Saturday, July 28, 2007

MIRLN - Misc. IT Related Legal News [8-28 July 2007; v10.10]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of the American Bar Association’s Cyberspace Law Committee and Dickinson Wright PLLC. Dickinson Wright’s IT & Security Law practice group is described at http://tinyurl.com/joo5y.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.abanet.org/dch/committee.cfm?com=CL320000 (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley (vpolley@REMOVETHISSTRINGvip-law.com) with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at www.vip-law.com and blogged at http://mirln.blogspot.com/.

**************End of Introductory Note***************

APPEALS COURT DISMISSES SUIT AGAINST NSA SPY PROGRAM (CNET, 6 July 2007) - In a setback for foes of a controversial Bush administration wiretapping program, a federal appeals court on Friday threw out an American Civil Liberties Union lawsuit that alleged illicit snooping on Americans’ calls and e-mails. In a 2-1 decision (PDF), the 6th Circuit Court of Appeals in Cincinnati dismissed a federal district court ruling from last August that found the National Security Agency’s Terrorist Surveillance Program violated the U.S. Constitution and ordered it to stop. The majority’s ruling did not address the legality of the program; rather, it tossed out the case on narrow procedural grounds [i.e., standing]. http://news.com.com/2100-1029_3-6195253.html

GOOGLE APOLOGIZES FOR BLOG CRITICIZING ‘SICKO’ (SiliconValley.com, 6 July 2007) - Search engine Google apologized after an employee criticized Michael Moore’s new documentary “Sicko” in a corporate blog. Google account planner Lauren Turner wrote on the company’s health care advertising blog last week that Moore’s exposé of the health care industry was one-sided and failed to note the industry has also contributed to philanthropy and raised awareness of patient care. Turner suggested that health care companies buy Google ads to counter the negative portrayal. But after angry readers peppered Turner with complaints, she wrote another blog post explaining that her comments were her opinion - not Google’s. The Mountain View company followed up with an apology on its main corporate blog, saying the original blog posting did not reflect its official position. http://www.siliconvalley.com/news/ci_6310943?nclick_check=1

ISP TOLD TO BLOCK ILLEGAL P2P TRAFFIC (VNUnet, 6 July 2007) - Belgian ISP Scarlett, formerly part of Tiscali, has been ordered by a judge to block all peer-to-peer traffic by its customers in a landmark ruling that could set a precedent in Europe. The court in Belgium found that Scarlett had a duty to stop the traffic in illegal content over its network with a variety of technical means that are currently on the market, in particular filtering technology developed by Audible Magic. The case was brought by Sabam, the association of authors and composers in Belgium. The move has been welcomed by the International Federation of the Phonographic Industry (IFPI), which represents recording companies and artists worldwide. IFPI chairman John Kennedy said: “This is an extremely significant ruling which bears out exactly what we have been saying for the past two years. The internet’s gatekeepers, the ISPs, have a responsibility to help control copyright-infringing traffic on their networks.” http://www.vnunet.com/vnunet/news/2193670/isp-block-illegal-p2p-traffic

- but -

MUSIC FILE-SHARERS GET BOOST IN TOP EU COURT (Reuters, 18 July 2007) - Telecoms companies in Europe are not required to hand over information on clients believed to be running music-sharing websites in civil cases, an adviser to the European Union’s top court said on Wednesday. The case was brought by a Spanish music and audiovisual association after telecoms provider Telefonica refused to hand over the names and addresses of its Internet clients suspected of running illegal file sharing sites. The association, Promusicae, wanted to identify the clients, who used the file-sharing programme KaZaA, so it could start taking action against them. But advocate general Juliane Kokott, whose role is to advise the judges, said on Wednesday that it is compatible with EU law for European countries to exclude communication of personal data in the context of a civil, as distinct from criminal, action. The court follows the advice of advocates general on most occasions. http://uk.news.yahoo.com/rtrs/20070718/tot-uk-eu-court-filesharing-566e283.html

- and -

UNIVERSITIES TO RIAA: TAKE A HIKE (Harvard’s Berkman Center, 9 July 2007) - Recently, the president of the Recording Industry Association of America, Cary Sherman, wrote to Harvard to challenge the university administration to stop acting as a “passive conduit” for students downloading music. We agree. Harvard and the 22 universities to which the RIAA has sent “pre-litigation notices” ought to take strong, direct action...and tell the RIAA to take a hike. This Spring, 1,200 pre-litigation letters arrived unannounced at universities across the country. The RIAA promises more will follow. These letters tell the university which students the RIAA plans on suing, identifying the students only by their IP addresses, the “license plates” of Internet connections. Because the RIAA does not know the names behind the IP addresses, the letters ask the universities to deliver the notices to the proper students, rather than relying upon the ordinary legal mechanisms. Universities should have no part in this extraordinary process. [Editor: There’s more, worth reading.] http://cyber.law.harvard.edu/home/filter?func=viewSubmission&sid=2802&wid=379

- and, on the other hand -

UNIVERSITY OF KANSAS ADOPTS ONE-STRIKE POLICY FOR COPYRIGHT INFRINGEMENT (ArsTechnica, 20 July 2007) - In response to the RIAA and MPAA’s campaign against file-sharing, the University of Kansas has announced a stringent policy for students found sharing copyrighted content on the university network. Students fingered for file-sharing would be kicked off of the residence hall network, although they would still be able to use campus computer labs. A brief notice on the University of Kansas ResNet site explains the university’s new position very succinctly. “If you are caught downloading copyrighted material, you will lose your ResNet privileges forever,” reads the notice. “No second notices, no excuses, no refunds. One violation and your ResNet internet access is gone for as long as you reside on campus.” Presumably, the University is referring to illegally downloaded copyrighted material, as there is plenty of copyrighted material that can be downloaded legally. Formerly, KU had a three strikes policy, but the new policy is one of the most stringent we have seen. Other schools have tightened their policies on copyright infringement since Big Content ratcheted up its fight against on-campus file-sharing. For one, Stanford University has made file-sharing a potentially very expensive proposition with its reconnection fees. First-time offenders will have to pay a $100 reconnection fee, with subsequent offenses assessed reconnection fees of $500 and $1,000. Along with the $1,000 fee, students will be referred to Judicial Affairs for disciplinary action after a third offense. http://arstechnica.com/news.ars/post/20070720-university-of-kansas-adopts-one-strike-policy-for-copyright-infringement.html

NINTH CIRCUIT UPHOLDS USE OF INTERNET PEN REGISTER (MIRLN reader, 8 July 2007) - In United States v. Forrester, issued today, the Ninth Circuit ratified DOJ’s longstanding position on the constitutional status of Internet addressing information – such as IP addresses and email addresses – associated with network transmissions. Specifically, the court found that collecting such information does not intrude upon a reasonable expectation of privacy, and thus does not implicate the Fourth Amendment. “Neither this nor any other circuit has spoken to the constitutionality of computer surveillance techniques that reveal the to/from addresses of e-mail messages, the IP addresses of websites visited and the total amount of data transmitted to or from an account. We conclude that these surveillance techniques are constitutionally indistinguishable from the use of a pen register that the Court approved in Smith [v. Maryland]. First, e-mail and Internet users, like the telephone users in Smith, rely on third-party equipment in order to engage in communication. Smith based its holding that telephone users have no expectation of privacy in the numbers they dial on the users’ imputed knowledge that their calls are completed through telephone company switching equipment. 442 U.S. at 742. Analogously, e-mail and Internet users have no expectation of privacy in the to/from addresses of their messages or the IP addresses of the websites they visit because they should know that these messages are sent and these IP addresses are accessed through the equipment of their Internet service provider and other third parties. […]” Note, however, the reservation in footnote 6 concerning URL collection: “Surveillance techniques that enable the government to determine not only the IP addresses that a person accesses but also the uniform resource locators (“URL”) of the pages visited might be more constitutionally problematic. A URL, unlike an IP address, identifies the particular document within a website that a person views and thus reveals much more information about the person’s Internet activity. For instance, a surveillance technique that captures IP addresses would show only that a person visited the New York Times’ website at http://www.nytimes.com, whereas a technique that captures URLs would also divulge the particular articles the person viewed.” Full opinion at http://www.ca9.uscourts.gov/ca9/newopinions.nsf/F0E09BB37A97D51A88257310004D1DAC/$file/0550410.pdf?openelement Press coverage at http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/07/07/BAGMNQSJDA1.DTL&feed=rss.news

CORPORATE USERS DUMP MICROSOFT’S SOFTWARE ASSURANCE (Computer World, 9 July 2007) - Microsoft Corp. faces a revolt among enterprise customers over its Software Assurance maintenance program, an analyst said today, because of long stretches between upgrades and simple economics. In research published today, Forrester Research Inc. analyst Julie Giera said that based on interviews with 63 Microsoft customers, 25% won’t renew their maintenance contracts and another third remain undecided. “There are more in the ‘mad as hell’ category than I’ve ever seen,” said Giera regarding customers’ feelings about Software Assurance. “A number of companies, higher than I’ve seen since 2001 when I started to track this, are deciding to buy [licenses] later.” Software Assurance is the Microsoft program that gives corporate customers software upgrade rights and other benefits during a multiyear contract in exchange for a flat annual fee. It’s an important part of the company’s revenue picture; based on Microsoft’s own numbers for the program’s contribution to the bottom line, Software Assurance delivered about $4.1 billion in the quarter that ended March 31. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9026626&source=NLT_AM&nlid=1

77 PERCENT OF SECURITY PROFESSIONALS WANT EU DATA BREACH LAWS (Computerworld UK, 9 July 2007) - Around three out of four IT security professionals think companies should be legally obliged to inform customers and regulators of data security breaches, a survey reveals. Of those that are in favour of introducing this law, nearly half (49%) said that businesses should be forced to disclose a security breach immediately, rather than delaying the announcement. This is the result of a survey of IT security professionals conducted by database security company Secerno at Europe’s annual information security conference, Infosec 2007. The European Commission is expected to pass the European Directive on Data Protection this year, which would require companies to inform all customers and regulators of any data security breaches. However, it could take years for the UK or other European countries to adopt this directive into law. Paul Davie, founder of Secerno, commented that the UK public does not know the full scale of data security breaches, as there is no legal obligation to reveal them. “There is a clear demand from security professionals and consumers that the Government and the EU should follow the US’s lead and impose a legal framework that forces companies to disclose breaches.” http://www.computerworlduk.com/management/government-law/legislation/news/index.cfm?newsid=3924

GOOGLING “HOW TO CRACK A SAFE” NETS ROBBERS $12,000 (ArsTechnica, 10 July 2007) - Google has become so ubiquitous in many people’s daily lives that it serves as the all-encompassing information source on how to do nearly anything: jump a car, tie a tie, fold a pocket square, remove ketchup stains. Oh, and crack open a safe to steal $12,000. That’s what a couple of burglars did last month in Colorado, when they broke into an indoor amusement center called Bigg City armed with the knowledge they thought they needed in order to get into a couple of safes. The burglars knew the passcodes to the safes in question but were still unable to open them after several tries, so they eventually resorted to their good friend Google to tell them how. These burglars may not have been the sharpest tacks in the box to begin with; they attempted to cover a security camera lens not with spray paint or some other opaque agent, but with the clear, cleaning properties of WD-40, and attempted to do the same to a fire alarm that they thought was a camera. But at least they were resourceful; after spending an hour and 15 minutes unsuccessfully attempting to open the safe using their handy passcodes, according to the Colorado Springs Gazette, they used the computer in the next room to search Google for “how to crack a safe.” The Google search proved fruitful for the two burglars, as they were able to get the information they needed and walk away with $12,000 in cash as well as a PlayStation and a laptop. And despite their inept attempts to outwit the security cameras, they have not yet been arrested. http://arstechnica.com/news.ars/post/20070710-criminals-confused-about-how-to-get-the-job-done-google-to-the-rescue.html

NEW WEB SITE ENCOURAGES FIRMS TO REPORT CORRUPTION (CNET, 11 July 2007) - Multinational firms like Wal-Mart, Target and Tyco International on Wednesday endorsed a new Web site where companies and individuals can report bribery and corruption in countries where they do business. Bribeline.org, launched by Trace, a Maryland-based nonprofit group that represents multinational companies, lets anyone volunteer information about incidents of corruption or bribery in the United States or abroad. The information compiled from Bribeline will help companies determine where corruption is most prevalent and will help governments strengthen their ability to tackle corruption. “Bribeline will further Wal-Mart’s efforts to ensure we are allocating the necessary resources to combat corruption in those countries where we do business,” said Alberto Mora, vice president and general counsel for the international department at Wal-Mart. Businesses looking into ventures in certain countries will be forewarned about what kinds of bribery they can expect. “If you know the terrain, it’s easier to map out a business solution for survival,” said Michelle Gavin, a board member of Trace. The Web site does not require participants to identify themselves, which some critics say would encourage malicious or false reporting. “We had to make a decision early on between anonymity or verification,” said Trace President Alexandra Wrage, “You can’t have both.” The World Bank, which has a similar disclosure program that encourages firms to admit when they paid bribes while doing work for the bank, has estimated that bribery around the world amounts to about $1 trillion, and affects the poorest citizens the most. “The World Bank knows from experience that nobody wants their names mentioned,” said Suzanne Rich Folsom, director of the Department of Institutional Integrity at the World Bank. Fear is often a deterrent in reporting corruption, she added. “Bribeline will be real-time information to all of us who are trying to fight corruption,” said Folsom. “This may begin to level the playing field...and lower the cost of doing business.” http://news.com.com/New+Web+site+encourages+firms+to+report+corruption/2100-7348_3-6196139.html?tag=fd_nbs_ent&tag=nl.e703

EU ACCEPTS U.S. TREASURY’S PROMISES TO PROTECT SWIFT DATA (Steptoe & Johnson’s E-Commerce Law Week, 11 July 2007) - The European Union announced last month that the U.S. Treasury Department has made a unilateral commitment to handle “EU originating personal data” it obtains from the Brussels-based banking consortium known as SWIFT in a manner that “take[s] account of EU data protection concerns.” The EU stated that the European Commission considers Treasury’s representations - in combination with SWIFT’s promises to abide by “safe harbor” principles and inform customers that their personal data will be sent to the United States, where it will be subject to subpoena - “sufficient to guarantee respect for and the enforcement of European data protection rights.” The EU’s announcement provides a window into the procedures U.S. authorities will follow to avoid running afoul of EU data protection law. Companies might want to consult the specifics of this deal (once they’re publicly released) when considering whether or how to provide personal data from the EU to U.S. authorities. http://www.steptoe.com/publications-4639.html

WHOLE FOODS CEO PANNED WILD OATS ON WEB (Reuters, 12 July 2007) - The chief executive of Whole Foods Market Inc. posted messages on a Yahoo! chat forum under an alias for years, talking up his own company while predicting a bleak future for Wild Oats Markets Inc., the rival it has since sought to acquire. Company CEO John Mackey posted messages on a Yahoo! financial forum under the user name “rahodeb,” according to a court document filed by the U.S. Federal Trade Commission and postings on Yahoo! Mackey’s messages painted a bright future for Whole Foods, the largest U.S. natural and organic grocer, and downplayed the threat posed by competitors. “The writing is on the wall. The end game is now underway for (Wild Oats) .... Whole Foods is systematically destroying their viability as a business - market by market, city by city,” Mackey wrote in a March 28, 2006 posting. It was cited by the FTC as part of a lawsuit aimed at blocking Whole Foods’ planned $565 million (278 million pounds) acquisition of Wild Oats on grounds the deal would hobble competition and increase prices to consumers. “Bankruptcy remains a distinct possibility (for Wild Oats) IMO if the business isn’t sold within the next few years,” rahodeb said in another March 29, 2006 posting on Yahoo! Whole Foods confirmed Mackey had made the “rahodeb” postings between 1999 and 2006. It said references to those comments were among millions of documents the company provided to the FTC as part of the agency’s antitrust lawsuit. In a statement, the company said Mackey posted comments under an alias “to avoid having his comments associated with the company and to avoid others placing too much emphasis on his remarks.” http://uk.news.yahoo.com/rtrs/20070712/tot-uk-wholefoods-ftc-b86c26b.html Washington Post story about informal SEC investigation: http://www.washingtonpost.com/wp-dyn/content/article/2007/07/13/AR2007071301975.html

SPAM FILTER COSTS LAWYERS THEIR DAY IN COURT (IDG News Service, 12 July 2007) - The trouble at Franklin D. Azar & Associates PC began with pornographic spam. Last May the Aurora, Colo., law firm was being bombarded with offensive messages, and enough of it was seeping through the company’s spam filters that employees complained to management, and IT administrator Kevin Rea was told to do something. On the morning of May 21, Rea dialed up the spam settings on the Barracuda Spam Firewall 200 Azar & Associates was using to block unwanted mail. The changes made it harder for spam to land on the desktops of company employees but they also had one unforeseen consequence: The Barracuda Networks appliance began blocking e-mail from the U.S. District Court for the District of Colorado, including a notice advising company lawyers of a May 30 hearing in a civil lawsuit. Azar & Associates lawyers blew their court date, and this week the judge overseeing the matter ordered the company to pay attorney fees and expenses incurred by the lawyers who showed up representing the other side of the case. Rea did not return a call seeking comment on the matter. What happened to Azar & Associates is unusual, but reflects a legitimate worry for law firms. “This is an IT guy’s nightmare if you work in a law firm,” said Matt Kesner, CTO with Fenwick & West LLP, a Bay Area law firm with about 250 attorneys. “It doesn’t take a very high percentage of false-positives in the antispam world to misidentify a crucial piece of correspondence.” Fenwick & West has missed e-mailed court notices in the past, although it has not blown court dates as a consequence, Kesner said. http://www.pcworld.com/article/id,134460-pg,1/article.html
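The failure mode in this story, a filter tightened until it swallows a court notice, is easy to reproduce with a small score-based filter. The following is an added example written for this digest, not the firm’s configuration or Barracuda’s software: the scoring rules and weights, the thresholds, the message texts and the sender addresses are all constructed, and the sender allowlist is the safeguard a mail administrator would add for correspondents whose mail must never be lost.

```python
# Added example (not the firm's or Barracuda's configuration): a score-based spam
# filter showing how a tightened threshold blocks a court notice, and how an allowlist
# of critical correspondents plus a quarantine band avoids losing it.
import re
from dataclasses import dataclass


@dataclass
class Message:
    sender: str
    subject: str
    body: str


# Constructed, illustrative rules: (pattern, weight). A rule contributes its weight once
# if it matches anywhere in the subject or body.
RULES = [
    (re.compile(r"\b(viagra|xxx|adult)\b", re.I), 3.0),
    (re.compile(r"free", re.I), 1.0),
    (re.compile(r"click here", re.I), 1.5),
    (re.compile(r"https?://", re.I), 0.5),   # any link nudges the score up
    (re.compile(r"\bnotice\b", re.I), 0.5),  # "notice" is common in spam and in court mail
    (re.compile(r"!{2,}"), 1.0),
]


def spam_score(msg: Message) -> float:
    text = f"{msg.subject}\n{msg.body}"
    return sum(weight for pattern, weight in RULES if pattern.search(text))


def classify(msg: Message, quarantine_at: float, block_at: float, allowlist=()) -> str:
    """Return 'deliver', 'quarantine' or 'block'.

    Messages from an allowlisted sender domain (or any of its subdomains) bypass scoring.
    Everything between quarantine_at and block_at is held for human review instead of
    being silently dropped.
    """
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    if any(domain == d or domain.endswith("." + d) for d in allowlist):
        return "deliver"
    score = spam_score(msg)
    if score >= block_at:
        return "block"
    if score >= quarantine_at:
        return "quarantine"
    return "deliver"


# Constructed sample messages (addresses and texts are not from the article).
COURT_NOTICE = Message(
    sender="ecf@cod.uscourts.gov",
    subject="NOTICE of Hearing",
    body="This is an automatic e-mail message generated by the CM/ECF system. "
         "Click here to view the document: https://ecf.example-court.invalid/doc/placeholder "
         "One free look applies.",
)
PORN_SPAM = Message(
    sender="promo@spam.invalid",
    subject="XXX adult pics FREE!!!",
    body="Click here now: http://spam.invalid/xxx",
)
CLIENT_MAIL = Message(
    sender="client@example.com",
    subject="Signed agreement",
    body="Hi, the signed agreement is attached. Thanks.",
)


def run_scenario() -> dict:
    """Classify the three messages under the original, tightened and mitigated settings."""
    inbox = [COURT_NOTICE, PORN_SPAM, CLIENT_MAIL]
    return {
        "loose": [classify(m, 4.0, 6.0) for m in inbox],
        "tightened": [classify(m, 2.0, 3.0) for m in inbox],
        "tightened+allowlist": [classify(m, 2.0, 3.0, allowlist=("uscourts.gov",)) for m in inbox],
    }


if __name__ == "__main__":
    for setting, verdicts in run_scenario().items():
        print(f"{setting:>20}: court={verdicts[0]} spam={verdicts[1]} client={verdicts[2]}")
```

A domain allowlist is only as trustworthy as the sender authentication behind it, so in a real deployment it should apply to SPF- or DKIM-verified sender domains rather than to the bare From header; the quarantine band matters for the same reason the allowlist does, because a message that is held and reviewed can still be delivered, while one that is silently dropped cannot.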

SITE PLANS TO SELL HACKS TO HIGHEST BIDDER (Washington Post, 12 July 2007) - A Swiss Internet start-up is raising the ire and eyebrows of the computer security community with the launch of an online auction house where software vulnerabilities are sold to the highest bidder. The founders of WabiSabiLabi.com (pronounced wobby-sobby-lobby) say they hope the service presents a legitimate alternative for security researchers who might otherwise be tempted to sell their discoveries to criminals. Several established vulnerability management companies already purchase information about software flaws from researchers, yet the terms of those deals are private and generally set by the companies. Letting all interested parties bid on security vulnerabilities in an “eBay”-style auction assures that researchers receive the fair market value for the work they do in finding the flaws, said Herman Zampariolo, WabiSabiLabi’s chief executive. http://www.washingtonpost.com/wp-dyn/content/article/2007/07/12/AR2007071201278.html

SONY BMG SUES ANTI-PIRACY COMPANY [over rootkit problems] (BBC, 13 July 2007) - Record company Sony BMG is suing a firm that designed controversial anti-piracy software used on CDs sold by the label. Sony BMG filed papers in a New York state court seeking $12m in damages from the Arizona-based Amergence Group. It says Amergence’s Mediamax software landed it with a $5.75m (£2.83m) bill for compensation after users reported problems with their computers. Amergence disputes the claims and blames another company’s software for the problems. Amergence, formerly known as SunnComm, developed the Mediamax anti-piracy program, which was used on 32 Sony CDs released in the US and Canada. In December 2005, Sony BMG issued a statement highlighting problems with the Mediamax software and urging users to install a patch that closed a security loophole which it said MediaMax opened on PCs. At the same time, other consumers took action over Sony CDs that were being protected with another anti-piracy technology known as XCP. Sony eventually recalled all the CDs that used XCP and offered to swap customers’ existing discs for ones that did not use the software. A statement from Amergence said the problems had resulted from “Sony’s undertested release of a competitor’s technology” and “BMG’s ‘final authority’ input in determining the functional specifications of the Mediamax copy protection”. http://news.bbc.co.uk/2/hi/business/6897202.stm

30 COUNTRIES MOVE TO PROTECT ONLINE CONSUMERS (Network World, 16 July 2007) - Spurred to find ways to protect consumers as online shopping grows, the 30 countries belonging to the international economic and social-development group Organization for Economic Co-Operation and Development (OECD) announced Monday an accord on dispute resolution. After two years of wrangling over the policy document, the Paris-based OECD said its 30 members - which include the European countries, Japan, Korea, Mexico, the United States and the United Kingdom among others - have signed off on a legal framework intended to lead to better policing and resolution of consumer complaints, particularly in cross-border disputes involving e-commerce. But it remains unclear whether concrete change will come from the policy agreement, which the OECD countries now must find a way to put into effect. Called the “OECD Recommendation on Consumer Dispute Resolution and Redress,” the 13-page document states principles that include: [story continues] http://www.networkworld.com/news/2007/071607-countries-protect-online-consumers.html

U.S. DETAILS SOME DATA-MINING PROGRAMS, HINTS AT OTHERS (Wired, 16 July 2007) - Justice Department and Homeland Security inspectors slid a broad range of government data-mining programs under a microscope last week in two reports to Congress that covered systems both sinister and banal. But while the reports - required under two separate federal laws - convey a sense of the breadth of these powerful agencies’ data mining, they only hint at several projects powerful enough to accidentally land innocent Americans in the cross hairs of the government’s antiterrorism efforts. On the innocent side, the Justice Department has separate data-mining programs to ferret out identity-theft gangs, Medicare fraud, staged automobile accidents, online pharmacy scams and illegal housing sales, according to the report by Justice Department Inspector General Glenn Fine. Some of that data mining is conducted with tools available to anyone with a copy of Microsoft Office. And once anomalies in the data are identified, agents follow up on the leads. A more ambitious system under development will be used by the Foreign Terrorism Tracking Task Force - an FBI group responsible for preventing terrorist attacks inside the United States. Called the System to Assess Risk, or STAR, the program will let agents enter names of suspected terrorists into a computer, which then calculates how likely each of those people is to pose a terrorist threat, based on 35 factors. Data mining in the broad sense is everywhere these days, from online services that analyze blog server logs to supermarket loyalty cards used to decide what coupons are mailed to shoppers’ houses. The term has many meanings, but usually refers to attempts to use smart algorithms to discover unseen patterns in large pools of data. The most notorious government data-mining effort was Darpa’s highly secretive Total Information Awareness program, which would have crawled through every possible database, public and private, to identify potential terrorists in the planning stages of an attack. In 2003, amid privacy concerns, Congress stepped in to defund much of that effort, and sent components of the program into the black budget with the promise that the tools would only target non-Americans. http://www.wired.com/politics/onlinerights/news/2007/07/feds_data and http://www.washingtonpost.com/wp-dyn/content/article/2007/07/10/AR2007071001739.html DHS report at http://www.dhs.gov/xlibrary/assets/privacy/privacy_rpt_datamining_2007.pdf

GOOGLE COOKIES WILL ‘AUTO DELETE’ (BBC, 17 July 2007) - Google has said that its cookies, tiny files stored on a computer when a user visits a website, will auto delete after two years. They will be deleted unless the user returns to a Google site within the two-year period, prompting a re-setting of the file’s lifespan. The company’s cookies are used to store preference data for sites, such as default language and to track searches. All search engines and most websites store cookies on a computer. Currently, Google’s are set to delete after 2038. Peter Fleischer, Google’s global privacy counsel, said in a statement: “After listening to feedback from our users and from privacy advocates, we’ve concluded that it would be a good thing for privacy to significantly shorten the lifetime of our cookies.” He said the company had to “find a way to do so without artificially forcing users to re-enter their basic preferences at arbitrary points in time.” So if a user visits a Google website, a cookie will be stored on their computer and will auto-delete after two years. But if the user returns to a Google service, the cookie will re-set for a further two years. http://news.bbc.co.uk/2/hi/technology/6901946.stm

- and -

SEARCH ENGINE ASK TO STOP KEEPING SEARCH DATA UPON REQUEST (SiliconValley.com, 20 July 2007) - Ask.com became the first major search engine to promise users it won’t store data on their queries, giving the privacy conscious the option of conducting research on the Internet in relative anonymity. The move comes amid increasing concerns about the release of search information through leaks or subpoenas. In some cases, the search terms a person uses can reveal plenty about medical conditions, marital troubles or kinky interests. “What everyone’s starting to see is competition for privacy,” said Ari Schwartz, deputy director of the Center for Democracy and Technology, a Washington-based nonprofit that had consulted with Ask on the changes. Company officials acknowledged Friday that the decision alone likely won’t raise Ask’s ranking among search engines. Ask, a unit of IAC/InterActiveCorp., is far behind Google Inc., Yahoo Inc., Microsoft Corp.’s MSN and Windows Live in the share of U.S. search queries. “The number of people this is important to is small,” said Doug Leeds, Ask’s vice president of product management. “But to these people, it’s very important.” The new controls won’t guarantee user anonymity, however. As Ask’s advertising partner, Google would receive and could retain the data in question. Search terms also appear in the Web address sent to Ask, and Internet service providers could retain that. But Leeds said Ask would review contracts with Google and other third parties to limit what they could do with the information, and the company hoped the move would pressure rivals to also adopt tighter privacy controls. http://www.siliconvalley.com/news/ci_6423758?nclick_check=1 Related story at http://www.siliconvalley.com/news/ci_6443591

SEC ISSUES INTERPRETIVE GUIDANCE ON ICFR (Duane Morris Alert, 17 July 2007) - On June 20, 2007, the Securities and Exchange Commission issued interpretive guidance to assist management of public companies in evaluating their internal control over financial reporting (“ICFR”), as required by Section 404 of the Sarbanes-Oxley Act of 2002 and Rules 13a-15(c) and 15d-15(c) of the Securities Exchange Act of 1934. The Guidance provides management with an approach to conduct a top-down, risk-based evaluation of ICFR. The same day, the SEC issued two rule releases. In one release, the SEC adopted final rules in which it:
· adopted amendments to its rules to facilitate management evaluations of ICFR by sanctioning the Guidance as a safe harbor;
· adopted amendments to its rules regarding the auditor’s attestation report on the effectiveness of ICFR; and
· defined the term “material weakness.”
In the other release, the SEC proposed a rule defining the term “significant deficiency.” In a coordinated action, the Public Company Accounting Oversight Board (“PCAOB”) adopted a new auditing standard for use by auditors in their audits of ICFR. SEC guidance at http://reaction.duanemorris.com/reaction/RSProcess.asp?RSID=869E08E2C6EB1284864F3533C50507A2A655341DB2877748CB968577D6FE29D5AC3&RSTYPE=CLICKTHRU

STUDENTS’ TRIAL BY FACEBOOK (The Guardian, 17 July 2007) - Oxford University staff are logging on to Facebook and using evidence they find on student profiles to discipline students. Photos on the social networking website of undergraduates celebrating the end of their exams have been emailed to students by the proctors, Oxford’s disciplinary body, as evidence of breaches of the University’s code of conduct. Students now face fines of up to £100 after proctors collected evidence of students celebrating the end of exams by “trashing” their friends, covering them with champagne, confetti, flour, and even foodstuffs including raw meat and octopus. Students may be unable to graduate until the disciplinary hearings are resolved. Proctors emailed third-year mathematics and philosophy student Alex Hill with links to photographs of her on Facebook on Friday. “I have been charged by the proctors for breaching rules and being ‘disorderly’, on the basis of photographic evidence from Facebook,” she said. http://education.guardian.co.uk/higher/news/story/0,,2128265,00.html

WILL SECURITY FIRMS DETECT POLICE SPYWARE? (Wired, 17 July 2007) - A recent federal court decision raises the question of whether antivirus companies may intentionally overlook spyware that is secretly placed on computers by police. In the case decided earlier this month by the 9th U.S. Circuit Court of Appeals, federal agents used spyware with a keystroke logger - call it fedware - to record the typing of a suspected Ecstasy manufacturer who used encryption to thwart the police. A CNET News.com survey of 13 leading antispyware vendors found that not one company acknowledged cooperating unofficially with government agencies. Some, however, indicated that they would not alert customers to the presence of fedware if they were ordered by a court to remain quiet. Most of the companies surveyed, which covered the range from tiny firms to Symantec and IBM, said they never had received such a court order. The full list of companies surveyed: AVG/Grisoft, Computer Associates, Check Point, eEye, IBM, Kaspersky Lab, McAfee, Microsoft, Sana Security, Sophos, Symantec, Trend Micro and Websense. Only McAfee and Microsoft flatly declined to answer that question. Because only two known criminal prosecutions in the United States involve police use of key loggers, important legal rules remain unsettled. But key logger makers say that police and investigative agencies are frequent customers, in part because recording keystrokes can bypass the increasingly common use of encryption to scramble communications and hard drives. Microsoft’s Windows Vista and Apple’s OS X include built-in encryption. This isn’t exactly a new question. After the last high-profile case in which federal agents turned to a key logger, some security companies allegedly volunteered to ignore fedware. The Associated Press reported in 2001 that “McAfee Corp. contacted the FBI... to ensure its software wouldn’t inadvertently detect the bureau’s snooping software.” McAfee subsequently said the report was inaccurate.
Later that year, the FBI confirmed that it was creating spy software called “Magic Lantern” that would allow agents to inject keystroke loggers remotely through a virus without having physical access to the computer. (In both the recent Ecstasy case and the earlier key logging case involving an alleged mobster, federal agents obtained court orders authorizing them to break into buildings to install key loggers.) Government agencies and backdoors in technology products have a long and frequently clandestine relationship. One 1995 expose by the Baltimore Sun described how the National Security Agency persuaded a Swiss firm, Crypto, to build backdoors into its encryption devices. In his 1982 book, The Puzzle Palace, author James Bamford described how the NSA’s predecessor in 1945 coerced Western Union, RCA and ITT Communications to turn over telegraph traffic to the feds. http://news.com.com/2100-7348_3-6197020.html?part=rss&tag=2547-1_3-0-5&subj=news

- and -

FBI REMOTELY INSTALLS SPYWARE TO TRACE BOMB THREAT (CNET, 18 July 2007) - The FBI used a novel type of remotely installed spyware last month to investigate who was e-mailing bomb threats to a high school near Olympia, Wash. Federal agents obtained a court order on June 12 to send spyware called CIPAV to a MySpace account suspected of being used by the bomb threat hoaxster. Once implanted, the software was designed to report back to the FBI with the Internet Protocol address of the suspect’s computer, other information found on the PC and, notably, an ongoing log of the user’s outbound connections. While there’s been plenty of speculation about how the FBI might deliver spyware electronically, this case appears to be the first to reveal how the technique is used in practice. The FBI did confirm in 2001 that it was working on a virus called Magic Lantern but hasn’t said much about it since. The two other cases in which federal investigators were known to have used spyware - the Scarfo and Forrester cases - involved agents actually sneaking into offices to implant key loggers. An 18-page affidavit filed in federal court by FBI Agent Norm Sanders last month and obtained by CNET News.com claims details about the governmental spyware are confidential. The FBI calls its spyware a Computer and Internet Protocol Address Verifier, or CIPAV. “The exact nature of these commands, processes, capabilities, and their configuration is classified as a law enforcement sensitive investigative technique, the disclosure of which would likely jeopardize other ongoing investigations and/or future use of the technique,” Sanders wrote. A reference to the operating system’s registry indicates that CIPAV can target, as you might expect given its market share, Microsoft Windows.
Other data sent back to the FBI include the operating system type and serial number, the logged-in user name, and the Web URL that the computer was “previously connected to.” News.com has posted Sanders’ affidavit and a summary of the CIPAV results that the FBI submitted to U.S. Magistrate Judge James Donohue. There have been hints in the past that the FBI has employed this technique. In 2004, an article in the Minneapolis Star Tribune reported that the bureau had used an “Internet Protocol Address Verifier” that was sent to a suspect via e-mail. But bloggers at the time dismissed it - in hindsight, perhaps erroneously - as the FBI merely using an embedded image in an HTML-formatted e-mail message, also known as a Web bug. http://news.com.com/8301-10784_3-9746451-7.html?part=dht&tag=nl.e703

CT RULES JURISDICTION CLAIM REQUIRES TARGETED INTERACTIVITY (BNA’s Internet Law News, 19 July 2007) - BNA’s Electronic Commerce & Law Report reports on a decision by a federal court in Kansas that ruled that interactive features on a Web site will not support jurisdiction in a forum unless users there actually accessed the features. The court also said that the site owner must intend its interactive features to reach the forum in order to satisfy purposeful availment. Case name is Capitol Federal Savings Bank v. Eastern Bank Corp.

DOJ PITCHES LEGISLATION TO STRENGTHEN IDENTITY THEFT LAWS (Information Week, 20 July 2007) - The U.S. Department of Justice submitted proposed legislation to Congress on Thursday, looking to beef up laws that would take on the burgeoning problem of identity theft. The bill - the Identity Theft Enforcement and Restitution Act of 2007 - seeks, in part, to make sure identity theft victims are paid back for the time they spend trying to repair the damage inflicted upon them and their financial standing, according to a DoJ notice. The bill also would add to the current identity theft and aggravated identity theft statutes, which focus on stealing the identity of individuals. The bill supplements that by making sure people who steal information from companies and organizations can be prosecuted, as well. The bill comes out of the President’s Task Force on Identity Theft plan, which was released in April. The task force was pulled together to formulate a plan to attack identity theft at all levels in the public and private sectors. As for the bill that the DoJ is proposing, it also seeks to ensure that federal law enforcement has jurisdiction over the theft of identifying information by closing a loophole in the current statute. Under the proposed act, federal jurisdiction could be obtained if the victim’s computer is used in interstate or foreign commerce, the same standard used in other computer hacking offenses. http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201200149

GOOGLE, STATE TO PARTNER ON PUBLIC RECORDS (Detroit Free Press, 20 July 2007) - State officials said this week they are partnering with Google Inc. to make some Michigan public records easier to find for Web surfers. The new technology enables Internet search engines to access and index the records in online databases. That makes the records accessible in search results. Google already has partnered with four other states — Arizona, California, Utah and Virginia — in similar efforts. Google is helping to implement the Michigan Web site improvements at no cost, state officials said in a press release. Some of the state applications that will be affected include school standardized test results, lane closures on Michigan roads and child day care centers. http://www.freep.com/apps/pbcs.dll/article?AID=/20070720/NEWS06/70720012

- but -

JUDGES RESPOND TO SITE OUTING INFORMANTS (Washington Post, 23 July 2007) - In response to a Web site that outs criminal informants and undercover agents, some U.S. judges are withholding certain court documents from the Internet. Federal judges in eastern Pennsylvania and southern Florida are keeping plea and sentencing memos out of online case files because of concerns that the information is being posted on a Web site called WhosARat.com. The documents still will be available in person at the federal courthouse. “It’s better in my view to act sooner rather than later, before any tragedy occurs,” Chief U.S. District Judge Harvey Bartle III said Friday. His colleagues in the Eastern District of Pennsylvania unanimously agreed on the plan, which was hatched in meetings with prosecutors and public defenders, he said. “We’re not going to have secret documents,” Bartle said. “It will still be available for anybody that still wants to walk into the courthouse office and get it.” http://www.washingtonpost.com/wp-dyn/content/article/2007/07/23/AR2007072301167.html

CURING “SENDER’S REMORSE” (AND SCREW-UPS) WITH SELF-DESTRUCTING E-MAIL (ArsTechnica, 23 July 2007) - Everyone has had one of those moments when you realize that you shouldn’t have sent that e-mail. Maybe you sent it out of anger (or drunkenness), it was sent to the wrong person (that was not supposed to go to the boss!), or it was just plain incomplete. A recently announced e-mail service called BigString hopes to eliminate sender’s remorse by offering users a way to send “self-destructing, recallable e-mail.” We were intrigued by some earlier reports on the service and decided to dig into it a little more to see what it was all about. BigString has three tiers of service: a free, web-based account, a premium account with POP3 access, and a business account that can send from corporate e-mail addresses. Through the service, users can specify any number of criteria by which the message might expire: it can expire automatically after a certain number of minutes, it can expire after a certain number of times the recipient has opened the e-mail, or it can simply be set to be “recallable,” so that the message will no longer be accessible whenever the sender feels like deeming it so. But how is it possible? E-mail messages sent through BigString are actually encoded into images that are hosted on BigString’s servers and linked in an e-mail to the recipient. This not only makes it difficult for the recipient to copy and paste the content of the message, it also makes it easy for BigString to track how many times the image has been viewed, how long it has been on the server, and whether it’s been viewed by people at different IP addresses (to prevent forwarding of the message).
When the sender decides to destroy the message, the image is merely removed from the server and disappears from the e-mail message on the recipient side; the message is still sitting there in the inbox, and the recipient still knows that someone tried to send him or her an e-mail, but it no longer has any content. BigString also offers several other features with its e-mail packages. For example, users can track when and how many times a message has been viewed and edit sent e-mails for typos or corrections (which updates the image on the server). There are several annoyances with using BigString, however, as it practically removes all searchability of the e-mails you send. We suppose this is part of the “point,” but it’s annoying nonetheless for practical e-mail use. http://arstechnica.com/news.ars/post/20070723-curing-senders-remorse-and-screw-ups-with-self-destructing-e-mail.html [Editor: *LOTS* of interesting implications here - privacy, security, record-retention, discovery, etc.]

LAWYERS GET COURT APPROVAL FOR POP-UP ADS ON INTERNET (New York Times, 24 July 2007) - A federal judge in Syracuse has cleared the way for lawyers in New York State to use pop-up ads on the Internet, but did not answer the bigger but more subtle issue of whether firms must label newsletters and e-mail messages to clients as advertising. The decision, issued Friday, said that statewide rule changes that took effect on Feb. 1 violated the free speech of lawyers. The ruling resulted from a lawsuit filed by Public Citizen, an advocacy group, on behalf of Alexander & Catalano, a personal-injury firm from Syracuse that had challenged limits placed on advertising by a committee of judges in New York’s appellate division. The firm had called itself “heavy hitters” in ads and had run TV commercials depicting its lawyers as giants towering over skyscrapers, counseling space aliens about an insurance dispute and speeding to reach a client. Gregory A. Beck of Public Citizen, who argued the case, called the images in the advertisements “silly stuff,” but added: “Attention-getting is what advertisements do.” Judge Frederick J. Scullin Jr. of Federal District Court found that the justices who adopted the limits had “no statistical or anecdotal evidence of consumer complaints with or complaints about misleading lawyer advertising,” and had instead cited public comments by a New York Court of Appeals justice on the poor taste of billboards appearing in upstate New York. For major firms, Judge Scullin’s ruling did not address regulations that have confused their marketing officers — whether e-mail messages had to be labeled advertisements and Web sites needed disclaimers. “The portions that were knocked out would not have had a major impact on the large firms here in New York City. I don’t know of any big firms that use pop-up advertisements,” said David G. Keyko, a lawyer with Pillsbury Winthrop Shaw Pittman who is on a City Bar Association task force regarding the new rules. 
http://www.nytimes.com/2007/07/24/business/media/24legal.html?ex=1342929600&en=d0fed62cdeafc35c&ei=5090&partner=rssuserland&emc=rss

WHITE HOUSE PRIVACY ADVISER: WE DON’T NEED MORE AUTHORITY (CNET, 24 July 2007) - Congress is already well on its way to bestowing new powers on an internal White House panel that’s supposed to judge whether Bush administration programs like the National Security Agency’s electronic surveillance regime pose privacy and civil liberties concerns. But the board’s chairman on Tuesday had one message for the politicians backing the new authority: thanks, but no thanks. Civil liberties advocates have long dogged the Privacy and Civil Liberties Oversight Board - which was created within the White House by Congress in 2004 at the recommendation of the 9/11 Commission but didn’t meet until 2006 - for its perceived inability to make real assessments without executive branch officials looking over its shoulder and its lack of transparency to the public. In fact, what is supposed to be a five-member body has already recorded one dropout - former Clinton Administration special counsel Lanny Davis - who cited precisely those concerns when he stepped down in May. So both the House of Representatives and the Senate have passed bills this year that attempt to address those concerns. The House version proposes the more drastic changes: severing the body from the White House and making it a standalone, independent agency with subpoena power. (The Senate version would leave the board within the White House but require the chairman to work full time and confirmation of all members - not just the chairman and vice chairman - to staggered six-year terms.)
But at an hour-long hearing Tuesday afternoon in a House of Representatives Judiciary subcommittee, board vice chairman Alan Raul said the House approach in particular is “potentially unwise.” He argued such a move would deprive the board of its current “unparalleled” access to executive branch officials, would be inefficient in that it requires appointment of a whole new board, and could limit the number of private meetings members are permitted to have. Raul, a partner at the law firm Sidley Austin in Washington and a former Reagan White House attorney, also complained that Congress never bothered to hold “formal hearings” to hear board members’ views before passing those bills. (The two chambers are currently meeting to reconcile the differences between those two proposals, which focus more broadly on implementing 9/11 Commission recommendations.) http://news.com.com/White+House+privacy+adviser+We+dont+need+more+authority/8301-10784_3-9749388-7.html?part=dht&tag=nl.e703

SENATORS TO ABANDON ‘08 E-VOTING PAPER TRAIL MANDATE (CNET, 25 July 2007) - Democratic senators on Wednesday made another push for banning electronic voting machines that lack paper trails, but they’ve backed away from doing so in time for next year’s presidential election. Sen. Dianne Feinstein (D-Calif.), the chief sponsor of a contentious bill called the Ballot Integrity Act that proposes such changes, said she fears requiring all states to employ so-called voter-verified paper records in their systems, with some primaries only six months away, “could be an invitation to chaos.” Earlier this year, she called for enacting such changes by 2008. After listening to a rash of concerns about the bill’s approach at Wednesday’s hearing, Feinstein said it may be necessary to move any proposed deadline for a paper trail mandate “out a little farther.” Introduced just before the Memorial Day recess, Feinstein’s bill is co-sponsored by 10 Democrats - including presidential hopefuls Hillary Clinton, Barack Obama and Christopher Dodd - and Vermont Independent Bernie Sanders. Clinton made a brief appearance on Wednesday to make a pitch for “21st century reforms” to the nation’s voting system. In her view, that action includes requiring the use of voter-verified paper records that would serve as the official ballot of record, banning undisclosed e-voting software source code, and prohibiting wireless communications devices in voting systems. (A separate bill called the Count Every Vote Act, which she proposed earlier this year, also includes such steps.) Election watchdog groups and prominent computer scientists have long argued that paper ballots are one of the surest ways for voters to verify their intent was recorded, especially amid evidence that touch-screen machines are vulnerable to security flaws and glitches.
But election officials and some voting machine reviewers have argued paperless machines are not as flawed as their critics claim and that replacing them would be unduly time-consuming and expensive. http://news.com.com/2100-1014_3-6198789.html

**** RESOURCES ****
GAO REPORT: Cybercrime: Public and Private Entities Face Challenges in Addressing Cyber Threats (20 June 2007) - Cybercrime has significant economic impacts and threatens U.S. national security interests. Various studies and experts estimate the direct economic impact from cybercrime to be in the billions of dollars annually. The annual loss due to computer crime was estimated to be $67.2 billion for U.S. organizations, according to a 2005 FBI survey. In addition, there is continued concern about the threat that our adversaries, including nation-states and terrorists, pose to our national security. For example, intelligence officials have stated that nation-states and terrorists could conduct a coordinated cyber attack to seriously disrupt electric power distribution, air traffic control, and financial sectors. Also, according to FBI testimony, terrorist organizations have used cybercrime to raise money to fund their activities. Despite the estimated loss of money and information and known threats from adversaries, the precise impact of cybercrime is unknown because it is not always detected and reported (cybercrime reporting is discussed further in GAO’s challenges section). http://www.gao.gov/new.items/d07705.pdf

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuire Wood’s Technology & Business Articles of Note, http://tinyurl.com/ywsusp
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.

Friday, July 06, 2007

MIRLN -- Misc. IT Related Legal News [17 June - 7 July 2007; v10.09]

YOUTUBE - UTUBE SHOWDOWN STAYS ALIVE IN FEDERAL COURT (The Register, 12 June 2007) -- For the Universal Tube & Rollform Equipment Corporation, operator of uTube.com, its domain name means cash - and with a federal court’s recent refusal to dismiss the company’s suit against YouTube, the possibility of even more cash in the future. The company has operated uTube.com as a means to sell used pipe and tube mills and rollform machinery since 1996. After YouTube’s launch in 2005, the sleepy little Ohio website went from around 1,500 visitors a month to roughly 70,000 per day. The company alleges that this caused its web host’s servers to crash, which disrupted its business and sullied its reputation. It also claims that bandwidth overages bumped its hosting fees from $100 a month to $2,500. In true Midwestern fashion, the company made the best of a bad situation by adding a ringtone search engine to the site, as well as links to dating, insurance and gambling sites. These new features now pull in $1,000 a day or more, according to one report. In addition to capitalizing on the name confusion by hawking Internet crap, uTube has also sued YouTube in federal court. The company has asked for monetary damages, as well as injunctions to stop YouTube’s operation and for the court to transfer the YouTube.com domain to uTube. The judge hearing the case just dismissed a number of uTube’s complaints, but also refused to grant YouTube’s motion to dismiss the entire suit. The judge also gave uTube permission to amend its complaint to see if it can revive any of the dismissed causes of action. Specifically, the court said that uTube didn’t have a case for trespass to chattels, since some physical contact with an object must be involved for such a claim to go forward. Domain names aren’t physical objects, the court argued, and uTube used a third-party hosting service, so it couldn’t claim ownership in the computer equipment that crashed as a result of the influx of visitors. 
Moreover, the court continued, the visitors to the site were the ones that “violated” the site, so YouTube itself wouldn’t be liable even if there had been a trespass. The court also quickly dismissed one of uTube’s nuisance allegations, since nuisance claims must involve land, and uTube had not shown that a domain name, website, or host server somehow constitute real property in any way. http://www.theregister.co.uk/2007/06/12/youtube_utube_alive/

MYSPACE, FACEBOOK PRIVACY LIMITS TESTED IN EMOTIONAL DISTRESS SUIT (Law.com, 14 June 2007) -- The operators of MySpace and Facebook social networking sites assure their millions of subscribers that only designated “friends” can read registrants’ private postings. But do the postings stay private if the registrant becomes the plaintiff in an emotional distress case? Can the defendant get the texts of MySpace and Facebook messages to support a defense that the distress claim is bogus? And is the expectation of privacy by users of such sites higher than it is for customers of common e-mail providers such as Microsoft and Comcast? A New Jersey judge weighed those questions and gave a preliminary answer: Without a particularized showing that the texts are relevant, the plaintiff’s privacy interests prevail. http://www.law.com/jsp/article.jsp?id=1181725536838

FBI NABS THREE ‘BOT HERDERS’ (ComputerWorld, 14 June 2007) -- The FBI yesterday announced that its “Operation Bot Roast” anti-botnet sweep has so far identified more than 1 million hijacked personal computers and resulted in the arrest of three men charged with everything from spamming to infecting systems at several hospitals. The operation is an ongoing effort to disrupt the bot trade and identify botnet controllers, the FBI said at a news conference. “Bot” is the term for an infected personal computer. A “botnet” is a large number of hijacked PCs controlled by a hacker, called a “bot herder.” Botnets are used by spammers, criminals launching distributed-denial-of-service (DDoS) attacks and malware authors looking to spread their applications. “The majority of victims are not even aware that their computer has been compromised or their personal information exploited,” James Finch, FBI assistant director for the cyber division, said in a statement. With the help of the CERT Coordination Center at Carnegie Mellon University, the FBI is also trying to notify the owners of the million-plus victimized computers it has fingered as bots. “Through this process, the FBI may uncover additional incidents in which botnets have been used to facilitate other criminal activity,” the agency said. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9024720&source=rss_topic17

VA SETS ASIDE $20 MILLION TO HANDLE LATEST DATA BREACH (Gov’t Executive.com, 14 June 2007) -- The Veterans Affairs Department has set aside more than $20 million to respond to its latest data breach, the agency’s top technology officer said Thursday. The department does not expect to spend the full $20 million, but designated that much because the breach potentially puts the identities of nearly a million physicians and VA patients at risk, said Bob Howard, the department’s chief information officer. Howard spoke at The E-Gov Institute’s Government Health IT Conference and Exhibition in Washington. “We have no evidence that [information is at risk]. None whatsoever, but we don’t take the chance,” Howard said. “The attitude of the VA right now is if we think we’ve put anybody’s information at risk, then we need to step up to the plate and try to remedy that.” The breach occurred in January, when a hard drive went missing from a Birmingham, Ala., VA medical research facility. The drive contained highly sensitive information on nearly all U.S. physicians and medical data for more than a half million VA patients. Any physician who billed Medicaid and Medicare through 2004 could be affected. The hard drive has not been recovered. The VA estimates that about half of the 1.3 million doctors whose information was on the hard drive, and 254,000 veterans, are potentially at risk. This group was notified by mail at the end of May. The letters noted that VA is providing credit monitoring services through a General Services Administration blanket purchase agreement from the multiple award schedules program. http://www.govexec.com/story_page.cfm?articleid=37191&dcn=todaysnews

-- and --

FEDERAL INFO SECURITY ISN’T JUST ABOUT FISMA COMPLIANCE, AUDITOR SAYS (ComputerWorld, 14 June 2007) -- Despite some progress in recent years, most federal agencies still have significant gaps in their information security controls, according to Gregory Wilshusen, director of information security issues at the Government Accountability Office (GAO). In testimony last week before the House Committee on Oversight and Government Reform, Wilshusen said that continued security problems in several key areas -- including access control and configuration management -- pose a clear danger to the confidentiality, integrity and availability of critical government systems and data. In an interview, Wilshusen said the problem may have to do with the way agencies are dealing with the Federal Information Security Management Act (FISMA). Excerpts from that interview follow: What should federal agencies take away from your testimony? The key message to take away from my testimony last week is that agencies need to move away from mere compliance with the FISMA requirement and focus on effective security. One of the things we found is that while agencies are increasingly performing a number of different types of control activities on a greater percentage of their systems and personnel, many of these controls are not effectively implemented. What we got are information security reviews. For example, under FISMA agencies are reporting that an increasing number of their systems have been certified and accredited. For 2006, I think it increased up to 88% of all federal systems. But the IGs [inspectors general] at 10 of the agencies reported that the quality of the agency certification and accreditation process was either poor or failing. When we go out and conduct our security control reviews at federal agencies, we often find serious and significant vulnerabilities in systems that have been certified and accredited.
Part of it, I think, is just that agencies may be focusing on just trying to get the systems certified and accredited but not effectively implementing the processes that the certification and accreditation is supposed to reflect. Whether agencies are focusing on just performing those activities and taking more of a checklist approach in order to get a higher FISMA grade is one issue. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9024658

AVVO SUED OVER ITS LAWYER RANKINGS (Law.com, 18 June 2007) -- Avvo Corp. of Seattle, an Internet-based startup that “rates and profiles every lawyer so you can choose the right lawyer,” is facing a class action brought by those rankled by the rankings. The company, which ranks lawyers on a scale of one to 10, with the three lowest categories being “extreme caution,” “strong caution” and “caution,” has made for lively chatter in the legal blogosphere since it debuted last week -- and has upset lawyers slighted by its ratings. John Henry Browne, a Seattle criminal defense solo practitioner, said that the peer-reviewed Martindale-Hubbell lists him AV (legal abilities “very high to pre-eminent” and ethical standards “very high”), but Avvo originally assigned him a 3.7, or “caution.” The rank has since been increased to 5.2, or “average.” Browne said that attorney Steve W. Berman, managing partner of Hagens Berman Sobol Shapiro in Seattle, asked him to represent a class of lawyers who allege that the site does not do them justice. Berman, who filed the action Thursday in federal court in Seattle, called the rankings “unreliable and meaningless, misleading to a consumer trying to find a lawyer.” “A lawyer who was disbarred and dead has a higher ranking than the dean of Stanford Law School,” Berman said, adding that one of the owners has a higher ranking than his former law firm colleague who is going to be president of the American Bar Association. Avvo Chief Executive Mark Britton said that the company stands by the Avvo rating, “applied consistently and evenly to all attorneys.” Browne got a low rating because he was disciplined by the Washington State Bar, Britton said. Browne said he received an admonition in 2005 involving a contingency fee issue, noting that an admonition is not an infraction. He added that, in the same year, he got a pro bono award from the bar. Roy S. Ginsburg, a solo marketing ethics practitioner in Minneapolis, said he is watching this and a New Jersey case with interest. His clients include Super Lawyers magazine, which got into trouble in New Jersey for ranking lawyers. Last July, the New Jersey Supreme Court’s Committee on Attorney Advertising held marketing that mentions a lawyer’s selection as a “Super Lawyer” or a “Best Lawyer in America” violates ethics rules against misleading advertising by creating an unjustified expectation about results the lawyer could achieve. http://www.law.com/jsp/law/LawArticleFriendly.jsp?id=1181898353512

NOW AND THEN: MINORITIES AND MICHIGAN (InsideHigherEd, 19 June 2007) -- The percentage of African American, Hispanic and Native American students admitted to the University of Michigan Law School for next fall fell from 39.6 percent for those students whose applications were considered before enactment of a state law banning race-based preferences in December to 5.5 percent thereafter. While critics of affirmative action read the numbers as proof of the unfair impact of preferences based on race, advocates for affirmative action said the numbers were early indicators of just how damaging the law will be. http://insidehighered.com/news/2007/06/19/michigan

HIPAA AUDIT: THE 42 QUESTIONS HHS MIGHT ASK (Computerworld, 19 June 2007) -- In March, Atlanta’s Piedmont Hospital became the first institution in the country to be audited for compliance with the security rules of the Health Insurance Portability and Accountability Act (HIPAA). The audit was conducted by the office of the inspector general at the U.S. Department of Health and Human Services (HHS) and is being seen by some in the health care industry as a precursor of similar audits to come at other institutions. Neither Piedmont nor HHS officials have publicly confirmed the audit or spoken about it. That silence has sparked considerable curiosity about why Piedmont was targeted as well as the scope of the audit and the kind of information HHS was seeking. A document obtained by Computerworld from a reliable source indicates that Piedmont was presented with a list of 42 items that HHS officials wanted information on within 10 days. Specifically, Piedmont was asked to provide policies and procedures for * * * http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025253&source=rss_topic17

COURT UPHOLDS INJUNCTION AGAINST WARRANTLESS EMAIL SEIZURES (BNA’s Internet Law News, 19 June 2007) -- The 6th Circuit Court of Appeals has upheld a lower court’s injunction against secret warrantless seizures of email. This case was brought by Steven Warshak to stop the government’s repeated secret searches and seizures of his stored email using the federal Stored Communications Act (SCA). In a landmark ruling, the district court held that the SCA violates the Fourth Amendment by allowing secret, warrantless searches and seizures of email stored with a third party. Case name is Warshak v. USA. Decision at http://www.ca6.uscourts.gov/opinions.pdf/07a0225p-06.pdf

WHITE HOUSE AIDES’ E-MAIL RECORDS GONE (Washington Post, 19 June 2007) -- E-mail records are missing for 51 of the 88 White House officials who had electronic message accounts with the Republican National Committee, the House Oversight Committee said Monday. The Bush administration may have committed “extensive” violations of a law requiring that certain records be preserved, said the committee’s Democratic chairman, adding that the panel will deepen its probe into the use of political e-mail accounts. The committee’s interim report said the number of White House officials who had RNC e-mail accounts, and the number of messages they sent and received, were more extensive than previously realized. The administration has said that about 50 White House officials had RNC e-mail accounts during Bush’s presidency. But the House committee found at least 88. The RNC has preserved e-mails from some of the heaviest users, including 140,216 messages sent or received by Bush’s top political adviser in the White House, Karl Rove. However, “the RNC has preserved no e-mails for 51 officials,” said the interim report, issued by committee chairman Henry Waxman, D-Calif. The 51 include Ken Mehlman, a former White House political director who reportedly used his RNC account frequently, the report said. “Given the heavy reliance by White House officials on RNC e-mail accounts, the high rank of the White House officials involved, and the large quantity of missing e-mails,” the report said, “the potential violation of the Presidential Records Act may be extensive.” http://www.washingtonpost.com/wp-dyn/content/article/2007/06/18/AR2007061800876.html

FRENCH GOVERNMENT, FEARING U.S. SNOOPING, BANS BLACKBERRY USE BY OFFICIALS (SiliconValley.com, 20 June 2007) -- BlackBerry handhelds have been called addictive, invasive, wonderful - and now, a threat to French state secrets. That, at least, is the fear of French government defense experts, who have advised against their use by officials in France’s corridors of power, reportedly to avoid snooping by U.S. intelligence agencies. “It’s not a question of trust,” French lawmaker Pierre Lasbordes told The Associated Press. “We are friends with the Americans, the Anglo-Saxons, but it’s economic war.” Le Monde newspaper, which broke the story, described BlackBerry withdrawal among those who have given them up. “We feel that we are wasting huge amounts of time, having to relearn how to work in the old way,” the daily quoted a ministry office director as saying. E-mails sent from “Le BlackBerry” pass through servers in the United States and Britain, and France fears that makes the system vulnerable to snooping by the U.S. National Security Agency, Le Monde reported. The company that makes BlackBerrys, however, denies such spying is possible. http://www.siliconvalley.com/news/ci_6185447?nclick_check=1

RIAA EX PARTE DISCOVERY APPLICATION AGAINST UNIVERSITY OF NEW MEXICO DENIED (Recording Industry v. The People blog, 20 June 2007) -- The RIAA’s ex parte motion to compel the University of New Mexico to disclose the identities of its students has been denied, in the District Court of New Mexico, by Magistrate Judge Lorenzo F. Garcia, in Capitol v. Does 1-16. The Judge ruled that there was no reason for the motion to be ex parte, reasoning as follows: “Plaintiffs contend that unless the Court allows ex parte immediate discovery, they will be irreparably harmed. While the Court does not dispute that infringement of a copyright results in harm, it requires a Coleridgian “suspension of disbelief” to accept that the harm is irreparable, especially when monetary damages can cure any alleged violation. On the other hand, the harm related to disclosure of confidential information in a student or faculty member’s Internet files can be equally harmful. As the Plaintiffs do not presently know the identity of the Defendants, there is no reasonable way to ensure that those prospective Defendants are given notice or even an opportunity to respond in opposition to the request for disclosure. Rather, Plaintiffs seek to obtain information directly from the University of New Mexico. Plaintiffs propose that the University will be able to notify subscribers that a subpoena was served. However, the Court needs to ensure that subscribers actually receive notification and are given a reasonable opportunity to intervene in order to stop the disclosure of sensitive information. In any event, the Court[...] sees no need to act on an ex parte application. Rather, it would appear appropriate that Plaintiffs and the University of New Mexico confer on an appropriate process to ensure that, if a subpoena is served, the University not turn over information until it has given notice to individual subscribers that a subpoena has been issued and allow those subscribers to intervene in this proceeding to protect disclosure of sensitive information. Moreover, ex parte proceedings should be the exception, not the rule. Accordingly, the Court declines to grant Plaintiffs’ request for ex parte application.” http://recordingindustryvspeople.blogspot.com/2007/06/riaa-ex-parte-discovery-application.html and http://arstechnica.com/news.ars/post/20070620-judge-deals-blow-to-riaa-says-students-can-respond-to-john-doe-lawsuit.html

-- and --

UNIV. OF WASHINGTON TO FORWARD RIAA LEGAL NOTICES TO SUSPECTED STUDENT PIRATES (ComputerWorld, 28 June 2007) -- The University of Washington (UW) at Seattle this week became the latest educational institution in the U.S. to be pressured by the Recording Industry Association of America (RIAA) into notifying students about the potential legal consequences of illegal music sharing. The notice to students went out in a campuswide e-mail sent Monday by Eric Godfrey, vice provost for student life at UW. In the e-mail, Godfrey said that the university had been asked by the RIAA to forward letters on the association’s behalf to students it says have engaged in copyright violations. The letter, called an Early Settlement Letter, gives alleged copyright violators 20 days to pay anywhere from $3,000 to $5,000 to avoid being formally sued by the RIAA. Since it launched the campaign earlier this year, the RIAA has been sending similar letters to several other universities in the country. “The university has been notified by the RIAA that we will be receiving a number of these early settlement letters,” Godfrey said in his e-mail. “After careful consideration, we have decided to forward the letters to the alleged copyright violators.” Robert Roseth, UW’s director for news and information, said that a group of administrators and students met to discuss the situation after receiving the RIAA letters. “At this point, RIAA has Internet addresses where the alleged violations took place, that’s all,” he said. “The university is not taking steps to identify students -- that’s being done by the RIAA, presumably,” Roseth said. “The university is not turning anything over to RIAA -- not the names of students, not their contact information.” But once it receives the letters from the RIAA, the university will forward them to the students whose IP addresses match those cited in the letter. “By not forwarding the letters, the university could be criticized by those students for denying them one option in dealing with the claim that they had violated copyright law,” he said. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025847&source=NLT_PM&nlid=8

COURT RAMS HOME MESSAGE: TEMPORARY STORAGE MAY NOT BE SO TEMPORARY (Steptoe & Johnson’s E-Commerce Law Week, 21 June 2007) -- Data privacy and data retention are hot issues these days. While American and European legislatures and regulators wring their hands over how to balance the interests of privacy, law enforcement, and commercial imperatives, courts are not hesitating to step into the breach in unexpected ways. Last month, in Columbia Pictures Indus. v. Bunnell, a federal magistrate judge in California ordered TorrentSpy, a website that offers dot-torrent files for download by users, to preserve and produce information about users’ interaction with the site, even though this information is purposely not logged but only stored temporarily in the RAM of either the TorrentSpy server, located in the Netherlands, or of servers controlled by a third-party middleman, located around the world. The ruling was based on the Federal Rules of Civil Procedure, which require litigants to retain and produce “electronically stored information” relevant to a case. The court rejected the defendants’ various arguments for why retention and production should not be required – including costs, the website’s privacy policy, the Stored Communications Act (SCA), the Wiretap Act, the pen register statute, the First Amendment, the potential loss of users’ good will, and conflicts with Dutch data protection law. If this ruling becomes the norm in discovery, it could lead to much greater retention and production of communication records, website logs, and search terms during litigation. More broadly, if courts routinely order data retention during discovery, even where such retention is not part of a company’s normal business practices, the slope leading to a broad data retention mandate seems likely to get a lot more slippery. http://www.steptoe.com/publications-4575.html

NCAA ‘CLARIFIES’ RULE ON BLOGGERS (InsideHigherEd.com, 22 June 2007) -- The National Collegiate Athletic Association has issued what it is calling a clarification of its policy on blogging by reporters during championship games. Under the clarified policy, blogging about scores is permitted, and only “live play-by-play information” is banned (except of course by the press entities that have paid for broadcast rights). The NCAA has infuriated many bloggers and several news organizations in recent weeks by revoking press credentials for reporters blogging during games. In doing so, the NCAA said that blogging during games could cover “atmosphere, crowd and other details during a game but may not mention anything about game action.” The clarification said that “incorrect information” has been issued in response to the bloggers. It is unclear if the clarification will resolve the matter as some blogging organizations are asserting First Amendment rights. http://insidehighered.com/news/2007/06/22/qt Clarification at http://www.ncaa.org/wps/portal/%21ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4j3CQHJgFjGpvqRqCKOcAFvfV-P_NxU_QD9gtzQiHJHRUUAbGvNAw%21%21/delta/base64xml/L3dJdyEvUUd3QndNQSEvNElVRS82XzBfTFU%21?CONTENT_URL=http://www2.ncaa.org/portal/media_and_events/press

APPLE’S ITUNES WAS 3RD BIGGEST MUSIC RETAILER BY UNITS SOLD IN 1Q (SiliconValley.com, 22 June 2007) -- Apple Inc.’s iTunes online store was the third-largest overall music retailer in the United States, leapfrogging ahead of Amazon.com and Target Corp. in units sold, a market research firm said Friday. iTunes had a 9.8 percent market share in the first quarter, ranking behind Wal-Mart Stores Inc.’s 15.8 percent and Best Buy Co.’s 13.8 percent, according to The NPD Group. Online retailer Amazon.com’s share was 6.7 percent, slightly ahead of Target’s 6.6 percent, NPD said. The firm counted every 12 tracks purchased online as equivalent to an album in compact disc format, said Russ Crupnick, NPD’s vice president. http://www.siliconvalley.com/news/ci_6205926

NEW YORK LEGISLATORS KEEP E-VOTING SOFTWARE IN PUBLIC HANDS (ComputerWorld, 25 June 2007) -- With this year’s New York Senate and Assembly session now ended, local voting activists are chalking up a victory for the public at the expense of Microsoft Corp. and the e-voting industry. The activists had feared that Microsoft and a handful of e-voting device vendors would quietly weaken the state’s strict e-voting software escrow law before the current legislative session ended on Friday. Approved two years ago by the legislature (download PDF), the law requires voting system vendors to place all source code and other related software in escrow for the New York State Board of Elections so it can be examined as needed. The law also dictates that a voting system vendor waives all intellectual property and trade secret rights should the software need to be reviewed in court. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025618&source=NLT_AM&nlid=1

CDA IMMUNITY DOES NOT SHIELD EMPLOYER FROM LIABILITY FOR EMPLOYEES’ ONLINE ACTIVITY, COURT RULES (Steptoe & Johnson’s E-Commerce Law Week, 28 June 2007) -- As “provider[s]” of an “interactive computer service,” websites and ISPs can generally claim immunity under section 230(c)(1) of the Communications Decency Act (CDA) from suits based on content provided by a third party. Despite the statute’s apparently broad scope, however, a federal court in Tennessee recently held that the CDA does not immunize a company against a former employee’s claim that the company had created a “hostile work environment,” in violation of Title VII of the Civil Rights Act, by permitting her coworkers to view pornography on a workplace computer. In Avery v. Idleaire Technologies Corp., the defendant company moved for summary judgment, contending that section 230 “by its own terms ... prohibits any federal or state claim that seeks to hold an employer that provides computer systems to its employees for use on the job from being held liable based upon the content of the information ‘provided by another information content provider.’” The court rejected the company’s argument, noting only that it was “not aware of any federal case in the country that has applied this Act in such a manner” and pointing out that the company had “cite[d] no authority” supporting its position. In fact, at least one state court has gone the other way. Regardless, the Avery decision is another instance of what seems to be a nascent trend towards narrower interpretation of section 230’s protections. http://www.steptoe.com/publications-4602.html

MYSPACE WINS PRIVATE ACTION TESTING APPLICABILITY OF CAN-SPAM ACT WITHIN COMMUNITY WEBSITE (Wiley Rein, 29 June 2007) -- An unpublished opinion in a recent case involving the popular MySpace social networking website raises interesting questions about the availability of private lawsuits under the federal CAN-SPAM Act to website operators. MySpace, Inc. v. The Globe.com, Inc. (CV 06-3391-RGK (C.D. Cal. Feb. 27, 2007)). However, the litigation has now settled, so the district court decision will not receive appellate review, and its unpublished status may reduce its precedential value. Therefore, a final adjudication on these issues must await another case. The facts of the case were straightforward. The popular MySpace social networking site allows “members” to create personal profiles and exchange messages with others. MySpace sued TheGlobe.com for opening some 95 MySpace accounts fraudulently and using those accounts to send nearly 400,000 unsolicited marketing emails to other MySpace “members.” MySpace asserted violations of numerous provisions of the CAN-SPAM Act and California law, and sought liquidated damages based on the MySpace terms of service. In an unpublished opinion on cross motions for summary judgment, the District Court ruled in favor of MySpace on most issues, leaving one issue for trial. The parties recently settled on undisclosed terms. In the CAN-SPAM Act, Congress provided for private civil enforcement actions by a “provider of Internet access service” adversely affected by violations of the law. What is most interesting about the MySpace case is its holding that a community website has standing under this provision. The issue was squarely posed by the defendant’s contention that websites such as MySpace have no standing to bring such private actions under the CAN-SPAM Act, and that such actions are available only to email services providers (presumably such as America Online, which has filed a number of actions against spammers). http://www.wileyrein.com/publication_newsletters.cfm?ID=10&year=2007&publication_ID=13161&keyword=

PIRACY POLICE RAID HONEYWELL SITE (BBC, 29 June 2007) -- The British Phonographic Industry (BPI) is investigating allegations of an extensive illegal music filesharing ring at a Honeywell plant in Scotland. Investigators from the BPI raided the plant in Motherwell with police officers at 0840 BST yesterday morning. The investigators made copies of the contents of computers for detailed forensic analysis. Honeywell said that it was cooperating fully with both the police and the BPI over the investigation. The BPI says the raid follows a two-month investigation prompted by a tip-off from a Honeywell employee. The BPI said the information from the insider pointed to “thousands of music files being shared illegally”. This is the first time that the BPI has raided a business in pursuit of illegal music filesharing. Previous such raids have concentrated on domestic filesharing. http://news.bbc.co.uk/2/hi/business/6253874.stm

FREE SOFTWARE FOUNDATION RELEASES GPL 3 (CNET, 29 June 2007) -- After 18 months of sometimes inflamed debate, the Free Software Foundation on Friday released version 3 of the General Public License, a highly influential legal document that embodies the principles of the free- and open-source programming movement. The new license adjusts to software industry changes that have arisen in the 16 years since the foundation’s founder and president, Richard Stallman, released GPL 2. One of the biggest changes: the free- and open-source programming movement has been transformed from an academic, legal and philosophical curiosity to a powerful force in the commercial computing industry. Among those giving the new license a warm reception are IBM, dominant Linux sellers Red Hat and Novell, and open-source database seller MySQL. “GPL 3 code will be flowing from IBM...We’ll tell our customers we’re fine with it,” said Dan Frye, vice president of IBM open systems development. “As with any consensus process, you don’t get everything you asked for. But we got listened to. What came out is absolutely a commercially viable license.” The text of the new license can be read on a foundation Web page concerning GNU (Gnu’s Not Unix), the effort Stallman announced in 1983 to create an operating system similar to Unix but free of its proprietary software constraints. The Linux kernel project, governed by GPL 2, was grafted onto GNU, and the result has been an operating system that’s widely used on servers and strongly competitive with Microsoft Windows and Unix. http://news.com.com/2100-7344_3-6194139.html and http://arstechnica.com/news.ars/post/20070629-gpl-3-officially-released.html; License at http://www.gnu.org/

EU ALLOWS US TO HAVE UNPRECEDENTED ACCESS TO PERSONAL DATA (VNUnet.com, 29 June 2007) -- The European Union (EU) has reached an agreement to allow the US government unprecedented access to data on flight passengers and also banking details. The first of the new agreements allows the US to retain information about passengers travelling from Europe for up to 15 years and places no limitation on what US authorities are allowed to do with the data. Peter Hustinx, the European data protection supervisor - a watchdog role similar to that of the Information Commissioner in the UK - says the agreement could violate the rights of EU citizens, but Washington will allow European officials to visit the US and see how the data is used. The EU has also approved a deal setting conditions for the US treasury department to consult records of the international banking network Swift in anti-terror probes. ‘We agreed on Swift,’ said an EU diplomat. The agreement aims to allay European data privacy concerns over the US fight against terrorism. Under the deal data would be kept for a maximum of five years and the US can only use it for counter-terrorism purposes. http://www.vnunet.com/computing/news/2193144/eu-does-double-deal

UNDER NFL RULE, MEDIA WEB SITES ARE GIVEN JUST 45 SECONDS TO SCORE (Washington Post, 30 June 2007) -- Thanks to a new NFL policy, something will soon be in short supply on news-media Web sites: video of almost anything related to the NFL or its players. In a move designed to protect the Internet operations of its 32 teams, the pro football league has told news organizations that it will no longer permit them to carry unlimited online video clips of players, coaches or other officials, including video that the news organizations gather themselves on a team’s premises. News organizations can post no more than 45 seconds per day of video shot at a team’s facilities, including news conferences, interviews and practice-field reports. The policy, announced last month with little fanfare, has frustrated journalists, who say it constricts the public’s access to information about the nation’s most popular spectator sport. A coalition of news organizations has been quietly lobbying the league for months to change the rule. http://www.washingtonpost.com/wp-dyn/content/article/2007/06/29/AR2007062902187.html?hpid=topnews

AT&T OFFERS FREE WI-FI FOR SELECT CUSTOMERS (Information Week, 2 July 2007) -- Looks like telecom carriers are warming up to the idea of Wi-Fi as an alternate way for subscribers to connect to the mobile Internet. AT&T on Monday began offering free access to its nationwide Wi-Fi network. AT&T said subscribers with higher-speed broadband plans can now get access to about 10,000 Wi-Fi hotspots at different locations across the United States, including airports, McDonald’s restaurants, Barnes & Noble bookstores, coffee shops, and sporting venues. “Providing customers with more high-speed access in more places also gives us a competitive edge because we’re able to offer an on-the-go broadband experience that cable can’t match,” said Rick Welday, chief marketing officer of AT&T’s consumer division, in a statement. There’s a catch, however. Residential and small business broadband subscribers have to have one of the following broadband packages to qualify for the free service: AT&T Yahoo High Speed Internet Pro, AT&T Yahoo High Speed Internet Elite, FastAccess Xtreme, or FastAccess Xtreme 6.0. The major U.S. telecom carriers have been reluctant to offer Wi-Fi support -- both through Wi-Fi hotspots and built-in Wi-Fi technology in phones -- for fear that it will cannibalize their cellular business. In 2005, Verizon Wireless pulled the plug on its free Wi-Fi Internet service offered in New York City. Instead the carrier decided to focus on building out its third-generation (3G) cellular network based on technology called EV-DO. http://www.informationweek.com/management/showArticle.jhtml?articleID=200001927&articleID=200001927

BSA RAISES REWARD TO $1 MILLION FOR REPORTS OF PIRACY (Computerworld, 2 July 2007) -- The Business Software Alliance (BSA) has temporarily raised the reward that’s part of a controversial program encouraging people to report software piracy from $200,000 to $1 million, the trade group announced Monday. The BSA, representing large software vendors such as Microsoft Corp., Apple Inc. and IBM Corp., will pay the sum for accurate reports of software copyright infringement between now and Oct. 2, the trade group said. There are some restrictions on the reward payments. The BSA has also launched a national radio and Internet advertising campaign titled, “blow the whistle.” The trade group will also target several states, including California, Texas, Illinois, New York and Florida over the next year. Since the BSA launched its Rewards program in the U.S. in late 2005, it has reached settlements with hundreds of companies, bringing in nearly $22 million. The retail value of software pirated in the U.S. during 2006 was $7.3 billion, according to a study from IDC. The new reward shows BSA’s commitment to fighting software piracy, the trade group said. “Businesses often have a million excuses for having unlicensed software on office computers,” Jenny Blank, BSA’s director of enforcement, said in a statement. “BSA is now offering up to a million dollars for employees who turn them in.” Businesses caught with unlicensed software can pay up to $150,000 per violation. Critics of the program say it encourages disgruntled former employees to snitch on companies. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9026060&source=rss_news10

COURT UPHOLDS RULING VS. PUBLISHER (SiliconValley.com, 4 July 2007) -- Credit card companies that process payments for Internet pirates are not liable for copyright infringement, a federal appeals court ruled Tuesday. The 9th U.S. Circuit Court of Appeals in San Francisco decided that a judge in San Jose was right in dismissing a lawsuit brought by a publisher in Beverly Hills against Visa International, MasterCard and other financial companies. The 2-1 decision found that Perfect 10, a publisher of adult magazines and Web sites, failed to prove that credit card providers were liable because the financial companies played no role in helping people find or download the infringing images. The decision dealt a setback to Perfect 10’s efforts to cripple Web sites that sell access to its erotic photographs without permission. The company said it would request a new hearing by a larger panel of appeals court judges. A majority of the three-judge panel found it a stretch that such peripherally involved third parties could be liable for copyright infringement. If credit card companies were found to contribute to infringement, so might computer makers, software companies and even utility companies. “The electric companies should be liable far faster than Visa and MasterCard,” Andrew P. Bridges, the San Francisco attorney who represented Visa and MasterCard, said facetiously. “Hey, it takes electrons to fire up computer servers to actually engage in the infringement.” http://www.siliconvalley.com/news/ci_6295736 Decision at http://caselaw.findlaw.com/data2/circs/9th/0515170P.pdf

-- but --

COURT HOLDS BELGIAN ISP RESPONSIBLE FOR FILE-SHARING (Macworld, 5 July 2007) -- A court has ruled that the Belgian ISP Scarlet Extended SA is responsible for blocking illegal file-sharing on its network, setting a precedent that could affect other ISPs in Europe, according to a recording industry group. Belgium’s Court of First Instance has given the Internet service provider six months to install technology to prevent its customers from sharing pirated music and video files, the International Federation of the Phonographic Industry said. If it fails to do so it will be fined €2,500 (US$3,400) per day, according to the ruling, published June 29. The music industry has long sought to hold ISPs responsible for illegal file-sharing on their networks, although in the U.S. it has been largely unsuccessful. ISPs have argued that they provide a service like a post office or a telephone company, and shouldn’t be required to police the traffic on their networks. The Brussels ruling is based on Belgium’s interpretation of the European Union’s Information Society Directive, often called the E.U. copyright directive, and as such could set a precedent for other cases in Europe, the IFPI said. http://www.macworld.com/news/2007/07/05/filesxharing/index.php

FRENCH COURT PERMITS PEEPING ON P2P USERS’ IP ADDRESSES (Steptoe & Johnson’s E-Commerce Law Week, 5 July 2007) -- In 2005, we reported that the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), had barred four music industry groups -- including the Société des Auteurs, Compositeurs et Editeurs de Musique (SACEM), and the Société Civile des Producteurs de Phonogrammes en France (SPPF) -- from using automated monitoring of users of P2P file sharing systems in their fight against piracy. Last month, France’s highest court of appeal for administrative decisions, the Conseil d’Etat, largely overturned this ruling, concluding that the groups’ request to automatically track downloads of the 10,000 most popular songs in their combined catalogs would further legitimate anti-piracy interests that outweigh associated privacy concerns. In response to the Conseil d’Etat’s ruling, the CNIL restated its commitment to guaranteeing “the right balance between the protection of author’s rights and of the private life of Internet users,” and indicated that it will seek to rebuild a “constructive relationship” with the music industry groups. Although we would like to take this spirit of compromise at face value, we certainly don’t expect the court’s decision to end the battles between the music industry and privacy interests over P2P file sharing in Europe -- where the law is generally less favorable to disclosure of subscriber information than it is in the United States. http://www.steptoe.com/publications-4613.html

GAO: CONNECTING DATA BREACHES, ID THEFTS IS DIFFICULT (SiliconValley.com, 5 July 2007) -- Personal information about Americans is stolen or lost from some government or private computer almost daily, but congressional auditors can link only a few identity thefts to the breaches. That’s primarily because links are so hard to find that nobody knows how frequently security lapses lead to fraud, the Government Accountability Office said Thursday. “No comprehensive data are available on the consequences of data breaches” from law enforcement agencies, industry and trade associations, consumer groups or privacy advocates, according to GAO, which is Congress’ auditing arm. At the federal level, investigators questioned the FBI, Secret Service, U.S. Postal Inspection Service, and Immigration and Customs Enforcement. “Representatives of all these agencies told us that their investigations of data breaches do not typically allow them to fully ascertain how stolen data are used,” the GAO said. “Similarly, they noted that investigations of identity theft do not always reveal the source of the data used to commit the crime.” GAO looked at 24 of the largest reported breaches between January 2000 and June 2005 in state governments, colleges and universities, retailers, medical facilities, and financial and information services companies. Compromised data was used to open unauthorized new accounts in one case and to commit fraud on existing accounts in three cases. There wasn’t information to tell if harm resulted in two cases. In 18 cases, no identity thefts could be attributed to the breaches. Victim company representatives said sometimes they could tell no unauthorized person had looked at the data. But in other instances where they were not aware of any fraud, “they acknowledged that there was no way to know for sure,” GAO said. http://www.siliconvalley.com/news/ci_6306043 Report at http://www.gao.gov/new.items/d07737.pdf

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuire Wood’s Technology & Business Articles of Note, http://tinyurl.com/ywsusp
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.