Saturday, May 26, 2007

MIRLN -- Misc. IT Related Legal News [6-26 May 2007; v10.07]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of the American Bar Association’s Cyberspace Law Committee and Dickinson Wright PLLC. Dickinson Wright’s IT & Security Law practice group is described at

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley ( with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at and blogged at

**************End of Introductory Note***************

CONFIDENTIALITY. NOT OK TO LOOK AT METADATA IN ALABAMA (Freivogel on Conflicts, 2 May 2007) -- The [Alabama Ethics] Committee opined that lawyers have a duty under Rule 1.6 to scrub metadata from certain documents. The Committee also opined that it is a violation of Rule 8.4 for lawyers to “mine” metadata from documents received from opponents. The Committee relied specifically upon N.Y. Ops. 749 (2001) & 782 (2004). The Committee did not mention ABA Op. 06-442 (Aug. 2006), which said that mining for metadata was not a violation of ethics rules. Opinion at

SUPREME COURT DECISION CHALLENGES SOFTWARE PATENTS (, 4 May 2007) -- When the Supreme Court of the United States ruled for KSR in the case of KSR Int’l Co. v. Teleflex Inc. , it also served notice to the software industry that major changes may be afoot in both the granting and protecting of existing software patents. For several years now, software patents have frequently been seen by many as stifling innovation , granting intellectual property claims for ideas that had been around for decades and awarding the companies that hold them hundreds of millions of dollars - such as in RIM vs. NTP - even when the patents themselves have been rejected by the U.S. Patent and Trademark Office. Now, as Pamela Jones, editor of the intellectual property law news site Groklaw , noted, “The standout paragraph” in the decision written by Supreme Court Justice Anthony Kennedy read: “We build and create by bringing to the tangible and palpable reality around us new works based on instinct, simple logic, ordinary inferences, extraordinary ideas, and sometimes even genius. These advances, once part of our shared knowledge, define a new threshold from which innovation starts once more. And as progress beginning from higher levels of achievement is expected in the normal course, the results of ordinary innovation are not the subject of exclusive rights under the patent laws. Were it otherwise patents might stifle, rather than promote, the progress of useful arts.” Jones, a paralegal, observed, “The court has raised the obviousness bar, or as they probably view it put it back where the founding fathers meant it to be.” Lawrence Rosen, a partner in the law firm Rosenlaw & Einschlag and well-known open-source law expert, is inclined to agree. “As of April 30, many fewer patents will be valid under the Supreme Court’s newly articulated obviousness standard for patentability. Software developers and distributors are at much less risk of being sued over obvious patents.” Another result, according to Rosen, should be that “ [t]he quality of issued software patents will rise, but there will be far fewer of them.” Daniel Ravicher, attorney and the head of the Public Patent Foundation , a nonprofit legal services organization that represents the public’s interests against the harms caused by the patent system, isn’t quite so optimistic: “Well, what the KSR case says is one thing, while what the Federal Circuit - the pro-patent appeals court - does in response to KSR may be quite another. We know the Supreme Court will not take every patent case, so we’ll have to wait and see what the Federal Circuit does with this new instruction.” Ravicher continued, “KSR will make it easier for challengers to prove software patents are invalid for being obvious. But just because the task is easier doesn’t necessarily mean more people will take up the task. It’s still expensive and timely to challenge a software patent, so people need to have the right incentives to do so.” Richard Fontana, counsel for the Software Freedom Law Center , which provides legal representation and other law-related services to protect and advance free and open-source software, agrees with Ravicher on this point. “KSR will make it easier for deep-pockets defendants in patent infringement cases to successfully challenge the validity of software patents,” he said. “Although the KSR case itself dealt with fairly simple mechanical technology, it is peculiarly relevant to software patents, since so many software patents involve combinations of elements that themselves are easily shown to be old technology,” said Fontana. “The overall effect may be a diminution in the value of patents, particularly software patents, and therefore perhaps some reduction in the amount of litigation.”

BUSH WANTS PHONE FIRMS IMMUNE TO PRIVACY SUITS (Washington Post, 4 May 2007) -- The Bush administration is urging Congress to pass a law that would halt dozens of lawsuits charging phone companies with invading ordinary citizens’ privacy through a post-Sept. 11 warrantless surveillance program. The measure is part of a legislative package drafted by the Justice Department to relax provisions in the 1978 Foreign Intelligence Surveillance Act (FISA) that restrict the administration’s ability to intercept electronic communications in the United States. If passed, the proposed changes would forestall efforts to compel disclosure of the program’s details through Congress or the court system. The government asserts that the blanket immunity is necessary to protect sensitive national security information. “If companies are alleged to have cooperated with the government to protect our nation against another attack, they should not be held liable for any assistance they are alleged to have provided,” Justice Department spokesman Dean Boyd said. The immunity would be limited to assistance from Sept. 11, 2001, to the date the measure becomes law.

-- and --

VERIZON SAYS PHONE RECORD DISCLOSURE IS PROTECTED FREE SPEECH (ArsTechnica, 7 May 2007) -- Verizon is one of the phone companies currently being sued over its alleged disclosure of customer phone records to the NSA. In a response to the court last week, the company asked for the entire consolidated case against it to be thrown out--on free speech grounds. The response also alleges that the case should be thrown out because even looking into the issue could violate state secrets, of course, but a much longer section of the response tries to make the case that Verizon has a First Amendment right to “petition” the government. “Based on plaintiffs’ own allegations, defendants’ right to communicate such information to the government is fully protected by the Free Speech and Petition Clauses of the First Amendment,” argue Verizon’s lawyers. Essentially, the argument is that turning over truthful information to the government is free speech, and the EFF and ACLU can’t do anything about it. In fact, Verizon basically argues that the entire lawsuit is a giant SLAPP (Strategic Lawsuit Against Public Participation) suit, and that the case is an attempt to deter the company from exercising its First Amendment right to turn over customer calling information to government security services. “Communicating facts to the government is protected petitioning activity,” says the response, even when the communication of those facts would normally be illegal or would violate a company’s owner promises to its customers. Verizon argues that, if the EFF and other groups have concerns about customer call records, the only proper remedy “is to impose restrictions on the government, not on the speaker’s right to communicate.” [Wow.]

FORGERY TRADE LOSSES ‘UNDER $200BN’ (Financial Times, 7 May 2007) -- International trade losses due to product counterfeiting and piracy are much lower than estimated by business lobby groups, according to the most detailed global study to date. Trade losses in 2005 were “up to $200bn”, according to the executive summary of a report by the Organisation for Economic Co-operation and Development, obtained by the Financial Times. This compares with the business estimates for international trade losses, ranging upwards from $600bn. The report, due for endorsement by the OECD board later this month, could prove embarrassing for international business lobbies, which have used the higher estimates to lift intellectual property rights up the global political agenda and to demand crackdowns in China and elsewhere.

A BIG STRETCH (New York Times Op-Ed, 7 May 2007) -- I grew up watching my father stand on his head every morning. He was doing sirsasana, a yoga pose that accounts for his youthful looks well into his 60s. Now he might have to pay a royalty to an American patent holder if he teaches the secrets of his good health to others. The United States Patent and Trademark Office has issued 150 yoga-related copyrights, 134 patents on yoga accessories and 2,315 yoga trademarks. There’s big money in those pretzel twists and contortions -- $3 billion a year in America alone. It’s a mystery to most Indians that anybody can make that much money from the teaching of a knowledge that is not supposed to be bought or sold like sausages. Should an Indian, in retaliation, patent the Heimlich maneuver, so that he can collect every time a waiter saves a customer from choking on a fishbone?The Indian government is not laughing. It has set up a task force that is cataloging traditional knowledge, including ayurvedic remedies and hundreds of yoga poses, to protect them from being pirated and copyrighted by foreign hucksters. The data will be translated from ancient Sanskrit and Tamil texts, stored digitally and available in five international languages, so that patent offices in other countries can see that yoga didn’t originate in a San Francisco commune. It is worth noting that the people in the forefront of the patenting of traditional Indian wisdom are Indians, mostly overseas. We know a business opportunity when we see one and have exported generations of gurus skilled in peddling enlightenment for a buck. The two scientists in Mississippi who patented the medicinal use of turmeric, a traditional Indian spice, are Indians. So is the strapping Bikram Choudhury, founder of Bikram Yoga, who has copyrighted his method of teaching yoga -- a sequence of 26 poses in an overheated room -- and whose lawyers sent out threatening notices to small yoga studios that he claimed violated his copyright. But as an Indian, he ought to know that the very idea of patenting knowledge is a gross violation of the tradition of yoga. In Sanskrit, “yoga” means “union.” Indians believe in a universal mind -- brahman -- of which we are all a part, and which ponders eternally. Everyone has access to this knowledge. There is a line in the Hindu scriptures: “Let good knowledge come to us from all sides.” There is no follow-up that adds, “And let us pay royalties for it.” [snip] Drugs and hatha yoga have the same aim: to help us lead healthier lives. India has given the world yoga for free. No wonder so many in the country feel that the world should return the favor by making lifesaving drugs available at reduced prices, or at least letting Indian companies make cheap generics. If padmasana -- a k a the lotus position -- belongs to all mankind, so should the formula for Gleevec, the leukemia drug over whose patent a Swiss pharmaceuticals company is suing the Indian government. But the drug companies are playing rough. Abbott, based in Chicago, has decided to sell no new medicines in Thailand, in retaliation for that country’s producing generic versions of three lifesaving drugs. For decades, Indian law allowed its pharmaceutical companies to replicate Western-patented drugs and sell them at a lower price to countries too poor to afford them otherwise. In this way, India supplied half of the drugs used by H.I.V.-positive people in the developing world. But in March 2005, the Indian Parliament, under pressure to bring the country into compliance with the World Trade Organization’s regulations on intellectual property, passed a bill declaring it illegal to make generic copies of patented drugs. This has put life-saving antiretroviral medications out of reach of many of the nearly 6 million Indians who have AIDS. And yet, the very international drug companies that so fiercely protect their patents oppose India’s attempts to amend World Trade Organization rules to protect its traditional remedies. There’s more at stake than just the money involved in the commercial exploitation of traditional knowledge. There is also the perception that the world trading system is unfair, that the deck is stacked against developing countries. Unless the World Trade Organization and developed countries correct this, the entire project of globalization is at risk. If the copying of Western drugs is illegal, so should be the patenting of yoga. It is also intellectual piracy, stood on its head.

POLICE USE CELL PHONE-TRACKING TECHNOLOGY TO FIND HEART TRANSPLANT PATIENT (FindLaw, 8 May 2007) -- Pennsylvania Police located a 10-year-old boy awaiting a heart transplant by using global-positioning technology to find his mother’s cell phone, a technique usually used to locate criminals. John Paul May, of Harrisville, had the successful surgery at Children’s Hospital of Pittsburgh on Saturday night, but came dangerously close to being passed over for the donor heart until police tracked down the boy and his mother at a university jazz festival. The hospital called state police Saturday afternoon because officials could not reach May’s parents to let them know a donor heart had been found. When police could not find the boy or reach him by phone, they contacted the cell phone company Sprint to get the coordinates of his mother’s cell phone. “The only time you can use it is life or death, or to track someone wanted in a homicide,” state police Cpl. James Green said. Otherwise, police must get a warrant from a judge. Using the coordinates, state police tracked the phone to a Slippery Rock University building. Police stopped the jazz concert that was happening and announced they were looking for May and his mother, Sue.

MISSOURI REPORTS COMPUTER BREACH REVEALED OF MORE THAN 22,000 STUDENTS’ PERSONAL INFORMATION (, 8 May 2007) -- A computer hacker accessed the Social Security numbers of more than 22,000 current or former students at the University of Missouri, the second such attack this year, school officials said Tuesday. The FBI is investigating. University officials said campus computer technicians confirmed a breach of a database last week by a user or users whose Internet accounts were traced to China and Australia. The hacker accessed personal information of 22,396 University of Missouri-Columbia students or alumni who also worked at one of the system’s four campuses in St. Louis, Kansas City, Rolla or Columbia in 2004. The hacker obtained the information through a Web page used to make queries about the status of trouble reports to the university’s computer help desk, which is based in Columbia. The information had been compiled for a report, but the data had not been removed from the computer system. In January, a hacker obtained the Social Security numbers of 1,220 university researchers, as well as personal passwords of as many as 2,500 people who used an online grant application system.

INCLUSIVITY OR TOKENISM? (InsideHigherEd, 10 May 2007) -- The proposed panel seemed like a perfect pitch at a time when scholars in many fields are studying postcolonial identity and diaspora communities. The idea was to have scholars who study different regions and time periods examine issues of collective memory and identity in post-World War II Germany, modern Pakistan, and Japanese diaspora communities. The program committee for the next annual meeting for the American Historical Association liked the idea, too. There was just one little problem: The scholars involved are all men. “Since the AHA has a standing commitment to gender diversity on panels, the Program Committee has decided to require you to find a female participant, perhaps to serve as chair or a second commentator for your session,” said the notification the panel organizer received. Unless an acceptable additional participant is added, “we will be forced to reject your panel.” The response stunned Manan Ahmed, the organizer, who is preparing for his dissertation defense at the University of Chicago. After venting via e-mail with colleagues and joking about proposing that the panelists all appear in drag, he decided to go public with concerns about the AHA’s policy and blogged about it on Cliopatria. In his post, he said that he didn’t know what to do because he thought it would be insulting to ask a woman to join the panel just because she is a woman. Ahmed and his fellow panelists have been rescued. Rebecca A. Goetz, an assistant professor of history at Rice University, is a specialist on early North American history. She wouldn’t normally have put herself forward for the panel, but since it appeared that there was only one relevant qualification (in the eyes of the AHA), and she admires the work of the scholars who might otherwise be shut out of the meeting, she has become the chair of the panel. Ahmed said that he’s a fan of Goetz’s work, too, and has no doubt that she’ll offer some great insights, but when he sent in her name to the AHA, he just gave her name and institutional affiliation -- not including any explanation of how her work would fit into the theme of the panel (the kind of explanation provided about the other panelists). No matter -- the name “Rebecca” did the trick and the panel was immediately approved, no questions asked. While Goetz is happy to help out fellow historians, she’s more than a little annoyed about the historians’ policy -- about which she previously had no idea. “It’s offensive because it installs a woman simply for the sake of having a woman on the panel,” she writes on her blog, Historianess.

CT RULES WEBSITE INTERACTIVITY IRRELEVANT FOR JURISDICTION (BNA’s Internet Law News, 10 May 2007) -- BNA’s Electronic Commerce & Law Report reports that an Illinois court has ruled that an interactive Web page offering out-of-state visitors the ability to set up an appointment and submit comments is merely an advertisement and will not support, consistently with due process, the assertion of general jurisdiction in forums where the Web site is viewed. The court rejected the sliding-scale approach established in Zippo. Case name is Howard v. Missouri Bone and Joint Ctr.

SUIT TARGETS YAHOO! FOR ACTIONS IN CHINA, USING AMERICAN LAW FROM 1789 (Steptoe & Johnson’s E-Commerce Law Week, 10 May 2007) -- What would the Founding Fathers have thought about tech companies’ alleged cooperation with Chinese censors? Thanks to a recent lawsuit invoking the 218-year-old Alien Tort Statute (ATS), the question is no longer academic. Last month, with the help of a U.S. human rights group, Chinese political prisoner Wang Xiaoning, his wife, and additional yet-to-be-identified individuals filed suit against Yahoo! and its Chinese subsidiaries and business partner in a federal court in California. Plaintiffs contend that, by allegedly voluntarily providing Chinese authorities with identifying information about plaintiffs and their communications, the defendants knowingly “aided and abetted” the Chinese government’s detention, torture, and mistreatment of Xiaoning and others. Plaintiffs allege that the defendants thereby contravened the Torture Victim Protection Act, the Electronic Communications Privacy Act, and California law. They also claim that the defendants are liable for violations of international law under the ATS, which grants U.S. courts jurisdiction over “any civil action by an alien for a tort only, committed in violation of the law of nations or a treaty of the United States.” Companies that operate abroad should watch this case closely, since a broad application of the ATS or one of the other laws at issue could significantly increase their risk of liability for cooperating with foreign law enforcement or security agencies.

JUDGES RULE ON HARD-TO-DISCOVER DATA (, 10 May 2007) -- Federal judges have published opinions for more than 50 e-discovery disputes since the landmark amendments to the Federal Rules of Civil Procedure governing the discovery of electronically stored information went into effect on Dec. 1, 2006. These cases give -- in almost real time -- valuable insight into how judges are interpreting the amendments. These cases provide direction on how to handle the identification, preservation, collection, review and production of ESI in litigation going forward. One commentator noted that these district court decisions serve an important role in providing de facto national standards for e-discovery disputes. This article will focus on two such cases, Best Buy Stores L.P. v. Developers Diversified Realty Corp. and Ameriwood Industries Inc. v. Liberman. These cases tackle a recurring problem -- the discovery of information stored on computer systems and sources that aren’t reasonably accessible. These difficult-to-access sources include backup tapes used for disaster recovery that aren’t catalogued or indexed and legacy data from systems that are currently unreadable. These sources may contain information responsive to a particular discovery request, but it would take considerable time and money to access, cull or produce data from them. ….

FRANCE SLAPS TYCO ON THE WRIST FOR DATA PROTECTION DECEPTION (Steptoe & Johnson’s E-Commerce Law Week, 10 May 2007) -- Multinational countries spend an increasing amount of time worrying about data protection compliance, and this is indeed an important issue. However, enforcement reality does not necessarily match the level of compliance concern. This is well-illustrated by a recent enforcement action against Tyco Healthcare France (“Tyco”) by French data protection authority the Commission Nationale de l’Informatique et des Libert├ęs (“CNIL”). The CNIL’s enforcement action followed a troubling tale of missteps by Tyco which culminated in an enforcement decision in December 2006, but which was only announced in mid-April this year. Although Tyco made some arguments defending its conduct, the CNIL concluded that “Tyco Healthcare France has clearly not understood the gravity of the failures of which it is accused concerning its lack of cooperation and transparency.” As a result, the CNIL decided to fine Tyco … sit down and hold onto your chair … the princely sum of €30,000. This has to be regarded as a slap on the wrist in the global scheme of regulatory enforcement. And it is reportedly only the second fine that the CNIL has ever issued for breach of French data protection laws.

BUSH’S PRIVACY BOARD NOT DOING ITS JOB? (Washington Post, 10 May 2007) -- The leaders of the Sept. 11 commission say a White House privacy board is not protecting civil liberties because it refuses to investigate allegations of illegal detention at Guantanamo Bay. “We urge they revisit the definition of their mission to include issues relating to the treatment of detainees,” former Rep. Lee Hamilton, D-Ind., said in a telephone interview Thursday. He and former New Jersey Gov. Tom Kean sent a pointed letter to the board this week outlining their concerns. “If they continue to hold to their position, we don’t think they’re doing their job,” Hamilton said. Mark Robbins, the board’s executive director, said board members had received the letter and would respond. The five-member White House privacy board began its work in March 2006 after a recommendation by the Sept. 11 commission. Last month, the board put out a 49-page annual report to Congress where it spelled out its mission and preliminary findings. Some of those conclusions are questionable and need fuller explanation, the Sept. 11 commission leaders wrote after reading the report. They cited the board’s assertion it had no power to review the Bush administration’s plans to limit lawyers’ access to nearly 400 detainees deemed as “enemy combatants” at Guantanamo Bay, as well as allegations of torture and coercive interrogation at the Cuba facility, because the incidents were not taking place on U.S. soil. The American Bar Association has criticized “arbitrary restrictions concerning the number of times and the ways that lawyers may confer with their clients in Guantanamo.” The limits would threaten competent representation without at all advancing national security, according to the lawyers’ group. “We cannot speak to an audience, foreign or domestic, on the question of civil liberties without the topic of Guantanamo coming up,” Hamilton said. “To ignore those and say they are not within the mandate is a too restrictive reading.” Also troubling was the board’s conclusion that two of the administration’s most controversial surveillance programs _ electronic eavesdropping and financial tracking _ do not violate citizens’ civil liberties, the commission leaders said. Hamilton and Kean also said they want to know more about the board’s efforts to review the FBI’s use of national security letters. Earlier this year, a lengthy audit by the Justice Department’s inspector general found that agents sometimes demanded personal data on people without official authorization.

IT’S NO SECRET: CODE STIRS UP A WEB STORM (ABA Journal, 11 May 2007) -- For most readers, the series of 32 numbers and letters means nothing. But for savvy Internet users, the sequence represents a chance to copy protected DVDs and virtually thumb their noses at various entertainment conglomerates. The secret code, when paired with specific software, overwrites copy protection on Blu-ray and high-definition DVDs. The code showed up on various Web pages earlier this year, which prompted cease-and-desist notices from the Advanced Access Content System, a trade group comprised of corporations such as Sony, Warner Brothers and IBM. Many sites removed the code, including, a user-submitted news site. However, some of those users were not pleased, and large numbers of them reposted the code every time it was taken down. So after a few days, the San Francisco-based Web company changed its decision and stopped policing for the sequence. did not respond to a request for interview. According to Charles S. Sims, a New York City lawyer who represents AACS, his client is hopeful the site will again comply with its demand. “Almost everyone we contacted has complied,” Sims says. Others aren’t so sure that would have any effect. Besides posting the code outright, some individuals have written songs that incorporate the code; one such work can be viewed on YouTube. T-shirts imprinted with the code are also available, and on one Web page’s comments section, someone has offered $50 to anyone who tattoos the sequence on his or her body. “People are getting creative. It shows the futility of trying to stop this,” says Douglas J. Sorocco, an intellectual property lawyer in Oklahoma City. “Once the information is out there, cease-and-desist letters are going to infuriate this community more.” And the Web site operator usually plays ball.’s response, copyright and intellectual property lawyers say, makes the situation a first of sorts. Indeed, some were not sure how the law would cover what happened. Under the federal Digital Millennium Copyright Act, it’s unlawful to circumvent technology designed to protect copyrighted work. But the statute also provides a safe harbor for Web site operators in section 512 (c), when users make questionable posts. “What’s unclear is whether the cease-and-desist notice was sent under 512 or some other rubric we don’t know about, and whether, by refusing to honor the notice, lost its eligibility to be protected by safe harbors,” says Eric Goldman, an assistant professor at the Santa Clara University School of Law and director of the school’s High Tech Law Institute. He also mentions another federal statute, passed in 1996, that provides expansive safe harbor from liability for third-party content. The statute, 47 USC § 230, holds that--providing the post in question doesn’t involve intellectual property--online providers can respond to a complaint however it wants. So if the secret code is not intellectual property, Goldman says, has no liability. But he stresses that continuing to allow the code posts is risky. “It may have been the only decision available to them,” he adds. “They were caught between one angry intellectual property owner and thousands of angry individual power users.” YouTube display at T-Shirt site at; there, the code appears quite plainly.

MIXING IP WITH MMMMMM (ABA Journal, 11 May 2007) -- There’s a multipage nondisclosure agreement that visitors must sign before they’re allowed in the kitchen at Moto restaurant in Chicago. And some of the food prepared by executive chef Homaro Cantu is served with a copyright notice. Cantu is part culinary pioneer, part prolific inventor--which makes him an intellectual property attorney’s dream client. What worries Cantu most, he says, isn’t chefs or individual diners trying to re-create his signature preparation and presentation. It’s corporations capitalizing on his gastronomic inventions and restaurant management methods without authorization. Hence Cantu’s close relationship with his lawyer, Charles C. Valauskas. The two frequently talk and meet for meals to make sure no opportunity is missed to patent, copyright, trademark or otherwise protect Cantu’s creations from would-be business buccaneers. “He’s got a large intellectual property portfolio, and we talk on a very, very regular basis,” says Valauskas, a principal in the three-lawyer IP boutique Valauskas & Pine in Chicago. “It’s listening to what the new inventions are; it’s strategizing what’s the best way to protect the new techniques.” It would be standard practice, for instance, for an IP attorney to file a patent application once a client has completed a new invention. But because Valauskas and Cantu are in such regular contact, Valauskas can follow Cantu’s ideas as they develop. “We stay on top of that,” Valauskas says, “and we continue to file as he continues to refine his invention.” Those inventions include the whimsical--a spiral-handled fork designed to hold a sprig of basil that adds an aromatic element to each bite of food taken from the business end of the utensil--as well as high-tech business management tools. One of those tools involves a camera set unobtrusively into an upper wall of Moto. The camera is linked to a computer, allowing staff to track important aspects of the restaurant’s operation. The system can warn when usage rates threaten to deplete supplies, notify the kitchen when a diner leaves for the restroom so the chefs can adjust the spacing of their preparations, and anticipate orders from regular customers. And it’s all linked to Cantu’s cell phone so he can be in the loop even when he’s not in the building. Then there’s Cantu’s celebrated edible paper--a soybean and cornstarch concoction that can be imprinted with virtually any image and any flavor. The chef prints his menu on it (along with a copyright notice), and when diners are finished ordering, they can eat it. In addition to the copyright, Valauskas has filed a patent application on the process Cantu uses to create the paper.

ONLINE ADS VS. PRIVACY (New York Times, 12 May 2007) -- For advertisers, and in many ways for consumers, online advertising is a blessing. Customized messages rescue advertisers from the broad reach of traditional media. And consumers can learn about products and services that appeal directly to them. But there are huge costs, and many dangers, warns Jennifer Granick, the executive director for the Stanford Law School Center for Internet and Society. To approach individuals with customized advertising, you have to know who they are. Or at least, you have to gather enough personal information about them that their identity could be easily figured out. This has been an issue for a long time, of course, but as technology has improved and sources of data have multiplied, the problem has, in the eyes of many privacy advocates, reached a tipping point. Last fall, Ms. Granick notes, the Center for Digital Democracy filed a complaint with the Federal Trade Commission calling for “injunctive relief” and detailing how the combination of user profiling, data mining and targeted advertising threaten privacy. That group’s executive director, Jeff Chester, faced off with Mike Zaneis, the Interactive Advertising Bureau’s vice president for public policy, last week at the Computers, Freedom and Privacy conference in Montreal ( Mr. Chester, she reported, argued that the information collected by many Web sites -- browsing histories, search histories, wish lists, preferences, purchase histories -- is amassed and manipulated in ways consumers never know about. And they often collect Internet Protocol addresses, which usually can be easily traced to individual users. “They don’t need to know your name to know who you are,” Mr. Chester said. Mr. Zaneis * * * “stressed that profiling does not capture” personally identifiable information. Even if that is true, people like Kaliya Hamlin still say that collecting data about the online activities of individuals can amount to an invasion of privacy. Ms. Hamlin, known as The Identity Woman, is a privacy advocate and consultant. “My clickstream data is sensitive information,” she told Mr. Zaneis, “and it belongs to me.” On her blog, though, Ms. Hamlin wrote that she found the whole affair frustrating. It was, she wrote, the “angry, progressive anticonsumer guy vs. the super-corporate marketing guy.” The answers, she wrote, lie somewhere between those positions. “The ‘activist types’ tend to deny that we are people who actually might want to buy things in a marketplace,” she wrote. “The ‘corporate types’ tend to think that we always want to have ‘advertising’ presented to us at all times of day or night because we ‘want it.’ Neither view is really right.” Her solution is essentially to give consumers ownership of their data and the power to decide whether or not to share it with marketers (

MICROSOFT SAYS OPEN SOURCE VIOLATES 235 PATENTS (CNET, 13 May 2007) -- In an interview with Fortune, Microsoft top lawyer Brad Smith alleges that the Linux kernel violates 42 Microsoft patents, while its user interface and other design elements infringe on a further 65. is accused of infringing 45, along with 83 more in other free and open-source programs, according to Fortune. It is not entirely clear how Microsoft might proceed in enforcing these patents, but the company has been encouraging large tech companies that depend on Linux to ink patent deals, starting with its controversial pact with Novell last November. Microsoft has also cited Linux protection playing a role in recent patent swap deals with Samsung and Fuji Xero. xMicrosoft has also had discussions but not reached a deal with Red Hat, as noted in the Fortune article. Microsoft CEO Steve Ballmer is also quoted in the article as saying Microsoft’s open-source competitors need to “play by the same rules as the rest of the business.”

TEXAS MULLS BILL THAT WOULD MAKE PCI REQUIREMENTS A STATE LAW (Computerworld, 14 May 2007) -- Retailers and other entities accepting credit and debit card transactions in Texas may soon have a powerful new incentive for complying with the Payment Card Industry (PCI) data security standard mandated by the major credit card companies. The state’s House of Representatives last week voted 139-0 in favor of a bill that would formally codify PCI requirements into a state law that merchants would be obliged to comply with if passed. Under HB 3222 a breached entity will have to reimburse banks and credit unions the cost associated with blocking and reissuing cards if the merchant was not PCI compliant at the time of the compromise. It also provides a safe harbor against such liability for companies who are PCI compliant and get breached. The proposal needs to win approval in the state Senate before it becomes law. Minnesota adopts similar law:

WHY DOES GOOGLE RETAIN DATA? BECAUSE NONEXISTENT LAWS TELL IT TO (ArsTechnica, 14 May 2007) -- Google wants to know what you search for, and plenty of people have wondered why. The company’s global privacy counsel, Peter Fleischer, recently posted an explanation to this question of Google’s official blog, and his answers are quite simple: logging leads to better search, less fraud, and government compliance. Nothing evil about that, is there? Two months ago, Google announced a plan to anonymize its logs, but only after retaining the data for 18 to 24 months. After that time, user searches will still be stored, but it should be impossible to link search queries up with individual users. Of course, this is what AOL researchers thought when they released their own search logs, but queries often turn out to be highly specific things... the sort of things that can eventually be used to identify individuals. Commentators generally praised Google for at least taking steps to safeguard the privacy of information, but others wondered why Google truly needed to retain this information at all. According to Fleischer, log data is used to improve core Google search services, including the spell check component. “Google’s spell checking software automatically looks at your query and checks to see if you are using the most common version of a word’s spelling,” Fleischer says. “If it calculates that you’re likely to generate more relevant search results with an alternative spelling, it will ask ‘Did you mean: (more common spelling)?’ We can offer this service by looking at spelling corrections that people do or do not click on. Similarly, with logs, we can improve our search results: if we know that people are clicking on the #1 result we’re doing something right, and if they’re hitting next page or reformulating their query, we’re doing something wrong.” Sounds good--though it’s not clear why this couldn’t be done just as well with anonymous data. The company also uses the information to deal with fraud and abuse. “Immediate deletion of IP addresses from our logs would make our systems more vulnerable to security attacks, putting the personal data of our users at greater risk,” says Fleischer. “Historical logs information can also be a useful tool to help us detect and prevent phishing, scripting attacks, and spam, including query click spam and ads click spam.” But when it comes to the issue of government compliance, the argument gets less straightforward. Fleischer claims that retaining personal data for two years is necessary because of European and US data protection laws, even though those laws do not yet exist. The EU’s Data Retention Directive was passed in late 2005 but has yet to be implemented by the various member states (which have until 2009). The law requires each country in the EU to adopt a retention requirement of between six and 24 months. “Since these laws do not yet exist, and are only now being proposed and debated,” Fleischer says, “it is too early to know the final retention time periods, the jurisdictional impact, and the scope of applicability. It’s therefore too early to state whether such laws would apply to particular Google services, and if so, which ones.” Even though the laws are not yet in force in Europe and won’t apply retroactively, Google still uses the law as an argument to retain data now, and to do so for the longest possible period the law provides for. In the US, no general data retention laws have been passed, though the government has mooted numerous proposals for a two-year retention requirement to combat child pornography and other ills. Fleischer suggests that Google’s behavior is proper because the government has simply “called for 24-month data retention laws.”

-- and --

EU PROBES GOOGLE GRIP ON DATA (FT, 24 May 2007) -- European data protection officials have raised concerns that Google could be contravening European privacy laws by keeping data on internet searches for too long. The Article 29 working party, a group of national officials that advises the European Union on privacy policy, sent a letter to Google last week asking the company to justify its policy of keeping information on individuals’ internet searches for up to two years. The letter questioned whether Google had “fulfilled all the necessary requirements” on data protection. The data kept by Google includes the search term typed in, the address of the internet server and occasionally more personal information contained on “cookies”, or identifier programs, on an individual’s computer. This is separate to the personal information Google has begun collecting over the past two years from people who give the group explicit permission to do so. Standard search information is kept about everyone who uses the search engine, and privacy groups are concerned that even this ostensibly non-personal data can be used to identify individuals and create profiles of their political opinions, religious beliefs and sexual preferences. Google previously kept such data indefinitely, but in March announced it would limit the storage time to two years, in an attempt to assuage concerns. But many members of the working party feel that even two years is too long to keep data, and the group has asked Google to justify its policy.

-- and --

SPYING ON THE HOME FRONT -- (PBS’s FRONTLINE, 15 May 2007) -- “So many people in America think this does not affect them. They’ve been convinced that these programs are only targeted at suspected terrorists. … I think that’s wrong. … Our programs are not perfect, and it is inevitable that totally innocent Americans are going to be affected by these programs,” former CIA Assistant General Counsel Suzanne Spaulding tells FRONTLINE correspondent Hedrick Smith in Spying on the Home Front. [View the report at]

WEB SITE IS HELD LIABLE FOR SOME USER POSTINGS (New York Times, 16 May 2007) -- A Web site that matches roommates may be liable for what its users say about their preferences, a fractured three-judge panel of the federal appeals court in San Francisco ruled yesterday. The suit was brought by two California fair housing groups that objected to postings on the matching service, The groups said the site violated the Fair Housing Act by allowing and encouraging its users to post notices expressing preferences for roommates based on sex, race, religion and sexual orientation. The ruling knocked down the main defense of the site. In 1996, Congress granted immunity to Internet service providers for transmitting unlawful materials supplied by others. Most courts have interpreted the scope of that immunity broadly. Though their rationales varied, all three judges in the decision yesterday agreed that the site could be held liable for soliciting information from users through a series of menus about themselves and their preferred roommates and for posting and distributing profiles created from the menus. The choices on the menus included gender, sexual orientation and whether children were involved. Because created the menus, the court ruled, it cannot claim immunity under the 1996 law, the Communications Decency Act. But Judges Alex Kozinski and Sandra S. Ikuta ruled that postings from users in a part of their profile designated “additional comments” could not subject the site to liability because it was essentially uninvolved in creating them. Judge Stephen Reinhardt dissented on that point, citing examples (“must be a black gay male”) and saying the entire site was “an integral part of one package.” The court, the United States Court of Appeals for the Ninth Circuit, sent the case back to a trial judge for a determination of whether the site had violated the Fair Housing Act, which forbids publishing real estate notices indicating preferences based on race, religion, sex or familial status. The three judges each wrote separately, and piecing together the reasoning for the decision was difficult, said Eric Goldman, a law professor at Santa Clara University. Still, Professor Goldman said, the decision represented a fundamental shift. “To date,” he said, “The law has been almost uniform that a Web site isn’t liable for what its users say. The problem here is that the Web site offered up choices for users to structure their remarks. That creates a hole plaintiffs can exploit.” ABA Journal story (25 May 2007) at

TJX BREACH-RELATED EXPENSES: $17M AND COUNTING (Computerworld, 15 May 2007) -- The TJX Companies Inc. today announced that it took a $12 million after-tax charge for the quarter ending April 28 in connection with the massive data breach it disclosed in January. The charge of 3 cents per share included the costs involved in investigating and containing the intrusion, beefing up computer security, communicating with customers, and various legal and other fees, the company said in its first quarter earnings statement. The company expects to incur a similar charge of 2 cents to 3 cents per share in the second quarter, as well, TJX said. It also warned investors of even more potential costs down the road. “TJX does not yet have enough information to reasonably estimate the losses it may incur arising from this intrusion, including exposure to payment card companies and banks, exposure in various legal proceedings that are pending or may arise, and related fees and expenses, and other potential liabilities and other costs and expenses,” TJX said in its statement. The Framingham, Mass.-based TJX owns several retail brands, including T.J.Maxx, Marshalls and Bob’s Stores. In January, the company announced that someone had broken into its payment systems and illegally accessed card data belonging to customers in the U.S., Canada, Puerto Rico, the U.K. and Ireland. In filings with the U.S. Securities and Exchange Commission in March, the company said 45.6 million credit and debit card numbers were stolen over a period of more than 18 months by an unknown number of intruders. That number eclipsed the 40 million records compromised in a mid-2005 breach at CardSystems Solutions Inc. and made the TJX compromise the worst ever in terms of the loss of payment card data. The $12 million charge comes on top of the $5 million in breach-related costs cited by TJX in the previous quarter. And that may just be the tip of the iceberg, said Khalid Kark, an analyst at Forrester Research Inc. in Cambridge, Mass., who released a report last month on all the factors that need to be included when totaling data breach costs. Apart from direct expenses related to breach discovery, response and notification, companies also incur a variety of other costs such as those stemming from regulatory fines, lawsuits, and additional security and audit requirements. Several lawsuits have already been filed against TJX, including one by the Massachusetts Bankers Association seeking tens of millions in restitution for banks that were forced to block and reissue thousands of debit cards following the breach. There are also somewhat less tangible costs such as lost employee productivity and opportunity costs that need to be factored in, Kark said. The expenses disclosed by TJX could be “just a fraction” of what the breach could eventually end up costing the company. “This is something that is going to play out over years,” he said. [Editor: studies suggest that every dollar spent on preparation and planning saves $9 in remediation costs. If security breaches are like hard-disk crashes (everyboy’s gonna have one), many should be doing more.]

-- and --

INFORMATION SECURITY FOR LAW FIRMS (Your ABA, 22 May 2007) -- Failure to implement adequate security measures can come with a price tag that few law firms can pay. At $182 per compromised record, or an average of $4.8 million per breach, why has the legal industry been one of the slowest to implement incident response plans? This question is especially pertinent since law firms are required ethically to maintain the confidentiality of client data. “Information Security for the Small- and Medium-Sized Law Firm,” a recent CLE teleconference sponsored by the Section of Science and Technology, Law Practice Management Section and the ABA Center for Continuing Legal Education explored data security through various case studies. Although a lack of statistics regarding information security in law firms makes it difficult to pinpoint surefire solutions, the expert panel provided suggestions that can help firms reduce the vulnerability of their confidential information. Protecting a client’s confidential information can include steps as simple as resetting default passwords on newly purchased hardware and software. People often fail to change passwords and other factory-set settings, leading to a critical oversight, according to John W. Simek, vice president of Sensei Enterprises and certified forensic technologist. He also suggests regularly updating a firm’s computer system with security patches, which are usually available for download at the manufacturer’s Web site. Providing firm employees with proper training is another critical step that is often overlooked as well. Without training, employees are more likely to trust e-mail messages, going so far as to click links provided in unidentified e-mails. Employees who lack training in technology issues are also likely to visit Web sites that are not secure, increasing the likelihood of outsiders gaining unwanted access to confidential files.

COURT RULES GOOGLE SEARCH SMALL IMAGES ARE `FAIR USE’ (, 17 May 2007) -- A federal appeals court Wednesday said Google does not infringe the copyrights of adult entertainment company Perfect 10 by displaying small versions of its images in search results. But the 9th U.S. Circuit Court of Appeals said a lower court should reconsider whether Google helps violate copyrights by pointing people to sites that display unauthorized photos. A U.S. District Court judge last year issued a preliminary injunction against Google, finding that Perfect 10 had submitted enough evidence to suggest the search engine directly violated copyrights by displaying the small image, known as a “thumbnail,” even though the full-size image was on a third party’s Web site. But the judge said Google could not be held liable for the actions of a user who clicks on the thumbnail and is directed to a site that contains illegal copies of Perfect 10’s photos. A three-judge panel of the 9th Circuit essentially flipped the earlier ruling. The panel said the lower court erred in granting the preliminary injunction, saying that the display of a thumbnail could be considered “fair use” under copyright law. Still, the panel said the lower court should not have rejected Perfect 10’s claim that search engines can be held liable when they act as the middleman between a Web searcher and a Web site that contains illegal copies. SUMMARY OF PERFECT 10 DECISION (Eric Goldman’s Technology & Marketing Law Blog, article by John Ottaviani, 16 May 2007) -- at; Court’s decision at

MAGISTRATE RULES TRADEMARKS IN METADATA NOT USE IN COMMERCE (BNA’s Internet Law News, 17 May 2007) -- BNA’s Electronic Commerce & Law Report reports that a magistrate judge in New York has ruled that there is no “use in commerce” of trademarks employed only in Web site metatags and search terms on advertising site. The magistrate follows Second Circuit precedent to hold that a trademark use occurs only when the mark is visibly placed on the goods or in advertisements, or when it is used in a way that indicates source or origin. Case name is Site Pro-1 Inc. v. Better Metal LLC.

PUBLIC ACCESS GROUP DEFIES COPYRIGHT TO POST SMITHSONIAN IMAGES ONLINE (, 18 May 2007) -- Grabbing pictures of iconic Smithsonian Institution artifacts just got a whole lot easier. Before, if you wanted to get a picture of the Wright Brothers’ plane, you could go to the Smithsonian Images website and pay for a print or high-resolution image after clicking through several warnings about copyrights and other restrictions - and only if you were a student, teacher or pledging not to use it to make money. Now, you can just go to the free photo-sharing website A nonprofit group is challenging the copyrights and restrictions on images being sold by the Smithsonian. But instead of going to court, the group downloaded all 6,288 photos online and posted them Wednesday night on the free Internet site. “I don’t care if they sell the photos, but then once they sell it, they can’t say you can’t reuse this photo,” said Carl Malamud, co-founder of the group Public.Resource.Org, advocates for posting more government information online. “You’re not allowed to chill debate by telling people they can’t use something because it’s under copyright when that’s not true.” Most images the Smithsonian is selling, including photos of artifacts and historic figures, are not protected by copyright, Malamud said. But the Smithsonian site carries copyright notices and other warnings that would discourage most people from using historic images that should be publicly available, he said.

THE IMPENDING INTERNET ADDRESS SHORTAGE (Information Week, 21 May 2007) -- The coming shortage of Internet Protocol addresses on Monday prompted the American Registry for Internet Numbers (ARIN) to call for a faster migration to the new Internet Protocol, IPv6. The current version of the Internet Protocol, IPv4, allows for over 4 billion (2^32) Internet addresses. Only 19% of the IPv4 address space remains. Somewhere around 2012-2013, the last Internet address bloc will be assigned and the Internet will be full, in a manner of speaking. “We must prepare for IPv4’s depletion, and ARIN’s resolution to encourage that migration to IPv6 may be the impetus for more organizations to start the planning process,” said John Curran, chairman of ARIN’s Board of Trustees, in a statement. IPv6 promises some 16 billion-billion possible addresses (2^128). “Unless action is taken now, a quiet technical crisis will occur, not unlike Y2K in its complications, but without a fixed date or high level public attention,” wrote Stephen M. Ryan, a partner at McDermott Will & Emery LLP and ARIN general counsel, and Raymond A. Plzak, CEO and president of ARIN, in a forthcoming policy paper.;_ylt=AoNYZm.qEd3Svs322Gk8grME1vAI

DHS SEEKS RESEARCH ON NINE CYBERSECURITY AREAS (, 21 May 2007) -- The Homeland Security Department is initiating an ambitious Cyber Security Research Development Center program that entails soliciting input from industry, government labs and academia on how to protect data against the latest threats and intrusions. The Science and Technology Directorate published a 43-page agency announcement seeking white papers on topics such as botnet and malware protection, composable and scaleable systems, cybermetrics, data visualization, routing security, process control security, real-time assessment, data anonymization, and insider threat detection and management. White papers on technologies to address the threats and strengthen protections are due June 27. Final proposals will be due Sept. 17. The directorate will award up to $4.5 million for research related to technologies proposing solutions in nine topic areas. Directorate announcement at

WEB SITES LISTING INFORMANTS CONCERN JUSTICE DEPT. (New York Times, 22 May 2007) -- There are three “rats of the week” on the home page of, a Web site devoted to exposing the identities of witnesses cooperating with the government. The site posts their names and mug shots, along with court documents detailing what they have agreed to do in exchange for lenient sentences. Last week, for instance, the site featured a Florida man who agreed in September to plead guilty to cocaine possession but not gun charges in exchange for his commitment to work “in an undercover role to contact and negotiate with sources of controlled substances.” The site says it has identified 4,300 informers and 400 undercover agents, many of them from documents obtained from court files available on the Internet. Federal prosecutors are furious, and the Justice Department has begun urging the federal courts to make fundamental changes in public access to electronic court files by removing all plea agreements from them -- whether involving cooperating witnesses or not. “We are witnessing the rise of a new cottage industry engaged in republishing court filings about cooperators on Web sites such as for the clear purpose of witness intimidation, retaliation and harassment,” a Justice Department official wrote in a December letter to the Judicial Conference of the United States, the administrative and policy-making body of the federal court system. In one case described in the letter, a witness in Philadelphia was moved and the F.B.I. was asked to investigate after material from was mailed to his neighbors and posted on utility poles and cars in the area. The federal court in Miami has provisionally adopted the department’s recommendation to remove plea agreements from electronic files, and other courts are considering it and experimenting with alternative approaches. Judge John R. Tunheim, a federal judge in Minneapolis and the chairman of a Judicial Conference committee studying the issue, acknowledged the gravity of the safety threat posed by the Web sites but said it would be better addressed through case-by-case actions. “We are getting a pretty significant push from the Justice Department to take plea agreements off the electronic file entirely,” Judge Tunheim said. “But it is important to have our files accessible. I really do not want to see a situation in which plea agreements are routinely sealed or kept out of the electronic record.” Judge Tunheim said his committee was working on recommendations for a nationwide approach to the issue. He said he favored putting the details of a witness’s cooperation into a separate document and sealing only that document, or withholding it from the court file entirely. For those who want to read the details on cooperating witnesses, charges between $7.99 for a week and $89.99 for life. Defense lawyers are, in fact, hungry for any information about the nature of the case against their clients. “The more information out there, the easier it is for the truth to come out at trial,” said David O. Markus, a criminal defense lawyer in Miami. Defendants who choose to go to trial will, of course, eventually learn the identities of the witnesses who testify against them. But the site also discloses the identities of people engaged in undercover operations and those whose information is merely used to build a case. The widespread dissemination of informants’ identities, moreover, may subject them to retribution from friends and associates of the defendant. Still, Professor Bowman, an authority on federal sentencing law, said he would hate to see the routine sealing of plea agreements. “It certainly is terribly important for the public ultimately to know who’s flipped,” he said. Professor Bowman added that he was studying the deals prosecutors made in the aftermath of the collapse of Enron, the energy company. “To do that effectively,” he said, “I really need to know who flipped and the nature of their plea agreements.” Most legal experts agreed that is protected by the First Amendment. In 2004, a federal judge in Alabama refused to block a similar site created by a criminal defendant, Leon Carmichael Sr., who has since been convicted of drug trafficking and money laundering.

GOOGLE BANS ESSAY WRITING ADVERTS (BBC, 22 MAY 2007) -- Google is to ban adverts for essay writing services - following claims that plagiarism is threatening the integrity of university degrees. There have been complaints from universities about students being sold customised essays on the internet. The advert ban from the Google search engine has been “warmly welcomed” by university authorities. But it has angered essay writing firms which say this will unfairly punish legitimate businesses. From next month, Google will no longer take adverts from companies which sell essays and dissertations - and the internet company has written to advertisers to tell them about the policy. Google’s forthcoming ban on adverts for “academic paper-writing services and the sale of pre-written essays, theses, and dissertations” means that essay websites join a blacklist of “unacceptable content” including adverts for weapons, prostitution, drugs, tobacco, fake documents and “miracle cures”. The move has been applauded by universities which have struggled with the problem of students dishonestly submitting material copied from the internet. “Making life harder for these cynical web ‘essay mills’ is a step in the right direction,” says Professor Drummond Bone, president of Universities UK.

MICHIGAN MAN DODGES PRISON IN THEFT OF WI-FI (CNET, 22 May 2007) -- A Michigan man who used a coffee shop’s unsecured Wi-Fi to check his e-mail from his car could have faced up to five years in prison, according to local TV station WOOD. But it seems few in the village of Sparta, Mich., were aware that using an unsecured Wi-Fi connection without the owner’s permission--a practice known as piggybacking--was a felony. Each day around lunch time, Sam Peterson would drive to the Union Street Cafe, park his car and--without actually entering the coffee shop--check his e-mail and surf the Net. His ritual raised the suspicions of Police Chief Andrew Milanowski, who approached him and asked what he was doing. Peterson, probably not realizing that his actions constituted a crime, freely admitted what he was doing. “I knew that the Union Street had Wi-Fi. I just went down and checked my e-mail and didn’t see a problem with that,” Peterson told a WOOD reporter. Milanowski didn’t immediately cite or arrest Peterson, mostly because he wasn’t certain a crime had been committed. “I had a feeling a law was being broken,” the chief said. Milanowski did some research and found Michigan’s “Fraudulent access to computers, computer systems, and computer networks” law, a felony punishable by five years in prison and a $10,000 fine. Milanowski, who eventually swore out a warrant for Peterson, doesn’t believe Milanowski knew he was breaking the law. “In my opinion, probably not. Most people probably don’t.” Indeed, neither did Donna May, the owner of the Union Street Cafe. “I didn’t know it was really illegal, either,” she told the TV station. “If he would have come in (to the coffee shop), it would have been fine.” But apparently prosecutors were more than aware of the 1979 law, which was revised in 2000 to include protections for Wi-Fi networks. “This is the first time that we’ve actually charged it,” Kent County Assistant Prosecutor Lynn Hopkins said, adding that “we’d been hoping to dodge this bullet for a while.” [Editor: when I intentionally open my WiFi connection (as I do from time to time), I’m inviting visitors to use it. While my ISP might be unhappy, my actions should constitute an (ex|im)plicit license, no?]

THE MAN WHO OWNS THE INTERNET (, 22 May 2007) -- Kevin Ham leans forward, sits up tall, closes his eyes, and begins to type -- into the air. He’s seated along the rear wall of a packed ballroom in Las Vegas’s Venetian Hotel. Up front, an auctioneer is running through a list of Internet domain names, building excitement the same way he might if vintage cars were on the block. As names come up that interest Ham, he occasionally air-types. It’s the ultimate gut check. Is the name one that people might enter directly into their Web browser, bypassing the search engine box entirely, as Ham wants? Is it better in plural or singular form? If it’s a typo, is it a mistake a lot of people would make? Or does the name, like a stunning beachfront property, just feel like a winner? When Ham wants a domain, he leans over and quietly instructs an associate to bid on his behalf. He likes wedding names, so his guy lifts the white paddle and snags for $10,000. is not nearly as good as the plural, but Ham grabs it anyway, for $350,000. Ham is a devout Christian, and he spends $31,000 to add to his collection, which already includes and When it’s all over, Ham strolls to the table near the exit and writes a check for $650,000. It’s a cheap afternoon. Just a few years ago, most of the guys bidding in this room had never laid eyes on one another. Indeed, they rarely left their home computers. Now they find themselves in a Vegas ballroom surrounded by deep-pocketed bankers, venture-backed startups, and other investors trying to get a piece of the action. And why not? In the past three years alone, the number of dotcom names has soared more than 130 percent to 66 million. Every two seconds, another joins the list. But the big money is in the aftermarket, where the most valuable names -- those that draw thousands of pageviews and throw off steady cash from Google’s and Yahoo’s pay-per-click ads -- are driving prices to dizzying heights. People who had the guts and foresight to sweep up names shed during the dotcom bust are now landlords of some of the most valuable real estate on the Web.

UNPATCHED SYMANTEC FLAW LEADS TO U. OF COLORADO BREACH (Computerworld, 24 May 2007) -- An unpatched flaw in a Symantec Corp. anti-virus management console resulted in the compromise of a server containing the names and Social Security numbers of nearly 45,000 students at the University of Colorado at Boulder. The students, enrolled at the university from 2002 to present, are presently being notified about a potential compromise of their information as a result of the breach, according to a statement posted on the school’s Web site. The breached server belonged to the Academic Advising Center of the University’s College of Arts and Science. According to Dan Jones, director for campus IT security, the intrusion was discovered May 12 by the university’s security staff when the compromised server started scanning other Internet-connected systems, including those on campus, for the same Symantec flaw. The vulnerability in question was a previously disclosed flaw for which Symantec had already issued a patch, but which the Advising Center had not applied.

WHITE HOUSE PUBLISHES BREACH RESPONSE RULES (InfoWorld, 24 May 2007) -- The White House has issued a memo to the heads of all federal government executive departments that establishes new ground rules for responding to potential data incidents and demands that the agencies clean up their information-handling procedures. In the notice -- distributed off the desk of Clay Johnson III, deputy director for management in the White House Office of Management and Budget, on May 22 -- authorities also set forth a requirement for all federal agencies to develop and implement a data breach notification policy within the next 120 days as part of the work of the government’s Identity Theft Task Force. In formulating their respective policies, the White House ordered agencies to review their existing requirements with respect to privacy and security, incident reporting and handling, and external breach notification. The document further requires agencies to develop policies that dictate stricter policies for the types of workers who are given access to sensitive information. Among the most basic advice offered in the executive order is for agencies to:
-Reduce the volume of collected and retained information to the minimum necessary.
-Limit access to sensitive data to only those individuals who must have such access.
-Use encryption and strong authentication procedures.
In his forward to the document, Johnson emphasizes that the requirement should “receive the widest possible distribution” within agencies and that and each affected organization and individual should “understand their specific responsibilities for implementing the procedures and requirements.” OMB memo at

WHEN “YOU’VE GOT MAIL” MEANS “YOU’VE BEEN SERVED” (Steptoe & Johnson’s E-Commerce Law Week, 25 May 2007) -- Following the Ninth Circuit’s watershed decision in Rio Properties, Inc., v. Rio International Interlink (2002), which upheld service by email on a Costa Rican Internet sports gambling organization, federal courts in New York, Tennessee, and West Virginia have authorized service by email on foreign defendants under Federal Rule of Civil Procedure 4(f)(3), which permits service on those outside the United States “by other means not prohibited by international agreement as may be directed by the court.” Most recently, in Williams-Sonoma Inc. v. FriendFinder Inc., a federal court in California held that the plaintiff could serve foreign owners of allegedly infringing websites by email. These cases suggest that, when foreign defendants prove elusive, plaintiffs may be able to use modern communications technologies, such as email, to effect service. Williams-Sonoma case at

**** RESOURCES ****
FRCP AND METADATA: E-DISCOVERY WHITE PAPER (, May 2007) -- Two of the hottest issues in electronic discovery are metadata and the recent amendments to the Federal Rules of Civil Procedure. It’s no surprise that one of the most interesting places in electronic discovery is at the intersection of metadata and the amendments. Workshare, a leading e-discovery and legal discovery vendor, has just released a new white paper called “FRCP and Metadata: Avoiding the Lurking e-Discovery Disaster” that surveys this important territory, with an emphasis on the practical and a focus on the metadata management and preparation needs of organizations. Outside counsel has not taken a leadership role in metadata and EDD preparation and guidance, so it’s incumbent on those charged with dealing with these issues inside organizations to take charge of this issues. The white paper has practical tips, useful charts, and suggested steps you should take. White paper at

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. Edupage,
3. SANS Newsbites,
4. NewsScan and Innovation,
5. Internet Law & Policy Forum,
6. BNA’s Internet Law News,
7. Crypto-Gram,
8. McGuire Wood’s Technology & Business Articles of Note,
9. Steptoe & Johnson’s E-Commerce Law Week,
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.

No comments: