Friday, June 15, 2007

MIRLN -- Misc. IT Related Legal News [27 May - 16 June 2007; v10.08]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of the American Bar Association’s Cyberspace Law Committee and Dickinson Wright PLLC. Dickinson Wright’s IT & Security Law practice group is described at

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley ( with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at and blogged at

**************End of Introductory Note***************

SOFTWARE PROVIDER LIABLE FOR UNAUTHORIZED PRACTICE OF LAW IN NINTH CIRCUIT (Findlaw, May 2007) -- Legal software vendors beware! The Ninth Circuit recently held that a seller of web-based bankruptcy software qualified as a bankruptcy petition preparer and, as such, engaged in fraud and the unauthorized practice of the law. Any provider of software that claims to “know the law” and offers automated form selection should examine this decision closely to make sure their activities are within legal boundaries. The suit, Frankfort Digital Services v. Kistler (In re: Reynoso), arose out of a bankruptcy proceeding, during which the petitioner paid to use browser-based software that prepared his bankruptcy petition based on information he provided. The product’s web site explained that the software would choose which bankruptcy exemptions to apply for and remove any need for the petitioner to individually select which schedule to use for the various pieces of information involved. The court found that several features of the software and how it was presented to users constituted the unauthorized practice of law. First, the vendor advertised itself as offering legal expertise. The software-provider’s web site offered advice on loopholes in the bankruptcy code, compared its services to those of a “top-notch bankruptcy lawyer,” and described the software as an “expert system.” Second, the software provided much more than mere clerical services. The software chose where to place the user’s information, selected which exemptions to claim, and provided the legal citations to back everything up. The court concluded that this level of personal, although automated, guidance amounted to the unauthorized practice of law. The Ninth Circuit specifically limited its holding to the facts of the case, and gave no opinion whether software alone (i.e., without the representations made on the web site) or different types of programs would constitute an unauthorized legal practice.

COURTS GRAPPLE WITH COMPUTER SEARCHES; IS IT A PASSWORD-PROTECTED ‘LOCKED BOX’ OR A SIMPLE CONTAINER? (, 15 May 2007) -- When Ray Andrus’ 91-year-old father gave federal agents permission to search his son’s password-protected computer files and they found child pornography, the case turned a spotlight on how appellate courts grapple with third-party consents to search computers. With an increasing number of criminal cases depending on forensic computer searches, the direction courts ultimately take is likely to affect a wide array of criminal cases, ranging from hacking and piracy to murder investigations, according to Orin Kerr, a George Washington University Law Center professor specializing in computer crime law. The case was a first for the 10th U.S. Circuit Court of Appeals, and only two other circuits have touched on the issue, the 4th and 6th circuits. The 10th Circuit held that although password-protected computers command a high level of privacy, the legitimacy of a search turns on an officer’s belief that the third party had authority to consent. The 10th Circuit’s recent 2-1 decision in U.S. v. Andrus, No. 06-3094 (April 25, 2007), recognized for the first time that a password-protected computer is like a locked suitcase or a padlocked footlocker in a bedroom. The digital locks raise the expectation of privacy by the owner. The majority nonetheless refused to suppress the evidence. More specifically, the issue is whether to apply the Fourth Amendment from the virtual perspective or the physical perspective, Kerr said. “The big question is whether the majority’s approach will last,” he said. Judge Michael R. Murphy, joined by the court’s newest member, Judge Neil M. Gorsuch, said the legal test is “whether law enforcement knows or should reasonably suspect because of surrounding circumstances that the computer is password protected.” In dissent, Judge Monroe G. McKay called the unconstrained ability of law enforcement to use forensic software to bypass password protection without first determining whether such passwords have been enabled amounts to “dangerously sidestepping the Fourth Amendment.” “The fact that a computer password ‘lock’ may not be immediately visible does not render it unlocked,” McKay wrote. He wanted the panel to recognize that password protection has become “commonplace” in today’s world and whether a computer search is objectively reasonable is fact-specific to individual cases “with no bright-line rules.” In Andrus’ case, agents did not check the computer for passwords but simply attached a device that allowed them to download all the data it contained without regard to passwords. Andrus, 51 at the time, was out when agents did what is called a “knock and talk” in an attempt to gather enough information for a search warrant. Andrus’ elderly father gave permission to search the house and computer, though he had never personally used the machine, which was in Andrus’ bedroom. [Editor: There’s more here worth reading.]

ONT. TO WEBCAST SOME COURT PROCEEDINGS AND ARCHIVE THEM ONLINE FOR 90 DAYS (CBCnews, 24 May 2007) -- Ontario Attorney General Michael Bryant says some court proceedings will soon be webcast over the Internet and archived online for 90 days. Bryant says webcasting court cases and providing copies to the media on DVD will increase the openness of the justice system. Fees to access court files have been also reduced following recommendations from a panel and complaints from the Canadian Association of Journalists about a lack of access to court documents. The association awarded Bryant the Code of Silence award as a representative of the “most secretive government body in Canada,” and for having the highest fees in Canada for accessing court records. Bryant says some of those fees have now been cut by as much as two-thirds.

NISSAN WARNS U.S. CELL PHONES CAN DISABLE CAR KEYS (ComputerWorld, 25 May 2007) -- Nissan North America has a warning for customers: Placing your electronic key too close to your cell phone could leave you stranded. The automaker is asking customers driving new models of two of its flagship sedans to keep their car keys and cell phones at least an inch apart to avoid disabling the “intelligent keys.” Cell phones kept near Nissan’s I-Keys -- wireless devices designed to allow drivers to enter and start their cars at the push of a button -- can erase the electronic code on the keys, rendering them unable to unlock or start the cars. The problem has occurred on the 2007 Nissan Altima and Infiniti G35 sedans -- two of Nissan’s top-selling models, the company said yesterday. “We discovered that if the I-Key touches a cell phone, outgoing or incoming calls have the potential to alter the electronic code inside the I-Key,” Nissan spokesman Kyle Bazemore said. “The car won’t start, and the I-Key cannot be reprogrammed,” he added. The problem has occurred in a “very small percentage” of cars sold, Bazemore said. He also said a new version of the I-Key would be available in the fall.

GERMANY PASSES ANTIHACKING LAW (ComputerWorld, 28 May 2007) -- Hackers may want to avoid Germany, after the approval of a law that makes their activity a punishable crime. The legislation, which the German government proposed earlier last year and approved Friday with no changes, aims to crack down on the sharp rise in computer attacks in the public and private sectors. Although Germany already has a comprehensive penal law against attacks on IT systems, the new legislation looks to close any remaining loopholes. It defines hacking as penetrating a computer security system and gaining access to secure data, without necessarily stealing data. Offenders are defined as any individual or group that intentionally creates, spreads or purchases hacker tools designed for illegal purposes. They could face up to 10 years in prison for major offences. Other punishable cybercrimes include DOS (denial-of-service) attacks and computer sabotage attacks on individuals, which would extend the existing law that limited sabotage to businesses and public authorities. The new law, however, has drawn criticism by several groups, including the hacker club Chaos Computer Club e.V., which points to the work of “good” hackers, also known as “white hats,” who work for security companies. These computer experts, the club argues, could be restricted in their ability to help software makers develop secure products and businesses to deploy them.;690399781;fp;4194304;fpid;1

APPLE INTRODUCED ITUNES U (InsideHigherEd, 31 May 2007) -- Apple introduced iTunes U, a new section within its music software where universities can publish lecture audio, promotional videos and other downloadable media for current and prospective students. Top downloads on Wednesday included a “What Is Existentialism?” lecture from the University of California at Berkeley and another called “Technical Aspects of Biofuel Development” at Stanford University. Unlike traditional podcasts, not just anyone can post material to iTunes U — universities control the content, and institutions can sign up to publish their own media relatively easily, according to Chris Bell, Apple’s director of worldwide marketing for iTunes. The new initiative to bring content from institutions of higher learning together into a unified interface stemmed in part from a program that began with Stanford in 2005, in which colleges could offer course content available only to their students. iTunes U was developed in collaboration with many of those colleges and universities, Bell added. “It’s free to the university, it’s free to the end user, and we think it’s a great way to take the assets that universities have and really serve the public,” he said. iTunesU at [Editor: There’s excellent material there; find iTunesU in the Apple store, click on “Power Search” (right column) and search for “law” in the Descriptions field.]

CT RULES ONLINE ADS INVITATIONS FOR OFFERS (BNA’s Internet Law News, 31 May 2007) -- BNA’s Electronic Commerce & Law Report reports that a federal court in New York has ruled that an online solicitation for goods and ideas is not an offer but instead is a mere invitation for offers from responders. The court said that neither the Internet context nor the subject matter of an online call for news ideas changed the announcement’s essential character from an advertisement to a bona fide offer. Case name is Trell v. Am. Ass’n of the Advancement of Sci.

ANOTHER COURT POURS SALT IN WEBSITES’ WOUNDS (Steptoe & Johnson’s E-Commerce Law Week, 31 May 2007) -- As if the Ninth Circuit’s decision in the case, wasn’t bad enough, on April 19, a federal court in Connecticut further limited the protection afforded to websites by Section 230 of the Communications Decency Act. In Doctor’s Associates, Inc. v. QIP Holders, LLC, the court held that Section 230 creates an affirmative defense which cannot be decided on a motion to dismiss. Instead, it must be addressed in a motion for summary judgment, and normally after discovery. Though not as big a blow to websites as the decision, this ruling could mean that websites will need to spend more time (and money) making out a CDA defense, and may have to endure at least some discovery by plaintiffs. And if the decision is upheld, plaintiffs will undoubtedly use such discovery to look for evidence that website defendants encouraged, solicited, and profited from third-party content.

EHARMONY SUED IN CALIFORNIA FOR EXCLUDING GAYS (Reuters, 31 May 2007) -- The popular online dating service eHarmony was sued on Thursday for refusing to offer its services to gays, lesbians and bisexuals. A lawsuit alleging discrimination based on sexual orientation was filed in Los Angeles Superior Court on behalf of Linda Carlson, who was denied access to eHarmony because she is gay. Lawyers bringing the action said they believed it was the first lawsuit of its kind against eHarmony, which has long rankled the gay community with its failure to offer a “men seeking men” or “women seeking women” option. They were seeking to make it a class action lawsuit on behalf of gays and lesbians excluded from the dating service. eHarmony was founded in 2000 by evangelical Christian Dr. Neil Clark Warren and had strong early ties with the influential religious conservative group Focus on the Family. It has more than 12 million registered users, and heavy television advertising has made it one of the nation’s biggest Internet dating sites.

CHOICEPOINT SETTLES WITH 43 STATES, D.C. OVER DATA BREACH (, 31 May 2007) -- ChoicePoint Inc. has agreed to implement more safeguards as part of a settlement with 43 states and the District of Columbia over allegations it failed to adequately secure consumers’ personal information related to a breach of its database it disclosed in 2005. The Alpharetta, Ga.-based consumer data provider has agreed to adopt significantly stronger security measures, according to the settlement announced Thursday. Among them are written certification for access to consumer reports and, in some cases, onsite visits by ChoicePoint to ensure the legitimacy of companies before they are allowed access to personally identifiable information. The breach involved thieves posing as small business customers who gained access to ChoicePoint’s database, possibly compromising the personal information of 163,000 people, according to the Federal Trade Commission. ChoicePoint will now conduct periodic audits to ensure that companies are using consumer data for legitimate purposes. There is no fine or penalty, though ChoicePoint will pay $500,000 for the states to share. ChoicePoint said the money is for programs like state public education campaigns about identity theft. But Connecticut, for one, said its share - $5,500 - will go into the state’s general fund. “This step marks a historic first - the first time a data broker has agreed to safeguard certain sensitive publicly available information, including Social Security numbers, using the same credentialing methods as it uses to safeguard private financial information that is protected by law,” Connecticut Attorney General Richard Blumenthal said in a statement.

COMPUTER HACKERS STEAL CARSON FUNDS (LA Times, 1 June 2007) -- If Carson Treasurer Karen Avilla had had a nagging feeling she was being watched whenever she got on her laptop computer, she would have been right. Cyber-thieves were able to shift nearly $450,000 from the city’s general fund last week by using a program that was able to mimic the computer strokes made by Carson’s financial officer. Each time Avilla logged on to her city-provided laptop in the morning, someone was — virtually — looking over her shoulder, recording every single keystroke. Armed with the spyware program, the hackers obtained bank passwords. They wired $90,000 to a “Diego Smith” in North Carolina. One day later, on May 24, the thieves got bolder and wired $358,000 from the city’s bank account to a bank in Kalamazoo, Mich. Avilla and her deputy discovered the theft just in time to have all but $45,000 of the funds frozen. But the experience left city leaders rattled. “As I sat there with the detectives and the forensic folks from the bank, I thought, ‘I don’t even want to touch a computer,’ “ Avilla said Thursday. “I felt violated. It made me think, ‘Who’s out there?’ “ The crime raised concerns about the security of municipal coffers, especially when wireless networks are used. Although such city hacking cases have been isolated, some experts said many municipalities lack the large information technology staffs and large budgets for computer security. “If you go after a local municipality, they’re more likely to have fewer people dedicated to computer security,” said Eric Schultze, chief security architect for Shavlik Technologies in Minnesota and a widely cited expert in anti-hacking circles. Avilla said she still doesn’t know how her computer was targeted. She said she doubts it had the latest security software patch protections — something sheriff’s detectives and bank investigators told her is essential in safeguarding her computer.,1,2311103.story

FEDS GIVE WEB ACCESS TO LOBBYING RECORDS (Washington Post, 1 June 2007) -- The Justice Department has launched a searchable online database that tracks the activities of foreign governments and companies lobbying the U.S. government. Previously, people seeking this information had to phone the Justice Department or visit its office in person to get public disclosure documents, which representatives of foreign entities are required to provide under the Foreign Agents Registration Act, or FARA. Passed in 1938, FARA requires all individuals acting as agents of foreign entities in a political or quasi-political capacity to disclose their relationship, activities, receipts and payments supporting the activities. Under a federal law enacted in 1995, Congress also requires lobbyists working for American companies, associations and other entities to disclose activities that could influence members of the executive and legislative branches. Those public documents are available online through a Senate Web site. The new Justice Department site,, also provides links to lobbying statutes, semiannual reports to Congress and access to registration forms for filing purposes. “This Web site is a significant step in the effort to ensure transparency in the world of foreign-influenced lobbying,” Kenneth L. Wainstein, assistant attorney general for national security, said in a statement. The agency said some documents are still unavailable online due to potential privacy issues. However, they can still be accessed at the FARA public office.

CREDIT UNIONS BANK ON STATE DATA-SECURITY LAWS (ComputerWorld, 4 June 2007) -- As an increasing number of states consider bills seeking to codify pieces of the Payment Card Industry (PCI) Data Security Standard into law, a common thread is emerging: the involvement of credit unions in pushing the legislation. California legislators last week held a hearing on a bill that would set new data security and breach-notification requirements for all organizations processing credit and debit card transactions in the state. Businesses hit by breaches would also have to reimburse affected banks and credit unions for the costs of alerting customers and reissuing cards. The chief proponent of the bill, which was introduced in the state assembly in February, is the California Credit Union League. The CCUL’s sponsorship of the proposal mirrors recent efforts by credit union associations to pass similar measures in Minnesota and Texas — successfully in the former state and unsuccessfully in the latter. The need for such legislation is being driven by the burgeoning costs that many credit unions are having to bear as a result of security breaches at merchants, said Keri Bailey, a lobbyist for the CCUL. “This is an issue of fundamental fairness,” Bailey said. “Right now, the burden is entirely on the financial institution.” The federal Gramm-Leach-Bliley Act requires banks and credit unions that issue cards “to do a whole lot to protect people’s data,” she said. “But the folks accepting this data [for transactions] have no skin in the game.” Individually, large and midsize credit unions can easily end up shelling out between $500,000 and $750,000 annually in breach-notification and card replacement costs, Bailey said. And those figures don’t include any fraud-related charges, she noted. Most credit unions are not-for-profit institutions, Bailey said. As a result, it’s harder for them to absorb the costs of responding to retail security breaches than it is for banks, she added. The bill in California has goals similar to those of the Plastic Card Security Act that was signed into law in Minnesota two weeks ago. The requirements included in the Minnesota law and the California bill incorporate elements of the PCI standard, which was developed by the five major credit card companies.

BEST BUY LAWYER ADMITS HE ALTERED DOCUMENTS IN SUIT (, 5 June 2007) -- A lawyer for Best Buy Co. has acknowledged that he falsified e-mails and a memo before turning them over to plaintiffs in a nationwide class-action lawsuit -- a development that could prompt the judge to find the company liable for tens of millions of dollars in damages. Judge Douglass North Jr. in King County Superior Court has previously scolded Best Buy for not being forthcoming with documents related to the case, so last month’s revelations about the actions of Minneapolis lawyer Timothy Block do not bode well for the company. The lawsuit, filed in 2003, accuses Best Buy of signing up at least 100,000 customers for trial subscriptions to Microsoft Corp.’s MSN Internet service from 1999 to 2003, in many cases without their knowledge. Once the trial period ended, the customers began incurring credit card charges they had not approved. Microsoft, which paid Best Buy for each customer it signed up, is accused of allowing Best Buy’s practice to continue even after receiving complaints. The lawsuit aims to hold Best Buy, Microsoft or both financially liable; if the judge enters a default judgment against Best Buy, Microsoft would essentially be off the hook, said Beth Terrell, a Seattle-based lawyer for the plaintiffs. For now, the case has been stayed while Best Buy finds new outside counsel. Block’s firm, the prominent Minneapolis firm of Robins, Kaplan, Miller and Ciresi, asked to withdraw after he admitted May 23 to redacting or otherwise altering the documents. A hearing on the withdrawal motion is set for June 22. “Mr. Block confirmed that no other person at RKMC, and no person at Best Buy, were aware that he had changed documents,” the firm said in a court filing the next day. “RKMC has begun its investigation into the number of documents that were altered and is attempting to locate the original (pre-alteration) documents.” Block reported his wrongdoing to Minnesota’s Board of Professional Responsibility as well as to the three other states where he is licensed to practice, and is on medical leave for stress and depression, said his attorney, Richard Thomas. The altered documents are limited to two e-mails and one memo, Thomas said. The documents have not been publicly released.

2 MODELS FOR DIGITIZING COLLECTIONS (InsideHigherEd, 7 June 2007) -- Google’s Library Project, which is in the process of digitizing millions of books at top university libraries around the world, announced a major expansion Wednesday: The 12 universities that make up the Committee on Institutional Cooperation have agreed to let Google digitize up to 10 million of their collective volumes — generally those from the most distinctive parts of their collections. The announcement brings to 25 the number of universities involved in the Google project, which is being hailed by some scholars for the way it will assure online access to volumes that have been largely available only in a few locations and that are in danger of decomposition. The project will involve both books in the public domain and copyrighted materials — and the latter have been controversial. Groups of authors and publishers are suing Google over the Library Project, charging that it is infringing on copyrights, and those suing indicated that they would expect any eventual settlement in the case (should Google lose) to be applied to the additional works being added under the new agreement. On the same day Google and the 12 universities made their announcement, Emory University announced a plan to digitize major portions of its collection — independent of Google and using an intentionally different model.

CT RULES SECOND LIFE ARBITRATION CLAUSE UNENFORCEABLE (BNA’s Internet Law News, 7 June 2007) -- BNA’s Electronic Commerce & Law Report reports that a federal court in Pennsylvania has ruled that an arbitration clause contained in the Second Life virtual world’s terms of service is unconscionable. The court says that, procedurally, the clause was buried in Second Life’s clickwrap offer; as for the substance of the terms, the court finds they were so one-sided they left the plaintiff without an effective legal remedy. Case name is Bragg v. Linden Research Inc.; background on the dispute (and the court’s ruling) at

US ISPS START CHARGING FOR EMAILS (ZDnet, 7 June 2007) -- Five of the largest ISPs in the US are to start charging businesses for guaranteed delivery of their emails, in a bid to combat spam. Goodmail Systems, which provides a service called CertifiedEmail, announced on Thursday that it had signed up Comcast, Cox Communications, Time Warner Cable’s Road Runner and Verizon as customers. Emails certified using the system are marked with a blue ribbon to show they come from a trusted source, thus bypassing spam filters — a privilege which will cost the sender a quarter of a US cent per email. The voluntary scheme is aimed at large corporations and financial institutions whose mass mailings are most likely to be spoofed and caught in spam filters. Non-profit groups will be able to use the service for roughly a tenth of the commercial rate.

CONFIDENTIALITY - CONSEQUENCES OF INVITING E-MAILS ON LAW FIRM WEB SITES. (Freivogel on Conflicts, 7 June 2007) -- Mass. Op. 2007-1 (2007). This opinion addresses the situation where Non-Client sends a detailed E-mail request for assistance to a lawyer whose Web site contains the lawyer’s E-mail address. The lawyer reads the E-mail and discovers that Non-Client wants to sue a current client of the lawyer’s firm. The opinion concludes that the lawyer and the lawyer’s firm are disqualified from representing the client against Non-Client. The opinion notes that Model Rule 1.18(d) and Restatement Sec. 15(2)(a) would allow the firm to continue if the lawyer receiving the information was screened. However, the opinion also notes that Massachusetts has not adopted Model Rule 1.18. The opinion suggests that this problem could have been avoided had the Web site had the facility to require Non-Client to agree not to send confidences. Recall earlier opinions that did not hold for disqualification where there was no Web site, and the E-mails were completely unsolicited: San Diego Op. 2006-1; Ariz. Op. 02-04; and ABCNY Op 2001-1. We are attempting to get the precise date of the Massachusetts opinion.

PATENT OFFICE TO TEST PEER REVIEW OF COMPUTER TECH PATENTS (ComputerWorld, 7 June 2007) -- The U.S. Patent and Trademark Office said today it is launching a project that could help improve the process for examining applications for patents in computer technologies. The Peer Review Pilot, which will begin June 15 and run for one year, will allow experts in computer technology to send technical references related to the claims of a published patent application before an examiner reviews it, according to a press statement. The pilot is a joint initiative with the Community Patent Review Project organized by the New York Law School’s Institute for Information Law and Policy. “Studies have shown that when our patent examiners have the best data in front of them, they make the correct decision,” said Jon Dudas, director of the patent office, in the statement. “Examiners, however, have a limited amount of time to find and properly consider the most relevant information. This is particularly true in the software-related technologies where code is not easily accessible and is often not dated or well-documented.” Technical experts will review and submit information for up to 250 published patent applications, according to the patent office. Applicants who volunteer for the project must give their consent for the patent office to seek comments on their applications because the current law doesn’t allow the public to submit commentary without the permission of the applicant, the statement said. “This pilot is just one facet of USPTO’s broader efforts to find new ways to get the best information in front of examiners before they make a final decision on a patent application,” according to the statement.

DIGITAL SIGNATURES GET WEB STANDARDS NOD (CNET, 7 June 2007) -- A standards group has completed work on digital signature technology designed to ensure data authenticity between interacting Web servers. Version 1.0 of the Digital Signature Services standard provides a tamper-proof mechanism to provide electronic timestamps, postmarks or official corporate imprimaturs. Members of the Organization for the Advancement of Structured Information Standards (OASIS) gave the digital signature standard its highest level of ratification, the standard group said Thursday. OASIS governs many emerging standards in the domain of Web services, a term that refers to sophisticated interactions of different servers over the Internet. With a digital signature Web service, a company could use a separate server to handle the chore rather than building it directly into each application that needed it. The digital signature standard has two components, one for the signature itself and one for verification of the signature, OASIS said. So, for example, a computer service could send a document to a server to receive a digital signature or send a document and its signature to a server that will verify the document’s authenticity. One organization that has an interest in digital signatures and that worked with OASIS to develop the standard is the Universal Postal Union, a United Nations agency. It’s working to incorporate the digital signature standard into its Electronic Post Mark system (UPU EPM), OASIS said.

CREDIT UNION BILLS TJX $590K FOR BREACH COSTS (ComputerWorld, 11 June 2007) -- A credit union has sent The TJX Companies Inc. an invoice for $590,000 to cover the monetary costs and reputational damage that the financial institution says it incurred as a result of the data breach disclosed by the retailer in January. HarborOne Credit Union in Brockton, Mass., sent the bill to TJX on April 30. Thus far, the retailer hasn’t responded, said James Blake, president and CEO of the 100,000-member credit union. Blake said that because of the breach at TJX, HarborOne had to block and reissue about 9,000 debit cards at a cost of around $90,000. The remaining $500,000 on the bill is what he thinks the breach has cost the credit union in terms of damage to its reputation. “We had to notify customers of the fact that their account was breached,” Blake said. “There were some questions on their part [about] whether or not we were responsible [for the breach], when in fact it was TJX’s responsibility.” Instead of filing a lawsuit against TJX, HarborOne decided to give the retailer a chance to do the “morally” right thing, Blake said. “Whether they will is another issue,” he added. “They have run from the problem from the very beginning.”

EFF PRIVACY ADVOCATE SIGHTED IN GOOGLE STREET VIEW (Wired, 11 June 2007) -- It’s official. Every new street level map view service has to capture an image of EFF staff attorney Kevin Bankston sneaking a cigarette. Amazon’s now-defunct A9 service first nailed Bankston outside EFF’s San Francisco office a few years ago. He’d been trying conceal his smoking from his family. These days Bankston uses that anecdote as a weapon in his principled but quixotic campaign against Google’s new Street View service. Bankston argues Street View is legal, but irresponsible, and should include facial obfuscation technology so every face is blurred or made to resemble the mush-visaged demons from Jacobs Ladder. But after the A9 incident, Bankston thought he’d personally escaped the same treatment from Street View, which shows nobody at all standing outside EFF headquarters. Imagine my delight when, looking for directions in the Mission this weekend, I stumbled upon [a] picture of someone resembling Bankston a few blocks away from EFF. It turns out he’s walking to work. I showed it to Bankston at a party Sunday, and he confirmed it was him with a howl of disbelief mixed with ironic laughter. “I can’t believe they got me again!” Then he snuck out for a smoke. Google’s burdensome process for removing your picture from Street View:

GOOGLE RANKED ‘WORST’ ON PRIVACY (BBC, 11 June 2007) -- Google has the worst privacy policy of popular net firms, says a report. Rights group Privacy International rated the search giant as “hostile” to privacy in a report ranking web firms by how they handle personal data. The group said Google was leading a “race to the bottom” among net firms many of whom had policies that did little to substantially protect users. In response Google said the report was mistaken and that it worked hard to keep user data confidential. The report by the veteran cyber rights group is the result of six months’ research which scrutinised 20 popular net firms to find out how they handle the personal information users gave up when they started using such services. None of the firms featured in the report got a “privacy friendly” rating. Yahoo and AOL were said to have “substantial threats” to privacy as were Facebook and Hi5 for the allegedly poor way they dealt with user data. Microsoft, one place higher in the rankings than these four firms, was described as having “serious lapses” in its privacy policy. Other net sites, such as, eBay and were described in the report as “generally privacy aware but in need of improvement”. But Privacy International singled put Google at the bottom of its rankings for what the group called its “numerous deficiencies and hostilities” to privacy. Privacy International placed Google at the bottom of its ranking because of the sheer amount of data it gathers about users and their activities; because its privacy policies are incomplete and for its poor record of responding to complaints. “While a number of companies share some of these negative elements, none comes close to achieving status as an endemic threat to privacy,” read the report. Responding to the report Nicole Wong, general counsel for Google, said in a statement: “We are disappointed with Privacy International’s report which is based on numerous inaccuracies and misunderstandings about our services.”

-- and --

GOOGLE LIMITS DATA RETENTION IN COMPROMISE WITH EU (Reuters, 12 June 2007) -- Google Inc. is scaling back how long it keeps personally identifiable data accumulated from its Web users, seeking to mollify a European Union watchdog that has questioned its privacy policies. The world’s top provider of Web search services said late on Monday that it is ready to curtail the time it stores user data to a year-and-a-half, the low end of an 18 to 24 month period it had originally proposed to regulators in March. But Peter Fleischer, Google’s global privacy counsel said in a letter addressed to the Article 29 Data Protection Working Party in Brussels that any regulatory requirement to keep data for less than 18 months would undermine Google’s services. “After considering the Working Party’s concerns, we are announcing a new policy: to anonymize our search server logs after 18 months, rather than the previously established period of 18 to 24 months,” he said in the letter dated June 10. The server logs refer to software that stores Web search histories. “We believe that we can still address our legitimate interests in security, innovation and anti-fraud efforts with this shorter period,” Fleischer added. Google is seeking to ease the concerns of regulators in Europe and the United States, as well as a small, but vocal, chorus of privacy activists, who see the scope of Google’s Web services as posing unprecedented threats to consumer privacy. Each time a Google user searches the Web, the company gathers information about that customer’s tastes, interests and beliefs that could potentially be used by third parties such as advertisers. Google shares general user statistics but is adamant it never shares personal data outside the company. The European Union body, made up of national protection supervisors of the bloc’s 27 member states, said in May that Google seemed to be failing to respect EU privacy rules and asked for clarification before its next meeting in mid-June.;_ylt=AsNN6WfsNNuc93uMhqFyw9ME1vAI

AT&T TO TARGET PIRATED CONTENT (LA Times, 13 June 2007) -- AT&T Inc. has joined Hollywood studios and recording companies in trying to keep pirated films, music and other content off its network — the first major carrier of Internet traffic to do so. The San Antonio-based company started working last week with studios and record companies to develop anti-piracy technology that would target the most frequent offenders, said James W. Cicconi, an AT&T senior vice president. The nation’s largest telephone and Internet service provider also operates the biggest cross-country system for handling Internet traffic for its customers and those of other providers. As AT&T has begun selling pay-television services, the company has realized that its interests are more closely aligned with Hollywood, Cicconi said in an interview Tuesday. The company’s top leaders recently decided to help Hollywood protect the digital copyrights to that content.,1,402794.story?coll=la-headlines-pe-business

MICROSOFT CLARIFIES VIRTUALIZATION LICENSING -- FOR NOW (ComputerWorld, 13 June 2007) -- Microsoft Corp. has released a white paper clarifying how licensing for its current version of Windows Server works when paired with third-party virtualization software. However, customers may face a whole new set of licensing rules once the next version, Windows Server 2008, is released later this year. In a white paper called “Licensing Microsoft Windows Server 2003 R2 to Run with Virtualization Technologies,” Microsoft outlines clearly how to license the current version of Windows Server -- Windows Server 2003 R2 -- for specific third-party virtualization technology, including VMware ESX, VMware Vmotion and SWsoft Virtuozzo. It also explains licensing for Microsoft’s own System Center Virtual Machine Manager. The document can be found on a Web page that also includes previously released virtualization calculators that help customers determine the cost of Windows Server licensing in various virtualization scenarios. Virtualization has complicated server OS pricing because it allows more than one instance of server software to run on a single server. Traditional OS pricing has been per server and has assumed that only one version of an OS can run on one piece of hardware. Virtualization allows software to be emulated via a virtual machine, and so can run without having to be physically installed. But even if Microsoft has done enough to clarify how its current version of Windows Server should be licensed for virtualization scenarios, customers could find themselves needing new guidelines once Windows Server 2008 is released, something Microsoft expects to do by the end of the year. Formerly code-named Longhorn, the next version of Windows Server will have virtualization technology built in, which could preclude the need for third-party virtualization software. White paper at

TOP FRENCH ADMINISTRATIVE COURT PERMITS P2P SPYING (BNA’s Internet Law News, 14 May 2007) -- BNA’s Electronic Commerce & Law Report reports that the French Council of State, the highest court of appeal on administrative decisions, has ruled that the French Data Protection Authority over-stepped its privacy protection mandate when it refused to allow music industry organizations to spy on users of P2P file sharing services. The Council of State ruling overturns CNIL’s October 2005 refusal to grant four collective royalty management groups permission to use automated computerized processes to observe activity at P2P sites and later communicate with suspected IP rights violators. Case name is SCPP v. CNIL.

TWO UNIVERSITIES HIT BY SECURITY BREACHES (Information Week, 11 June 2007) -- Two universities suffered security breaches that compromised the security of sensitive personal information on students and faculty. Both the University of Iowa and the University of Virginia announced last Friday that they have been sending out notifications about the breaches. The University of Virginia said its investigation has shown that on 54 separate days between May 20, 2005, and April 19, 2007, a hacker broke into the network and accessed the records of 5,735 faculty members. The school called in the FBI to work on the case alongside the university police and its IT workers. “We sincerely regret the distress this causes to our colleagues,” said James Hilton, the university’s VP and CIO, in a written statement. “This theft adds greater urgency to our ongoing effort to remove from databases Social Security numbers and other personal information that could be accessed through the Internet and later potentially abused. The university is continually modifying its systems and practices to enhance the security of sensitive information and training its employees in data protection.” The school pointed out in an online release that information on students and non-faculty staff members wasn’t compromised. Those who were affected include anyone who taught or had any faculty designation from approximately 1990 to August 2003. Of those whose records were accessed, about 2,100 are currently employed at the university. The faculty information that was accessed included dates of birth and Social Security numbers. The University of Iowa breach affected about 1,000 students and applicants to the school’s Molecular and Cellular Biology graduate program, along with about 100 faculty members associated with the program, according to an online release. A staff member in the graduate program discovered the security breach on May 19. Social Security numbers of faculty, students, and prospective students were stored on a Web-based database program that was compromised. The university did not say when the security breach occurred.

**** RESOURCES ****

DATA MINING AND THE SECURITY-LIBERTY DEBATE (Daniel Solove, May 2007) -- Abstract: In this essay, written for a symposium on surveillance for the University of Chicago Law Review, I examine some common difficulties in the way that liberty is balanced against security in the context of data mining. Countless discussions about the trade-offs between security and liberty begin by taking a security proposal and then weighing it against what it would cost our civil liberties. Often, the liberty interests are cast as individual rights and balanced against the security interests, which are cast in terms of the safety of society as a whole. Courts and commentators defer to the government’s assertions about the effectiveness of the security interest. In the context of data mining, the liberty interest is limited by narrow understandings of privacy that neglect to account for many privacy problems. As a result, the balancing concludes with a victory in favor of the security interest. But as I argue, important dimensions of data mining’s security benefits require more scrutiny, and the privacy concerns are significantly greater than currently acknowledged. These problems have undermined the balancing process and skewed the results toward the security side of the scale.

USE OF SSNS AT DHS: Privacy Policy Guidance Memorandum (DHS, 4 June 2007) --

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. Edupage,
3. SANS Newsbites,
4. NewsScan and Innovation,
5. Internet Law & Policy Forum,
6. BNA’s Internet Law News,
7. Crypto-Gram,
8. McGuire Wood’s Technology & Business Articles of Note,
9. Steptoe & Johnson’s E-Commerce Law Week,
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.

No comments: