html
JUDGE REFUSES TO DISMISS GOOGLE TRADEMARK SUIT (Information Week, 19 April 2007) -- A U.S. judge refused Wednesday to dismiss a lawsuit against Google Inc. that charges the Web search leader’s AdWords program abuses trademarks. In making his decision to allow the case to move forward, U.S. District Court Judge Jeremy Fogel ruled the public has an interest in whether AdWords, the company’s popular pay-per-click advertising system, violates U.S. trademark law. American Blind & Wallpaper Factory Inc., the top U.S. reseller of window blinds, charged in its lawsuit that Google abuses trademarks by allowing rivals of a company to buy ads that appear when consumers search the Web for information on that business. Google has prevailed in two prior trademark suits filed against its pay-per-click ads. Auto insurer GEICO lost a federal case in Virginia, and computer repair site Rescuecom lost a similar federal case, but is appealing. The latest ruling granted some claims while rejecting others in Google’s motion for summary judgment, which asked the judge to dismiss American Blind’s trademark infringement claims against Google’s AdWords ad-selling program. “The large number of businesses and users affected by Google’s AdWords program indicates that a significant public interest exists in determining whether the AdWords program violates trademark law,” Fogel wrote in his decision. A Google spokesman said the company still has a motion for sanctions against American Blinds pending before Magistrate Judge Richard Seeborg, in the same federal court, alleging that American Blinds failed to disclose key evidence. http://www.informationweek.com/story/showArticle.jhtml?articleID=199100854&cid=RSSfeed_IWK_News
YOUTUBE DELETES VIDEO OF MCCAIN SINGING ‘BOMB IRAN’ (CNET, 20 April 2007) -- YouTube confirmed Friday that it had erroneously deleted and would restore a video of presidential candidate John McCain singing an impromptu ditty about starting a war with Iran. The Arizona senator joked about attacking the sovereign nation during a campaign stop in South Carolina this week, singing, to the tune of the Beach Boys song “Barbara Ann”: “That old, that old Beach Boys song, Bomb Iran. Bomb, bomb, bomb, bomb, anyway.” According to a video recorded by what appears to be a camera phone held by someone at the back of the room, the audience laughed at McCain’s rendition of the classic song. But the clip was deleted by YouTube, which is owned by Google. A spokesman for YouTube, who asked that his name not appear in this article, said, “We appreciate the prompt feedback from our community regarding the McCain video. It was flagged by our users, we reviewed it and it was mistakenly removed. We have examined the situation and have since reinstated the video.” The spokesman refused to answer any other questions, such as when, exactly, the video was deleted or what procedures are in place to ensure that political candidates don’t use YouTube’s complaint procedure to squelch critics. The popular video-sharing site permits users to flag videos as “inappropriate.” This is not the first time a controversy has erupted over political videos removed by YouTube. The Electronic Frontier Foundation has documented other videos that it says should not have been deleted. The EFF has filed suit against Viacom on behalf of MoveOn.org and Brave New Films, saying a satire of The Colbert Report was removed from YouTube following a “baseless” copyright complaint. “It is time to draw a line in the sand and make clear that taking down political speech first and asking questions later is absolutely unacceptable behavior,” Adam Green, civic communications director at MoveOn.org, said in response to the McCain video deletion. Recently, another anti-Bush video surfaced on YouTube. This one pokes fun at World Bank President Paul Wolfowitz--who is currently embroiled in a controversy over a hiring that violates the organization’s policy--in the style of NBC’s popular TV show The Office. Democratic Presidential candidate John Edwards is mocked in a video showing him spending more than two minutes fussing with his hair and camera makeup. http://news.com.com/2100-1025_3-6178173.html [McCain video here: http://www.youtube.com/watch?v=hAzBxFaio1I; Wolfowitz video here: http://www.youtube.com/watch?v=7UlhLLiQo2Y; Edwards video here: http://www.youtube.com/watch?v=2AE847UXu3Q]
WARNER MUSIC REACHES $110 MILLION SETTLEMENT WITH BERTELSMANN RELATED TO NAPSTER ALLIANCE (SiliconValley.com, 24 April 2007) -- Warner Music Group Corp., parent company of record labels such as Bad Boy, Nonesuch, and Rhino, said Tuesday it reached a $110 million settlement with Bertelsmann related to copyright infringement claims after Bertelsmann invested in Napster. Bertelsmann AG invested in the file-swapping site in 2000. Under the settlement, Bertelsmann admitted no liability. http://www.siliconvalley.com/news/ci_5739296?nclick_check=1
YAHOO STRIKES DEAL TO CATALOG LYRICS ONLINE (SiliconValley.com, 24 April 2007) -- Yahoo has teamed up with Gracenote, an Emeryville company, to offer what it is calling “the largest catalog of legal, licensed song lyrics” on the Web. “It fills a huge, gaping hole out there,” said Ian Rogers, general manager of Yahoo Music. While there are plenty of Web sites offering lyrics, Gracenote is the first company to have gone through the painstaking process of negotiating deals with the thousands of publishers who own copyrights to the lyrics. The catalog offered by Yahoo will include lyrics of 400,000 songs owned by more than 10,000 publishers. About 9,000 artists are represented, ranging from classic names such as the Beatles and Bob Dylan to more recent stars like Radiohead and Beyonce. Craig Palmer, chief executive of Gracenote, said it took more than two years and nearly 100 deals to forge the legal framework behind the database. Gracenote then had to create standards for publishing lyrics on the Web and put together an automated system for compensating the songwriters. This can include as many as 10 writers on a single hip-hop song. “The copyrights, the database and the payments issues all had to be solved in order to bring this obvious service to market,” Palmer said. Yahoo’s song lyrics are supposed to be the official versions. Under the licensing agreement, Yahoo will share with copyright holders the revenue from the ads that will be displayed alongside the lyrics. Music publishers such as BMG Music Publishing, EMI Music Publishing, Sony/ATV Music Publishing, Universal Music Publishing Group and Warner/Chappell Music are contributing lyrics. http://www.siliconvalley.com/news/ci_5738001
INTEL PROPOSES PLAN TO RESTORE LOST DOCUMENTS IN AMD SUIT (SiliconValley.com, 24 April 2007) -- Intel Corp. on Tuesday said it came up with a plan to restore documents destroyed as the company braced for massive antitrust litigation, saying it “regrets the lapse in its retention practices.” Rival chip maker Sunnyvale, Calif.-based Advanced Micro Devices Inc. has attacked what it calls Intel’s “grim reaper” email destruction policies, exposed in antitrust litigation in federal court in Delaware. In court papers Tuesday, Santa Clara, Calif.-based Intel cited a recently purchased email archive system that automatically saves all messages from designated document custodians as part of its plan to restore the lost materials. Filed in 2005, the case accuses Intel of misusing its market power in semiconductor chip manufacture to keep a lid on competition from AMD. Earlier this year, the long-simmering dispute heated up when Intel admitted to a potentially massive loss of documents that AMD was requesting to prepare its case. The two companies and lawyers for consumers who have joined in the antitrust lawsuit against Intel have been assessing the extent of the damage to documents that could become key evidence in the case. Tuesday, Intel filed a 39-page document setting out its plan to restore and supplement its database to make sure nothing important is left out of the mountain of data that AMD will be mining for evidence. The plan, Intel says, “will involve the processing and review of a huge, and as yet indeterminate volume of data.” The effort will be a costly one, Intel said, but the company wants to set things right. U.S. District Judge Joseph Farnan, who has appointed a special master to review the problem of the missing documents, said he would become personally involved at the stage where the accumulated data are tested to demonstrate whether incurable gaps exist. http://www.siliconvalley.com/news/ci_5740458
BANKS FILE DATA BREACH SUIT AGAINST TJX (CNET, 25 April 2007) -- The Massachusetts Bankers Association, a trade group, announced that it is filing a class action lawsuit against retailer TJX over a data breach that put more than 45 million credit and debit card holders at risk of having their financial information accessed. The bankers association, along with the Connecticut Bankers Association and Maine Association of Community Banks, filed the lawsuit in the U.S. District Court in Boston. The three banking associations represent almost 300 banks and are seeking to recover “tens of millions of dollars” in damages, according to the filing. Last month, TJX announced it discovered a data breach of its customers’ records that spanned a two-year period. http://news.com.com/2110-7350_3-6179237.html
OHIO U. RESTRICTS FILE SHARING (InsideHigherEd, 26 April 2007) -- Ohio University, under heavy pressure from the recording industry to curtail illegal downloading on campus, announced a plan Wednesday to monitor its campus network for peer-to-peer file sharing and disable Internet access for students violating a new policy restricting the use of all peer-to-peer technology. The university is one of just a handful of institutions, including the University of Florida, to adopt such a broad approach to restricting file sharing, said John C. Vaughn, executive vice president of the Association of American Universities. “The concern is that if the price of restricting illegal file sharing is also to shut off legal transactions, that’s a price that most institutions aren’t willing to pay,” said Vaughn, who has tracked file sharing policies for the association of research universities. But to the extent that institutions can find ways to zero in on peer-to-peer protocols that are “used overwhelmingly for illegal file sharing,” Vaughn said, “then I think some institutions think it’s a reasonable policy.” Ohio University employees will begin monitoring the network Friday for use of such file sharing programs as Ares, Azureus, BitTorrent, BitLord, KaZaA, LimeWire, Shareaza and uTorrent. Any use of peer-to-peer technology under the new policy could result in a loss of Internet access and, upon the second offense, a disciplinary referral — although it’s important to note that the university will be phasing the policy in on a flexible, still undetermined time frame, targeting the biggest users first, according to Sally Linder, a university spokeswoman. http://insidehighered.com/news/2007/04/26/ohio
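The Ohio University item says network staff will “monitor the network” for peer-to-peer clients and “zero in on peer-to-peer protocols.” The following is an added example, not code from the article or from any university, showing what the narrowest version of such a monitor actually keys on: the two on-the-wire artifacts that are unambiguous for BitTorrent, the peer-wire handshake (first byte 0x13 followed by the literal string “BitTorrent protocol”, then 8 reserved bytes, a 20-byte info_hash and a 20-byte peer_id) and an HTTP tracker announce/scrape request carrying a 20-byte info_hash. The packet payloads, IP addresses and info_hash values below are constructed for the example; a real deployment would feed it reassembled TCP payloads from a capture.

```python
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import unquote_to_bytes, urlsplit

# Peer-wire handshake layout (BEP 3):
#   <pstrlen=19><"BitTorrent protocol"><8 reserved bytes><20-byte info_hash><20-byte peer_id>
PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20  # 68 bytes

# Plain-HTTP tracker traffic: GET /announce?info_hash=<20 percent-encoded bytes>&... HTTP/1.x
REQUEST_LINE = re.compile(rb"^GET (\S+) HTTP/1\.[01]\r\n")
TRACKER_PATHS = ("/announce", "/scrape")


def classify(payload: bytes) -> Optional[dict]:
    """Return a finding for a BitTorrent handshake or an HTTP tracker request, else None."""
    # 1. Peer-wire handshake: fixed length prefix, fixed protocol string at offset 1.
    if len(payload) >= HANDSHAKE_LEN and payload[0] == len(PSTR) and payload[1:20] == PSTR:
        info_hash = payload[28:48]  # 1 + 19 + 8 = 28 bytes in
        return {"kind": "handshake", "info_hash": info_hash.hex()}

    # 2. Tracker announce/scrape over HTTP: only trust it if info_hash decodes to 20 bytes.
    m = REQUEST_LINE.match(payload)
    if m:
        target = urlsplit(m.group(1).decode("latin-1"))
        if target.path.endswith(TRACKER_PATHS):
            for pair in target.query.split("&"):
                key, _, value = pair.partition("=")
                if key == "info_hash":
                    raw = unquote_to_bytes(value)
                    if len(raw) == 20:
                        kind = "tracker_" + target.path.rsplit("/", 1)[-1]
                        return {"kind": kind, "info_hash": raw.hex()}
    return None


def scan(flows: Iterable[Tuple[str, bytes]]) -> List[dict]:
    """flows: (source_ip, tcp_payload) pairs. Returns one finding per matching flow."""
    hits = []
    for src, payload in flows:
        finding = classify(payload)
        if finding:
            hits.append({"src": src, **finding})
    return hits


# --- constructed sample traffic (not real captures) ---
INFO_HASH = bytes.fromhex("aa" * 20)
HANDSHAKE = b"\x13" + PSTR + b"\x00" * 8 + INFO_HASH + b"-UT1870-" + b"\x00" * 12
ANNOUNCE = (
    b"GET /announce?info_hash=" + b"".join(b"%%%02x" % b for b in INFO_HASH)
    + b"&peer_id=-UT1870-000000000000&port=6881&uploaded=0&downloaded=0&left=0 HTTP/1.1\r\n"
    b"Host: tracker.example\r\n\r\n"
)
WEB = b"GET /index.html HTTP/1.1\r\nHost: www.example.edu\r\n\r\n"
NOISE = b"\x13BitTorrent protoco"  # truncated: must not match

SAMPLE_FLOWS = [
    ("10.0.0.5", HANDSHAKE),
    ("10.0.0.5", ANNOUNCE),
    ("10.0.0.9", WEB),
    ("10.0.0.9", NOISE),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_FLOWS):
        print(hit)
```

Two caveats a campus network team would hit immediately: clients that enable Message Stream Encryption (obfuscated handshakes) and trackers reached over UDP or HTTPS produce none of these plaintext markers, so a monitor of this shape confirms BitTorrent use but cannot prove its absence; and the info_hash identifies a torrent, not whether the content is infringing, which is exactly the legal/illegal distinction the article quotes Vaughn worrying about.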
GERMAN GOVERNMENT ADMITS IT IS ALREADY CONDUCTING ONLINE SEARCHES (Heise Online, 26 April 2007) -- At a meeting of the Bundestag’s Interior Affairs Committee on Wednesday, the Chancellor’s Office admitted that Germany’s secret services have been conducting controversial, covert online searches of computers since 2005 after being given an order to do so by then-Interior Minister Otto Schily (SPD). Gisela Piltz, spokesperson for home affairs from the FDP in the Bundestag, made these announcements after the German government was forced to answer her questions concerning the touchy subject of the monitoring of private PCs and storage units on the Internet. The government said that it does not see any breach of the privacy of telecommunications and the basic right to control personal data. The government did not say how many covert telecommunications investigations had already taken place. Apparently, the government is dealing with practical problems concerning these online searches. For instance, government officials have allegedly been complaining about more data being collected than could be managed. Piltz said that “the cat is out of the bag” now that the government has made this general confession. According to the neoliberal FDP, a mere order from a ministry does not provide any legal basis for such deep intervention in the basic rights of citizens. The party says that the German government’s opinion that such searches in apartments do not constitute a violation of privacy is an outrage as long as the computers are not “in the garden.” In March, the German government reacted to another request for information from the FDP, explaining that the German Office for the Protection of the Constitution already has the right to conduct covert searches of networked PCs and protected data storage media on the Internet. At the beginning of February, the German Supreme Court ruled that state investigators have no legal basis for covert searches via the Internet. 
In that case, the Court handed down a ruling concerning one of the German Criminal Police Office’s projects. Since then, politicians such as German Interior Minister Wolfgang Schäuble (CDU) and police spokespeople have been calling for a legal basis to be provided quickly so that state criminal prosecutors can search PCs and online data carriers. But support for such measures has not only come from the CDU: Dieter Wiefelspütz, the SPD’s spokesperson for home affairs in the Bundestag, has also repeatedly called for the creation of a legal basis for covert online searches within strictly defined legal boundaries. Recently, he also indirectly admitted that the state was already conducting online searches of hard drives. http://www.heise.de/english/newsticker/news/88895
ARIZ. HIGH COURT REVERSES RULING ON GOVERNMENT E-MAIL PRIVACY (Arizona Republic, 26 April 2007) -- It is up to a judge, not government officials, to decide which messages generated from government e-mail systems are private. The ruling came from the Arizona Supreme Court on Wednesday morning after Phoenix Newspapers Inc. appealed a court decision denying The Arizona Republic access to about 90 e-mails Stanley Griffis sent or received during his time as Pinal county manager. Now a court will review those e-mails to determine which messages should be released as public record to the newspaper. The Arizona Republic requested access to Griffis’ e-mails last year after the Pinal County Sheriff’s Office launched an investigation into the former county manager’s misuse of public funds. Pinal County gave up more than 700 messages but withheld dozens that county officials and Griffis considered confidential or private. A court of appeals ruled that Griffis, and in essence government officials, had the right to decide what e-mails are private and what could be withheld from public record. But the Arizona Supreme Court’s ruling reversed that decision. “In camera (court) review of disputed documents . . . reinforces this Court’s previous holding that the courts, rather than government officials, are the final arbiter of what qualifies as a public record,” states the opinion of the Supreme Court of Arizona. “Griffis bears the burden of establishing that the e-mails are not public records.” David Bodney, an attorney representing the newspaper, said the ruling establishes an “important protocol for public officials who would try to withhold their e-mail communications as purely personal.” “The public has a strong right to know that its top appointed official was not using e-mail to further his own private schemes,” Bodney said. http://www.azcentral.com/news/articles/0426ruling0426.html
THE EUROPEAN PARLIAMENT APPROVES NEW, STRICTER ANTI-PIRACY DIRECTIVE (NordicHardware.com, 26 April 2007) -- The European Parliament voted yes on the new, controversial directive Ipred 2, which provides that all kinds of intellectual property infringement will be treated as criminal offenses. The directive is actually stricter than that and even criminalizes attempts to infringe copyright. In theory this means that basically all video sites, P2P developers and other services used to spread material around the web are criminal. There is an exception, though, and that is the end user: if a user downloads pirated material and uses it only for his or her own entertainment, study or research, he or she cannot be prosecuted under the new directive. Ipred 2 has been harshly criticized from day one by people who say it in turn infringes on freedom of speech, and it has even been called a lobby directive from the media industry. The goal is to harmonize (the EP’s choice of word) the copyright laws of the EU member countries through the new directive. Some countries will adjust their fines and penalties in line with the directive, but they still vary quite a lot between European countries: Great Britain is the strictest with up to 10 years in prison, while the same crime carries only three months in Greece. http://www.nordichardware.com/news,6197.html
MUSIC INDUSTRY WINS UW IDS IN FILE-SHARING CASE (Wisconsin State Journal, 26 April 2007) -- As many as 53 UW-Madison students could be slapped with lawsuits by the music recording industry after a federal judge on Wednesday ordered the university to surrender their names and other information for sharing digital music files over the Internet. On Tuesday, 16 record companies represented by the Recording Industry Association of America filed a lawsuit in U.S. District Court seeking the names associated with 53 Internet connections for copyright infringement. On Wednesday, U.S. District Judge John Shabaz signed an order requiring UW-Madison to relinquish the names, addresses, telephone numbers, e-mail addresses and Media Access Control addresses for each of the 53 individuals. The lawsuit and decision came as no surprise to the university, which last month declined to send out “settlement letters” from the RIAA to alleged copyright violators among UW-Madison students. http://www.madison.com/wsj/home/local/index.php?ntid=131102
-- and --
CONGRESS UPS ANTE ON FILE SHARING (InsideHigherEd, 3 May 2007) -- If campus technology officers have been feeling left out as their colleagues in the financial aid office get all the fan mail from Congress, never fear. Now it’s their turn. A bipartisan group of House of Representatives lawmakers said Wednesday that they had written the presidents of 19 colleges and universities asking their officials to complete an expansive survey on the use of their campus networks for illegal downloading of copyrighted music, video or other digital content. The institutions (all universities, a list of which appears at bottom) were singled out because they had received the largest number of copyright infringement notices from the recording and movie industries in the most recent reporting period. The effort was spearheaded by lawmakers on the House Judiciary Committee, which has led Congress’s scrutiny of the campus downloading issue so far. But the fact that the signers of the letter included the chairman and senior Republican on the House Education and Labor Committee suggested — to the dismay of some college officials — that leaders on the education panel might be receptive to dealing with the issue in legislation to renew the Higher Education Act this year. http://insidehighered.com/news/2007/05/03/download
NCAA BARS TEXTING OF RECRUITS (InsideHigherEd, 27 April 2007) -- The Division I Board of Directors of the National Collegiate Athletic Association has voted to ban text-messaging between coaches and recruits. A student advisory group told NCAA leaders that text-messaging had become “intrusive” and “overused.” http://insidehighered.com/news/2007/04/27/qt
GOOGLE HALTS `HIJACKED’ ADS USED TO STEAL PERSONAL DATA (SiliconValley.com, 27 April 2007) -- Google yanked paid advertisements that online criminals were using to steal banking and other personal information from Web surfers looking for the Better Business Bureau and other sites. The ads, linked to 20 popular search terms, directed those who clicked on them to a booby-trapped site where their information could be captured. It was unclear how many people were affected before the breach was discovered this week, but computer security experts said Thursday the attack appears to be isolated and only targeting Windows XP users who had not properly updated their machines. They said the attack was unlikely to undermine Google’s core business of selling lucrative advertising links, which made up the bulk of the Mountain View-based company’s $3.08 billion in profit in 2006 and $1 billion in the first quarter of 2007 alone. Google said it dismantled the offending links and shut down the problem AdWords accounts Tuesday. The company is working with advertisers to identify any other malware-loaded sites that might be on the network, it said. However, the experts said the infiltration of the Web’s largest marketing network raises questions for the entire search industry about how to screen advertisers for those with nefarious motives. The criminals created their own Web site and outbid legitimate businesses in Google’s AdWords program to secure prime placement of ads linked to popular search terms. Users who clicked on those ads were then routed to the booby-trapped site before being sent on to the legitimate destination. http://www.siliconvalley.com/news/ci_5762859 [Editor: reminds me a bit of the Choicepoint fiasco inasmuch as Google apparently was doing business with unvetted criminal parties. ‘Know-Your-Customer’ may take on a whole new meaning.]
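The mechanics the article describes are a redirect chain: the sponsored link for a trusted brand sends the click through a “booby-trapped” host and only then on to the legitimate destination, so the page the user finally sees looks right. The one screening check an ad network (or a corporate proxy team) can run without any knowledge of the exploit is to follow the click all the way and flag any hop whose host is neither the advertiser’s displayed domain nor a known ad redirector. The code below is an added example, not Google’s code or anything from the article; the hostnames (ads.example, drive-by.example, www.legit-bureau.example) and the HTTP responses are constructed so it runs offline, with the network fetch replaced by a lookup table of (status, Location header, body).

```python
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# A fetcher returns (status_code, Location header or None, body) for a URL.
Response = Tuple[int, Optional[str], str]
Fetcher = Callable[[str], Response]

# Client-side redirect that a 3xx-only follower would miss.
META_REFRESH = re.compile(
    r"<meta[^>]+http-equiv=[\"']?refresh[\"']?[^>]*url=([^\"'>\s]+)", re.I
)


def follow_chain(url: str, fetch: Fetcher, max_hops: int = 10) -> List[str]:
    """Follow HTTP 3xx and <meta refresh> redirects; return every URL visited in order."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location, body = fetch(chain[-1])
        nxt = None
        if 300 <= status < 400 and location:
            nxt = urljoin(chain[-1], location)
        else:
            m = META_REFRESH.search(body)
            if m:
                nxt = urljoin(chain[-1], m.group(1))
        if not nxt or nxt in seen:  # terminal page, or a redirect loop
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def same_site(host: str, site: str) -> bool:
    """host is `site` itself or a subdomain of it (simplification: no public-suffix list)."""
    host, site = host.lower(), site.lower()
    return host == site or host.endswith("." + site)


def audit_ad(display_url: str, destination_url: str, fetch: Fetcher,
             trusted_redirectors: Tuple[str, ...] = ()) -> dict:
    """Flag an ad whose click path touches a host that is neither the advertised
    site nor a known (hypothetical) ad-network redirector."""
    display = display_url if "://" in display_url else "http://" + display_url
    site = urlsplit(display).hostname or ""
    if site.startswith("www."):
        site = site[4:]
    chain = follow_chain(destination_url, fetch)
    hosts = [urlsplit(u).hostname or "" for u in chain]
    foreign = [h for h in hosts
               if not same_site(h, site) and h not in trusted_redirectors]
    return {"chain": chain, "foreign_hosts": foreign, "suspicious": bool(foreign)}


# --- constructed responses standing in for the network (hypothetical hosts) ---
CONSTRUCTED_WEB: Dict[str, Response] = {
    # ad network click tracker -> attacker-controlled host -> real site
    "http://ads.example/click?id=42": (302, "http://drive-by.example/landing", ""),
    "http://drive-by.example/landing": (
        200, None,
        '<html><meta http-equiv="refresh" '
        'content="0;url=http://www.legit-bureau.example/"></html>'),
    "http://www.legit-bureau.example/": (200, None, "<html>Bureau home</html>"),
    # an honest ad pointing straight at the advertiser
    "http://www.legit-bureau.example/consumers": (200, None, "<html>Consumers</html>"),
}


def constructed_fetch(url: str) -> Response:
    return CONSTRUCTED_WEB.get(url, (404, None, ""))


if __name__ == "__main__":
    print(audit_ad("www.legit-bureau.example", "http://ads.example/click?id=42",
                   constructed_fetch, trusted_redirectors=("ads.example",)))
```

Two things limit a check like this in practice, and both apply to the incident described: a malicious landing page will usually serve its exploit only to browsers that look like the targeted victim (here, unpatched Windows XP), so the crawler must present a realistic User-Agent and still may be shown a clean page; and the chain can be switched after the ad has been approved, so the check has to be repeated for live ads, not run once at submission.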
N.Y. AG GETS FIRST SETTLEMENT UNDER SECURITY BREACH NOTIFICATION LAW (Information Week, 27 April 2007) -- The New York Attorney General has obtained the first settlement under the state’s new security breach notification law. Attorney General Andrew Cuomo announced Thursday that his office has reached an agreement with CS Stars LLC, a Chicago-based claims management company, to implement precautionary procedures, comply with New York’s notification law in the event of another security breach, and pay $60,000 to the AG’s office for investigation costs. On May 9, 2006, an employee at CS Stars noticed that a computer was missing that held personal information, including the names, addresses, and Social Security numbers of recipients of workers’ compensation benefits, according to the AG’s office. The New York Special Funds Conservation Committee, a not-for-profit organization created to assist in providing benefits to workers under the New York Workers’ Compensation Law, was the owner of the data contained in the missing computer. It was not until June 29, 2006 that CS Stars first notified Special Funds of the security breach, the AG’s office reported. On the same date, the company notified the FBI, as well. The FBI instructed the company not to send out any notifications to people who might be affected by the data breach because it might impede the investigation. According to the AG’s release, CS Stars notified the Attorney General’s office, the Consumer Protection Board, and the state office of Cyber Security about the breach on June 30, 2006. Then on July 18, with the permission of the FBI, the company began sending out notices to the approximately 540,000 potentially affected New York consumers notifying them of the security breach. 
Under New York’s Information Security Breach and Notification Law, any business that maintains private information which it does not own must notify the owner of the data of any security breach “immediately following discovery” of the breach. They also must notify all affected consumers in the “most expedient time possible.” http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199202218
-- and --
GAO REPORT TARGETS DATA BREACH GUIDELINES (Network World, 30 April 2007) -- A U.S. Government Accountability Office (GAO) report issued Monday in response to a May 2006 data breach at the Department of Veterans Affairs says federal agencies should have uniform guidelines governing when to offer credit monitoring to individuals whose personal information is exposed. Veterans were denied the opportunity to take prompt steps to protect themselves against identity theft last year because internal delays kept key VA officials, including the agency’s secretary, in the dark for up to two weeks, the report states. One lesson learned after the breach is that federal agencies must have rapid internal notification of key officials, the GAO said. Today’s report urges the Office of Management and Budget, which oversees security and privacy for the federal government, to develop guidance agencies can use when determining whether to offer credit monitoring and other services that may reduce the risk of identity theft. Without such guidance, the GAO said, agencies may make inconsistent decisions that leave some people more vulnerable than others. http://www.networkworld.com/news/2007/043007-gao-data-breach-guidelines.html GAO report at http://www.gao.gov/new.items/d07657.pdf
ISO 17799 -- IT’S A CONTROL, NOT A STANDARD (Computerworld, 29 April 2007) -- I’m always interested when I learn that things aren’t the way I thought they were. Mom put “Santa’s” presents under the Christmas tree. Columbus didn’t discover America. Lee, Lifeson, and Peart aren’t equal to the Father, Son, and Holy Spirit. And, most recently, ISO 17799:2005 shouldn’t be used as a list of required controls for organizations to deploy. Don’t get me wrong. For something written by committee, the International Standards Organization and International Electrotechnical Commission Code of Practice for Information Security Management Reference Number 17799:2005 (from here on out ISO 17799) isn’t half bad. As anyone familiar with it knows, it’s a fairly exhaustive list of controls covering 11 major domains of information security (more on that later), from policy to compliance. It’s not perfect. Aside from the Briticisms (it is their language, after all), there are some areas where it doesn’t give enough depth or detail, others where it goes a little overboard, and some terminology that is just plain odd (“Threat Vulnerability Management,” anyone?). But these relatively minor shortcomings are outweighed by the overall benefits for those companies that turn to it for guidance. If your company is adopting ISO 17799 as a “standard,” however, you’re missing the point. ISO 17799 is a list of controls -- nothing more, nothing less. Notice the ample use of the word should throughout the document. Nowhere are there any requirements that an organization do anything. No ‘shall’ or ‘shall not’, no ‘do’ or ‘do not’ -- ISO 17799 is a list of guidelines, not requirements. This is a good thing. ISO 17799 was originally British Standard 7799-1, and meant to be adopted along with the other parts of the 7799 series, namely 7799-2 (Information Security Management Systems) and 7799-3 (Guidelines for Information Security Risk Management). 
Further muddying the waters, BS 7799-2 was recently adopted as ISO 27001. BS 7799-1/ISO 17799 will eventually be renumbered as ISO 27002. So what’s the point? That’s where ISO 27001 comes in. ISO 27001:2005 is a specification for an Information Security Management System (ISMS): These are things you must do to set up an ISMS. But what is an ISMS? The ISMS is the framework you need to have in place to define, implement and monitor the controls needed to protect the information in your company. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9018158&source=rss_topic146
DOJ BUSTS E-GOLD PAYMENT SERVICE ON MONEY LAUNDERING, CONSPIRACY CHARGES (Computerworld, 30 April 2007) -- A federal grand jury has indicted online payment provider E-gold Ltd. and three men on charges of money laundering and conspiracy. According to a four-count indictment unsealed Friday, Dr. Douglas Jackson, of Satellite Beach, Fla.; Reid Jackson, of Melbourne, Fla.; and Barry Downey, of Woodbine, Md.; and their company, E-gold, transferred funds even though they knew the monies were proceeds of child pornography, credit card fraud and bank fraud. E-gold carried out these transfers over a six-year period from 1999 to 2005, the government said. “Criminals of every stripe gravitated to E-gold as a place to move their money with impunity,” Jeffrey Taylor, U.S. Attorney for the District of Columbia, said in a statement. “The defendants in this case knowingly allowed them to do so and profited from their crimes.” After the indictment was handed down, federal prosecutors seized funds in 58 E-gold accounts and froze the company’s assets. E-gold can continue to operate under government supervision, however, and use existing funds to cash out unaffected accounts. E-gold, which was founded in 1996, has been a favorite of online scammers because it is completely anonymous, said Ron O’Brien, a senior security analyst at Sophos PLC. E-gold required only an e-mail address to register, and as a digital gold exchange it is not required to perform background checks on users. “E-gold has attracted cybercriminals because of the anonymity,” said O’Brien. The service has also been favored because payments are not reversible; once a payment is made, it can’t be retracted by the sender. In fact, several “ransomware” attacks -- malicious code that sneaked onto PCs, encrypted user files and then displayed a message demanding money to unlock the files -- have used E-gold as the payment method between victim and criminal, O’Brien noted. 
E-gold payments have also been linked to the notorious ShadowCrew identity theft gang. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9018291&source=rss_topic146
J.P. MORGAN CHASE PROBING DATA BREACH SHOWN IN YOUTUBE VIDEO (Computer World, 1 May 2007) -- Financial services firm J.P. Morgan Chase is investigating claims by a Washington, D.C.-based workers union that it dumped documents containing personal financial data belonging to its customers in garbage bags outside five branch offices in New York. Separately, it is also sending out letters to tens of thousands of Chicago-area customers and some employees about the potential compromise of their account information after a tape containing the data was reported missing. The Service Employees International Union, an organization claiming more than 1.8 million members countrywide, has posted a video on YouTube that supposedly shows documents containing account data -- including full customer names, addresses and Social Security numbers -- being discovered in trash bags outside the bank branches in and around New York City. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9018384&source=NLT_AM&nlid=1
RECOVERING THE COSTS OF ELECTRONIC DATA DISCOVERY AS PART OF A BILL OF COSTS (ABA’s Law Technology Today, 1 May 2007) -- In today’s world of exploding digital content, complying with discovery requests often means identifying, preserving, collecting, coding, reviewing and producing gigabytes, if not terabytes, of data. To satisfy these electronic data discovery (EDD) obligations – many of which are now codified in the recent amendments to the Federal Rules of Civil Procedure – litigants regularly turn to a wide variety of electronic discovery specialists to collect data, code it and build sophisticated computerized databases that make it possible for discovery reviews to proceed efficiently and for litigators to prepare for trial. These activities can be expensive, running from tens of thousands to hundreds of thousands and even millions of dollars in a single case, prompting litigants to seek vehicles for shifting this financial burden to their opponents. The recent amendments to the Federal Rules of Civil Procedure now codify the courts’ long-standing authority to shift unduly burdensome production costs to the party requesting the discovery.[1] This authority, however, rarely gets exercised and, at best, addresses only isolated requests for production and not the lion’s share of EDD-related costs. Six years ago, the Sedona Conference advocated that this issue be addressed by allowing prevailing parties to recover electronic discovery costs.[2] The recent decision in Lockheed Martin Idaho Technologies Co. (“LMITCO”)[3] indicates that courts may be increasingly inclined to adopt this approach when exercising their discretion under 28 U.S.C. § 1920 and its state counterparts – at least under certain circumstances. [Editor: LMITCO decision analysis follows.] http://www.abanet.org/lpm/ltt/articles/vol1/is2/Recovering_the_Costs_of_Electronic_Data_Discovery.shtml
THE RIGHT’S EXPLICIT AND CANDID REJECTION OF “THE RULE OF LAW” (Salon.com, 2 May 2007) -- The Wall St. Journal online has today published a lengthy and truly astonishing article by Harvard Government Professor Harvey Mansfield, which expressly argues that the power of the President is greater than “the rule of law.” The article bears this headline: The Case for the Strong Executive -- Under some circumstances, the Rule of Law must yield to the need for Energy. And it is the most explicit argument I have seen yet for vesting in the President the power to override and ignore the rule of law in order to receive the glories of what Mansfield calls “one-man rule.” That such an argument comes from Mansfield is unsurprising. He has long been a folk hero to what used to be the most extremist right-wing fringe but is now the core of the Republican Party. He devoted earlier parts of his career to warning of the dangers of homosexuality, particularly its effeminizing effect on our culture. [snip] But reading Mansfield has real value for understanding the dominant right-wing movement in this country. Because he is an academic, and a quite intelligent one, he makes intellectually honest arguments, by which I mean that he does not disguise what he thinks in politically palatable slogans, but instead really describes the actual premises on which political beliefs are based. And that is Mansfield’s value; he is a clear and honest embodiment of what the Bush movement is. In particular, he makes crystal clear that the so-called devotion to a “strong executive” by the Bush administration and the movement which supports it is nothing more than a belief that the Leader has the power to disregard, violate, and remain above the rule of law. And that is clear because Mansfield explicitly says that. And that is not just Mansfield’s idiosyncratic belief. 
He is simply stating -- honestly and clearly -- the necessary premises of the model of the Omnipotent Presidency which has taken root under the Bush presidency. http://www.salon.com/opinion/greenwald/2007/05/02/mansfield/ [Editor: I am *NOT* articulating ABA views in deciding to run this excerpt, only my own. Me? I think there’s nothing more important than the rule of law (slippery slope, and all that). The Journal’s article can be found here: http://opinionjournal.com/federation/feature/?id=110010014]
PERSPECTIVE: EVEN IN NET LITIGATION, IT’S ALL ABOUT LOCATION (CNET, 2 May 2007) -- The Web site DontDateHimGirl.com allows women to make anonymous postings about specific men. So it was that a defamation lawsuit got filed with respect to statements made on the site about one particular man. But the case was just dismissed for failure of personal jurisdiction, offering a signal lesson in why the details of the law matter. Let’s take a closer look at the facts of the case. On May 24, 2006, a profile of the plaintiff appeared on the DontDateHimGirl site. Additional postings about the man appeared later. In a lawsuit filed in state court in Pennsylvania, the plaintiff claimed that the profiles were false and misrepresented him as being a herpes-ridden gay or bisexual who had transmitted a sexually transmitted disease and had sired different children. The court determined that whether the use of an Internet Web site permits it to exercise jurisdiction over an out-of-state company under Pennsylvania’s Long-Arm Act required the court to look to a “sliding scale” of contacts. Namely, the more contacts by the defendants with the state of Pennsylvania, the more likely it is appropriate for the court to decide that it has personal jurisdiction over the defendants. The court then embarked on an analysis of those contacts in this case. The court first noted that the server for the DontDateHimGirl.com site is located in Florida, not Pennsylvania, and that all Web site operations take place in Florida. The court also concluded that the site does not specifically solicit residents of Pennsylvania to post profiles on the site. However, the defendants apparently are aware that Pennsylvania residents will post profiles on the site. 
The court also found that while DontDateHimGirl.com maintains an online store on its server where users can purchase clothing and accessory items, the store has made sales to only six Pennsylvania residents, for less than five percent of the total sales of the store. After analyzing the foregoing facts, the court concluded that the defendants do not perform a “significant amount of commercial business over the Internet” as directly impacting Pennsylvania sufficient to warrant personal jurisdiction over the defendants in the state. Indeed, the court viewed the defendants’ activities as no more than “general advertising with the added convenience of an online registry.” The court recognized that the DontDateHimGirl.com Web site, like other sites, is accessible to anyone connected to the Internet anywhere in the world. The court rejected the notion that a defendant can be hauled into court in any state for any controversy, regardless of contacts with that particular state. This would violate principles of due process, according to the court. http://news.com.com/Even+in+Net+litigation%2C+its+all+about+location/2010-1028_3-6180169.html?tag=nefd.top
ARMY SQUEEZES SOLDIER BLOGS, MAYBE TO DEATH (Wired, 2 May 2007) -- The U.S. Army has ordered soldiers to stop posting to blogs or sending personal e-mail messages, without first clearing the content with a superior officer, Wired News has learned. The directive, issued April 19, is the sharpest restriction on troops’ online activities since the start of the Iraq war. And it could mean the end of military blogs, observers say. Military officials have been wrestling for years with how to handle troops who publish blogs. Officers have weighed the need for wartime discretion against the opportunities for the public to personally connect with some of the most effective advocates for the operations in Afghanistan and Iraq -- the troops themselves. The secret-keepers have generally won the argument, and the once-permissive atmosphere has slowly grown more tightly regulated. Soldier-bloggers have dropped offline as a result. The new rules obtained by Wired News require a commander be consulted before every blog update. “This is the final nail in the coffin for combat blogging,” said retired paratrooper Matthew Burden, editor of The Blog of War anthology. “No more military bloggers writing about their experiences in the combat zone. This is the best PR the military has -- its most honest voice out of the war zone. And it’s being silenced.” Army Regulation 530-1: Operations Security (OPSEC) restricts more than just blogs, however. Previous editions of the rules asked Army personnel to “consult with their immediate supervisor” before posting a document “that might contain sensitive and/or critical information in a public forum.” The new version, in contrast, requires “an OPSEC review prior to publishing” anything -- from “web log (blog) postings” to comments on internet message boards, from resumes to letters home. Active-duty troops aren’t the only ones affected by the new guidelines. 
Civilians working for the military, Army contractors -- even soldiers’ families -- are all subject to the directive as well. But, while the regulations may apply to a broad swath of people, not everybody affected can actually read them. In a Kafka-esque turn, the guidelines are kept on the military’s restricted Army Knowledge Online intranet. Many Army contractors -- and many family members -- don’t have access to the site. Even those able to get in are finding their access is blocked to that particular file. http://www.wired.com/politics/onlinerights/news/2007/05/army_bloggers New rule at http://blog.wired.com/defense/files/army_reg_530_1_updated.pdf; OPSEC rule at http://blog.wired.com/defense/files/army_reg_530_1_updated.pdf
GUIDELINES FOR OUTSOURCING GROW (National Law Journal, 3 May 2007) -- Responding to a growing trend of outsourcing legal services to other countries, three bar associations in the last year have issued opinions that aim to provide ethical guidelines for lawyers. The Los Angeles County Bar Association was the first to tackle the issue when it delivered an opinion in June 2006. It was followed by the Association of the Bar of the City of New York in August and, most recently, by the San Diego County Bar Association in January. The opinions are meant to guide lawyers considering outsourcing to foreign countries -- a cost-saving strategy an increasing number of law firms are relying on for myriad services. They range from advising attorneys when they must inform clients that work is being outsourced to charging “appropriate” fees. A 2005 study by Forrester Research, a technology and market research company in Cambridge, Mass., predicted that the value of legal outsourcing work to India could rise from $80 million to $4 billion by 2015. Prism Legal Consulting of Arlington, Va., which advises law firms on a number of issues, found more than 60 offshore legal services companies in October, compared with only 20 in March 2005. Paul Dutka, a partner in New York’s Weil, Gotshal & Manges who chairs the New York City bar association’s Committee on Professional and Judicial Ethics, said legal outsourcing will continue to command attention. http://www.law.com/jsp/llf/PubArticleLLF.jsp?id=1178096674507&rss=newswire
GOOGLE LISTS BELGIAN NEWSPAPERS AGAIN AS COPYRIGHT ROW COOLS (SiliconValley.com, 3 May 2007) -- Belgian French-language newspapers were back on Google on Thursday after agreeing that the search engine can link to their Web sites, the first signs of a thaw in a bitter copyright dispute. But neither has so far settled on a key part of the dispute: the use of newspaper story links used on Google News. In February, Google Inc. lost a lawsuit filed by the newspapers that forced it to remove headlines and links to news stories posted on its Google News service and stored in its search engine’s cache without the copyright owners’ permission. Google had earlier removed all reference to the newspapers to avoid legal trouble, meaning that a search for even the name of Belgian daily “Le Soir” would not bring up the publication’s Web site. But searchers will now find that paper and 16 others - although they will not be able to access stored versions of older content that the newspapers want to charge for. It is similar to the system used by The New York Times and others for premium content that marks stories with a “no archive” tag so it won’t be cached. In a joint statement, Google and the newspapers’ copyright group Copiepresse said they had decided that Google could once again list the newspapers on the search engine. But they made no mention of one of the main parts of their dispute, Google News, merely saying they were still in talks. http://www.siliconvalley.com/news/ci_5809436?nclick_check=1
SUPREME COURT MEETS YOUTUBE (ABA Journal, 4 May 2007) -- In a U.S. Supreme Court first, the justices have joined the Internet age, including digital access to videotaped evidence with an opinion. Scott v. Harris, No. 05-1631 (April 30). The grainy clip (Real Player), which can be reached via a hyperlink on the court’s opinions Web page, shows the view from the dashboard of a police car involved in a high-speed chase in suburban Atlanta. Although the video can’t physically be included in the published opinion, it is referenced in a footnote in which the URL is written out, notes Kathy Arberg, a spokeswoman for the court. “Because the video was referred to in the opinion, the court wanted to provide access to the video on its Web site,” Arberg says. This use of new technology is likely to be more interesting to many lawyers than the actual decision. Observers see the decision to post the clip as a milestone for the court, which has been notoriously reluctant to embrace new technology, especially cameras in its courtroom. “It’s about time,” says David Post, a professor at Temple Law School in Philadelphia. That’s because in more and more cases today, he says, “limitations of the print technology make it impossible or very difficult to actually understand the legal issues.” Post cites a Supreme Court case of more than a decade ago that he uses as a teaching tool in his copyright class. It concerned a 2 Live Crew rap cover of a famous Roy Orbison song, “Oh, Pretty Woman.” Orbison sued for copyright infringement, but 2 Live Crew successfully defended its version as a fair-use parody. Campbell v. Acuff-Rose Music 510 U.S. 569 (1994). http://www.abanet.org/journal/ereport/my4video.html
**** RESOURCES ****
PRIVACY’S OTHER PATH: RECOVERING THE LAW OF CONFIDENTIALITY (96 Georgetown Law Journal, 2007) -- Abstract: The familiar legend of privacy law holds that Samuel Warren and Louis Brandeis “invented” the right to privacy in 1890, and that William Prosser aided its development by recognizing four privacy torts in 1960. In this article, Professors Richards and Solove contend that Warren, Brandeis, and Prosser did not invent privacy law, but took it down a new path. Well before 1890, a considerable body of Anglo-American law protected confidentiality, which safeguards the information people share with others. Warren, Brandeis, and later Prosser turned away from the law of confidentiality to create a new conception of privacy based on the individual’s “inviolate personality.” English law, however, rejected Warren and Brandeis’s conception of privacy and developed a conception of privacy as confidentiality from the same sources used by Warren and Brandeis. Today, in contrast to the individualistic conception of privacy in American law, the English law of confidence recognizes and enforces expectations of trust within relationships. Richards and Solove explore how and why privacy law developed so differently in America and England. Understanding the origins and developments of privacy law’s divergent paths reveals that each body of law’s conception of privacy has much to teach the other. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=969495
YOUR IDENTITY HAS BEEN STOLEN: A 24-POINT RECOVERY CHECKLIST (AskTheAdvisor, 20 March 2007) -- If you are between the ages of 18 and 29 and you live in Phoenix or Los Angeles, your chances for identity theft are higher than the national average according to the Federal Trade Commission (FTC). But, if you’re over age thirty and you live in Somerset, Vermont (population 5), don’t wipe the sweat off your brow just yet. Identity theft can occur through numerous methods, and you could be the next victim no matter where you live or your age. Identity theft accounted for 255,000 — or 37 percent — of more than 686,683 complaints registered with the FTC in 2005. These figures mark the sixth year in a row where identity theft has topped the list of complaints filed with this agency. The most commonly reported form of identity theft was credit card fraud, followed by phone or utilities fraud, and bank (electronic funds transfer) and employment fraud. You can reduce your risks for identity theft, but you don’t have control over government agencies, hospitals, or retail stores that manage to lose your personal information. The following list will walk you through the steps that will help you recover your identity and restore your credit rating. [Lots of useful URLs in the web version.] http://www.yourcreditadvisor.com/blog/2007/03/your_identity_h.html
THE BEST AND WORST INTERNET LAWS (Informit.com, 20 April 2007) -- Over the past dozen years, the lure of regulating the Internet has proven irresistible to legislators. For example, in the 109th Congress, almost 1,100 introduced bills referenced the word “Internet.” Although this legislative activity doesn’t always come to fruition, hundreds of Internet laws have been passed by Congress and the states. This body of work is now large enough that we can identify some winners and losers. So in the spirit of good fun, I offer an opinionated list of my personal votes for the best and worst Internet statutes in the United States. http://www.informit.com/articles/printerfriendly.asp?p=717374&rl=1 [Editor: There’s real substance here.]
BLOGGER’S CODE OF CONDUCT (Wikipedia, ongoing) -- Tim O’Reilly called for bloggers to work together to create a Blogger’s Code of Conduct. This wiki is used for the development of this code of conduct. After a week’s discussion, we have decided to split this code into modules. Bloggers can choose the specific modules they want to apply to their new blog. Feel free to edit or add to any of these nodes, or visit the discussion page to discuss your thoughts. You can also join the mailing list to discuss this draft. Please do not simply remove points you disagree with, but discuss them on the talk page. http://blogging.wikia.com/wiki/Blogger%27s_Code_of_Conduct
CONGRESSPEDIA -- Welcome to Congresspedia, the “citizen’s encyclopedia on Congress” that anyone—including you—can edit. Congresspedia is a not-for-profit, collaborative project of the Center for Media and Democracy and the Sunlight Foundation and is overseen by an editor to help ensure fairness and accuracy. Congresspedia is part of SourceWatch, a wiki-based website documenting the people, organizations and issues shaping the public agenda. http://www.sourcewatch.org/index.php?title=Congresspedia
******* PERSONAL NOTE *******
Today my daughter, Elizabeth, graduates from the University of Florida. We’re very proud of her. Go Gators!
SOURCES:
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuire Wood’s Technology & Business Articles of Note, http://tinyurl.com/ywsusp.
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com.
10. Readers’ submissions, and the editor’s discoveries.
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.