Friday, July 06, 2007

MIRLN -- Misc. IT Related Legal News [17 June - 7 July 2007; v10.09]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of the American Bar Association’s Cyberspace Law Committee and Dickinson Wright PLLC. Dickinson Wright’s IT & Security Law practice group is described at http://tinyurl.com/joo5y.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.abanet.org/dch/committee.cfm?com=CL320000 (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley (vpolley@REMOVETHISSTRINGvip-law.com) with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at www.vip-law.com and blogged at http://mirln.blogspot.com/.

**************End of Introductory Note***************

YOUTUBE - UTUBE SHOWDOWN STAYS ALIVE IN FEDERAL COURT (The Register, 12 June 2007) -- For the Universal Tube & Rollform Equipment Corporation, operator of uTube.com, its domain name means cash - and with a federal court’s recent refusal to dismiss the company’s suit against YouTube, the possibility of even more cash in the future. The company has operated uTube.com as a means to sell used pipe and tube mills and rollform machinery since 1996. After YouTube’s launch in 2005, the sleepy little Ohio website went from around 1,500 visitors a month to roughly 70,000 per day. The company alleges that this caused its web host’s servers to crash, which disrupted its business and sullied its reputation. It also claims that bandwidth overages bumped its hosting fees from $100 a month to $2,500. In true Midwestern fashion, the company made the best of a bad situation by adding a ringtone search engine to the site, as well as links to dating, insurance and gambling sites. These new features now pull in $1,000 a day or more, according to one report. In addition to capitalizing on the name confusion by hawking Internet crap, uTube has also sued YouTube in federal court. The company has asked for monetary damages, as well as injunctions to stop YouTube’s operation and for the court to transfer the YouTube.com domain to uTube. The judge hearing the case just dismissed a number of uTube’s complaints, but also refused to grant YouTube’s motion to dismiss the entire suit. The judge also gave uTube permission to amend its complaint to see if it can revive any of the dismissed causes of action. Specifically, the court said that uTube didn’t have a case for trespass to chattels, since some physical contact with an object must be involved for such a claim to go forward. Domain names aren’t physical objects, the court argued, and uTube used a third-party hosting service, so it couldn’t claim ownership in the computer equipment that crashed as a result of the influx of visitors. Moreover, the court continued, the visitors to the site were the ones that “violated” the site, so YouTube itself wouldn’t be liable even if there had been a trespass. The court also quickly dismissed one of uTube’s nuisance allegations, since nuisance claims must involve land, and uTube had not shown that a domain name, website, or host server somehow constitute real property in any way. http://www.theregister.co.uk/2007/06/12/youtube_utube_alive/

MYSPACE, FACEBOOK PRIVACY LIMITS TESTED IN EMOTIONAL DISTRESS SUIT (Law.com, 14 June 2007) -- The operators of MySpace and Facebook social networking sites assure their millions of subscribers that only designated “friends” can read registrants’ private postings. But do the postings stay private if the registrant becomes the plaintiff in an emotional distress case? Can the defendant get the texts of MySpace and Facebook messages to support a defense that the distress claim is bogus? And is the expectation of privacy by users of such sites higher than it is for customers of common e-mail providers such as Microsoft and Comcast? A New Jersey judge weighed those questions and gave a preliminary answer: Without a particularized showing that the texts are relevant, the plaintiff’s privacy interests prevail. http://www.law.com/jsp/article.jsp?id=1181725536838

FBI NABS THREE ‘BOT HERDERS’ (ComputerWorld, 14 June 2007) -- The FBI yesterday announced that its “Operation Bot Roast” anti-botnet sweep has so far identified more than 1 million hijacked personal computers and resulted in the arrest of three men charged with everything from spamming to infecting systems at several hospitals. The operation is an ongoing effort to disrupt the bot trade and identify botnet controllers, the FBI said at a news conference. “Bot” is the term for an infected personal computer. A “botnet” is a large number of hijacked PCs controlled by a hacker, called a “bot herder.” Botnets are used by spammers, criminals launching distributed-denial-of-service (DDoS) attacks and malware authors looking to spread their applications. “The majority of victims are not even aware that their computer has been compromised or their personal information exploited,” James Finch, FBI assistant director for the cyber division, said in a statement. With the help of the CERT Coordination Center at Carnegie Mellon University, the FBI is also trying to notify the owners of the million-plus victimized computers it has fingered as bots. “Through this process, the FBI may uncover additional incidents in which botnets have been used to facilitate other criminal activity,” the agency said. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9024720&source=rss_topic17

VA SETS ASIDE $20 MILLION TO HANDLE LATEST DATA BREACH (Gov’t Executive.com, 14 June 2007) -- The Veterans Affairs Department has set aside more than $20 million to respond to its latest data breach, the agency’s top technology officer said Thursday. The department does not expect to spend the full $20 million, but designated that much because the breach potentially puts the identities of nearly a million physicians and VA patients at risk, said Bob Howard, the department’s chief information officer. Howard spoke at The E-Gov Institute’s Government Health IT Conference and Exhibition in Washington. “We have no evidence that [information is at risk]. None whatsoever, but we don’t take the chance,” Howard said. “The attitude of the VA right now is if we think we’ve put anybody’s information at risk, then we need to step up to the plate and try to remedy that.” The breach occurred in January, when a hard drive went missing from a Birmingham, Ala., VA medical research facility. The drive contained highly sensitive information on nearly all U.S. physicians and medical data for more than a half million VA patients. Any physician who billed Medicaid and Medicare through 2004 could be affected. The hard drive has not been recovered. The VA estimates that about half of the 1.3 million doctors whose information was on the hard drive, and 254,000 veterans, are potentially at risk. This group was notified by mail at the end of May. The letters noted that VA is providing credit monitoring services through a General Services Administration blanket purchase agreement from the multiple award schedules program. http://www.govexec.com/story_page.cfm?articleid=37191&dcn=todaysnews

-- and --

FEDERAL INFO SECURITY ISN’T JUST ABOUT FISMA COMPLIANCE, AUDITOR SAYS (ComputerWorld, 14 June 2007) -- Despite some progress in recent years, most federal agencies still have significant gaps in their information security controls, according to Gregory Wilshusen, director of information security issues at the Government Accountability Office (GAO). In testimony last week before the House Committee on Oversight and Government Reform, Wilshusen said that continued security problems in several key areas -- including access control and configuration management -- pose a clear danger to the confidentiality, integrity and availability of critical government systems and data. In an interview, Wilshusen said the problem may have to do with the way agencies are dealing with the Federal Information Security Management Act (FISMA). Excerpts from that interview follow: What should federal agencies take away from your testimony? The key message to take away from my testimony last week is that agencies need to move away from mere compliance with the FISMA requirement and focus on effective security. One of the things we found is that while agencies are increasingly performing a number of different types of control activities on a greater percentage of their systems and personnel, many of these controls are not effectively implemented. What we got are information security reviews. For example, under FISMA agencies are reporting that an increasing number of their systems have been certified and accredited. For 2006, I think it increased up to 88% of all federal systems. But the IGs [inspectors general] at 10 of the agencies reported that the quality of the agency certification and accreditation process was either poor or failing. When we go out and conduct our security control reviews at federal agencies, we often find serious and significant vulnerabilities in systems that have been certified and accredited. Part of it, I think, is just that agencies may be focusing on just trying to get the systems certified and accredited but not effectively implementing the processes that the certification and accreditation is supposed to reflect. Whether agencies are focusing on just performing those activities and taking more of a checklist approach in order to get a higher FISMA grade is one issue. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9024658

AVVO SUED OVER ITS LAWYER RANKINGS (Law.com, 18 June 2007) -- Avvo Corp. of Seattle, an Internet-based startup that “rates and profiles every lawyer so you can choose the right lawyer,” is facing a class action brought by those rankled by the rankings. The company, which ranks lawyers on a scale of one to 10, with the three lowest categories being “extreme caution,” “strong caution” and “caution,” has made for lively chatter in the legal blogosphere since it debuted last week -- and has upset lawyers slighted by its ratings. John Henry Browne, a Seattle criminal defense solo practitioner, said that the peer-reviewed Martindale-Hubbell lists him AV (legal abilities “very high to pre-eminent” and ethical standards “very high”), but Avvo originally assigned him a 3.7, or “caution.” The rank has since been increased to 5.2, or “average.” Browne said that attorney Steve W. Berman, managing partner of Hagens Berman Sobol Shapiro in Seattle, asked him to represent a class of lawyers who allege that the site does not do them justice. Berman, who filed the action Thursday in federal court in Seattle, called the rankings “unreliable and meaningless, misleading to a consumer trying to find a lawyer.” “A lawyer who was disbarred and dead has a higher ranking than the dean of Stanford Law School,” Berman said, adding that one of the owners has a higher ranking than his former law firm colleague who is going to be president of the American Bar Association. Avvo Chief Executive Mark Britton said that the company stands by the Avvo rating, “applied consistently and evenly to all attorneys.” Browne got a low rating because he was disciplined by the Washington State Bar, Britton said. Browne said he received an admonition in 2005 involving a contingency fee issue, noting that an admonition is not an infraction. He added that, in the same year, he got a pro bono award from the bar. Roy S. Ginsburg, a solo marketing ethics practitioner in Minneapolis, said he is watching this and a New Jersey case with interest. His clients include Super Lawyers magazine, which got into trouble in New Jersey for ranking lawyers. Last July, the New Jersey Supreme Court’s Committee on Attorney Advertising held marketing that mentions a lawyer’s selection as a “Super Lawyer” or a “Best Lawyer in America” violates ethics rules against misleading advertising by creating an unjustified expectation about results the lawyer could achieve. http://www.law.com/jsp/law/LawArticleFriendly.jsp?id=1181898353512

NOW AND THEN: MINORITIES AND MICHIGAN (InsideHigherEd, 19 June 2007) -- The percentage of African American, Hispanic and Native American students admitted to the University of Michigan Law School for next fall fell from 39.6 percent for those students whose applications were considered before enactment of a state law banning race-based preferences in December to 5.5 percent thereafter. While critics of affirmative action read the numbers as proof of the unfair impact of preferences based on race, advocates for affirmative action said the numbers were early indicators of just how damaging the law will be. http://insidehighered.com/news/2007/06/19/michigan

HIPAA AUDIT: THE 42 QUESTIONS HHS MIGHT ASK (Computerworld, 19 June 2007) -- In March, Atlanta’s Piedmont Hospital became the first institution in the country to be audited for compliance with the security rules of the Health Insurance Portability and Accountability Act (HIPAA). The audit was conducted by the office of the inspector general at the U.S. Department of Health and Human Services (HHS) and is being seen by some in the health care industry as a precursor of similar audits to come at other institutions. Neither Piedmont nor HHS officials have publicly confirmed the audit or spoken about it. That silence has sparked considerable curiosity about why Piedmont was targeted as well as the scope of the audit and the kind of information HHS was seeking. A document obtained by Computerworld from a reliable source indicates that Piedmont was presented with a list of 42 items that HHS officials wanted information on within 10 days. Specifically, Piedmont was asked to provide policies and procedures for * * * http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025253&source=rss_topic17

COURT UPHOLDS INJUNCTION AGAINST WARRANTLESS EMAIL SEIZURES (BNA’s Internet Law News, 19 June 2007) -- The 6th Circuit Court of Appeals has upheld a lower court’s injunction against secret warrantless seizures of email. This case was brought by Steven Warshak to stop the government’s repeated secret searches and seizures of his stored email using the federal Stored Communications Act (SCA). In a landmark ruling, the district court held that the SCA violates the Fourth Amendment by allowing secret, warrantless searches and seizures of email stored with a third party. Case name is Warshak v. USA. Decision at http://www.ca6.uscourts.gov/opinions.pdf/07a0225p-06.pdf

WHITE HOUSE AIDES’ E-MAIL RECORDS GONE (Washington Post, 19 June 2007) -- E-mail records are missing for 51 of the 88 White House officials who had electronic message accounts with the Republican National Committee, the House Oversight Committee said Monday. The Bush administration may have committed “extensive” violations of a law requiring that certain records be preserved, said the committee’s Democratic chairman, adding that the panel will deepen its probe into the use of political e-mail accounts. The committee’s interim report said the number of White House officials who had RNC e-mail accounts, and the number of messages they sent and received, were more extensive than previously realized. The administration has said that about 50 White House officials had RNC e-mail accounts during Bush’s presidency. But the House committee found at least 88. The RNC has preserved e-mails from some of the heaviest users, including 140,216 messages sent or received by Bush’s top political adviser in the White House, Karl Rove. However, “the RNC has preserved no e-mails for 51 officials,” said the interim report, issued by committee chairman Henry Waxman, D-Calif. The 51 include Ken Mehlman, a former White House political director who reportedly used his RNC account frequently, the report said. “Given the heavy reliance by White House officials on RNC e-mail accounts, the high rank of the White House officials involved, and the large quantity of missing e-mails,” the report said, “the potential violation of the Presidential Records Act may be extensive.” http://www.washingtonpost.com/wp-dyn/content/article/2007/06/18/AR2007061800876.html

FRENCH GOVERNMENT, FEARING U.S. SNOOPING, BANS BLACKBERRY USE BY OFFICIALS (SiliconValley.com, 20 June 2007) -- BlackBerry handhelds have been called addictive, invasive, wonderful - and now, a threat to French state secrets. That, at least, is the fear of French government defense experts, who have advised against their use by officials in France’s corridors of power, reportedly to avoid snooping by U.S. intelligence agencies. “It’s not a question of trust,” French lawmaker Pierre Lasbordes told The Associated Press. “We are friends with the Americans, the Anglo-Saxons, but it’s economic war.” Le Monde newspaper, which broke the story, described BlackBerry withdrawal among those who have given them up. “We feel that we are wasting huge amounts of time, having to relearn how to work in the old way,” the daily quoted a ministry office director as saying. E-mails sent from “Le BlackBerry” pass through servers in the United States and Britain, and France fears that makes the system vulnerable to snooping by the U.S. National Security Agency, Le Monde reported. The company that makes BlackBerrys, however, denies such spying is possible. http://www.siliconvalley.com/news/ci_6185447?nclick_check=1

RIAA EX PARTE DISCOVERY APPLICATION AGAINST UNIVERSITY OF NEW MEXICO DENIED (Recording Industry v. The People blog, 20 June 2007) -- The RIAA’s ex parte motion to compel the University of New Mexico to disclose the identities of its students has been denied, in the District Court of New Mexico, by Magistrate Judge Lorenzo F. Garcia, in Capitol v. Does 1-16. The Judge ruled that there was no reason for the motion to be ex parte, reasoning as follows: “Plaintiffs contend that unless the Court allows ex parte immediate discovery, they will be irreparably harmed. While the Court does not dispute that infringement of a copyright results in harm, it requires a Coleridgian “suspension of disbelief” to accept that the harm is irreparable, especially when monetary damages can cure any alleged violation. On the other hand, the harm related to disclosure of confidential information in a student or faculty member’s Internet files can be equally harmful. As the Plaintiffs do not presently know the identity of the Defendants, there is no reasonable way to ensure that those prospective Defendants are given notice or even an opportunity to respond in opposition to the request for disclosure. Rather, Plaintiffs seek to obtain information directly from the University of New Mexico. Plaintiffs propose that the University will be able to notify subscribers that a subpoena was served. However, the Court needs to ensure that subscribers actually receive notification and are given a reasonable opportunity to intervene in order to stop the disclosure of sensitive information. In any event, the Court[...] sees no need to act on an ex parte application. Rather, it would appear appropriate that Plaintiffs and the University of New Mexico confer on an appropriate process to ensure that, if a subpoena is served, the University not turn over information until it has given notice to individual subscribers that a subpoena has been issued and allow those subscribers to intervene in this proceeding to protect disclosure of sensitive information. Moreover, ex parte proceedings should be the exception, not the rule. Accordingly, the Court declines to grant Plaintiffs’ request for ex parte application.” http://recordingindustryvspeople.blogspot.com/2007/06/riaa-ex-parte-discovery-application.html and http://arstechnica.com/news.ars/post/20070620-judge-deals-blow-to-riaa-says-students-can-respond-to-john-doe-lawsuit.html

-- and --

UNIV. OF WASHINGTON TO FORWARD RIAA LEGAL NOTICES TO SUSPECTED STUDENT PIRATES (ComputerWorld, 28 June 2007) -- The University of Washington (UW) at Seattle this week became the latest educational institution in the U.S. to be pressured by the Recording Industry Association of America (RIAA) into notifying students about the potential legal consequences of illegal music sharing. The notice to students went out in a campuswide e-mail sent Monday by Eric Godfrey, vice provost for student life at UW. In the e-mail, Godfrey said that the university had been asked by the RIAA to forward letters on the association’s behalf to students it says have engaged in copyright violations. The letter, called an Early Settlement Letter, gives alleged copyright violators 20 days to pay anywhere from $3,000 to $5,000 to avoid being formally sued by the RIAA. Since it launched the campaign earlier this year, the RIAA has been sending similar letters to several other universities in the country. “The university has been notified by the RIAA that we will be receiving a number of these early settlement letters,” Godfrey said in his e-mail. “After careful consideration, we have decided to forward the letters to the alleged copyright violators.” Robert Roseth, UW’s director for news and information, said that a group of administrators and students met to discuss the situation after receiving the RIAA letters. “At this point, RIAA has Internet addresses where the alleged violations took place, that’s all,” he said. “The university is not taking steps to identify students -- that’s being done by the RIAA, presumably,” Roseth said. “The university is not turning anything over to RIAA -- not the names of students, not their contact information.” But once it receives the letters from the RIAA, the university will forward them to the students whose IP addresses match those cited in the letter. “By not forwarding the letters, the university could be criticized by those students for denying them one option in dealing with the claim that they had violated copyright law,” he said. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025847&source=NLT_PM&nlid=8

COURT RAMS HOME MESSAGE: TEMPORARY STORAGE MAY NOT BE SO TEMPORARY (Steptoe & Johnson’s E-Commerce Law Week, 21 June 2007) -- Data privacy and data retention are hot issues these days. While American and European legislatures and regulators wring their hands over how to balance the interests of privacy, law enforcement, and commercial imperatives, courts are not hesitating to step into the breach in unexpected ways. Last month, in Columbia Pictures Indus. v. Bunnell, a federal magistrate judge in California ordered TorrentSpy, a website that offers dot-torrent files for download by users, to preserve and produce information about users’ interaction with the site, even though this information is purposely not logged but only stored temporarily in the RAM of either the TorrentSpy server, located in the Netherlands, or of servers controlled by a third-party middleman, located around the world. The ruling was based on the Federal Rules of Civil Procedure, which require litigants to retain and produce “electronically stored information” relevant to a case. The court rejected the defendants’ various arguments for why retention and production should not be required – including costs, the website’s privacy policy, the Stored Communications Act (SCA), the Wiretap Act, the pen register statute, the First Amendment, the potential loss of users’ good will, and conflicts with Dutch data protection law. If this ruling becomes the norm in discovery, it could lead to much greater retention and production of communication records, website logs, and search terms during litigation. More broadly, if courts routinely order data retention during discovery, even where such retention is not part of a company’s normal business practices, the slope leading to a broad data retention mandate seems likely to get a lot more slippery. http://www.steptoe.com/publications-4575.html

NCAA ‘CLARIFIES’ RULE ON BLOGGERS (InsideHigherEd.com, 22 June 2007) -- The National Collegiate Athletic Association has issued what it is calling a clarification of its policy on blogging by reporters during championship games. Under the clarified policy, blogging about scores is permitted, and only “live play-by-play information” is banned (except of course by the press entities that have paid for broadcast rights). The NCAA has infuriated many bloggers and several news organizations in recent weeks by revoking press credentials for reporters blogging during games. In doing so, the NCAA said that blogging during games could cover “atmosphere, crowd and other details during a game but may not mention anything about game action.” The clarification said that “incorrect information” has been issued in response to the bloggers. It is unclear if the clarification will resolve the matter as some blogging organizations are asserting First Amendment rights. http://insidehighered.com/news/2007/06/22/qt Clarification at http://www.ncaa.org/wps/portal/%21ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4j3CQHJgFjGpvqRqCKOcAFvfV-P_NxU_QD9gtzQiHJHRUUAbGvNAw%21%21/delta/base64xml/L3dJdyEvUUd3QndNQSEvNElVRS82XzBfTFU%21?CONTENT_URL=http://www2.ncaa.org/portal/media_and_events/press

APPLE’S ITUNES WAS 3RD BIGGEST MUSIC RETAILER BY UNITS SOLD IN 1Q (SiliconValley.com, 22 June 2007) -- Apple Inc.’s iTunes online store was the third-largest overall music retailer in the United States, leapfrogging ahead of Amazon.com and Target Corp. in units sold, a market research firm said Friday. ITunes had a 9.8 percent market share in the first quarter, ranking behind Wal-Mart Stores Inc.’s 15.8 percent and Best Buy Co.’s 13.8 percent, according to The NPD Group. Online retailer Amazon.com’s share was 6.7 percent, slightly ahead of Target’s 6.6 percent, NPD said. The firm counted every 12 tracks purchased online as equivalent to an album in compact disc format, said Russ Crupnick, NPD’s vice president. http://www.siliconvalley.com/news/ci_6205926

NEW YORK LEGISLATORS KEEP E-VOTING SOFTWARE IN PUBLIC HANDS (ComputerWorld, 25 June 2007) -- With this year’s New York Senate and Assembly session now ended, local voting activists are chalking up a victory for the public at the expense of Microsoft Corp. and the e-voting industry. The activists had feared that Microsoft and a handful of e-voting device vendors would quietly weaken the state’s strict e-voting software escrow law before the current legislative session ended on Friday. Approved two years ago by the legislature, the law requires voting system vendors to place all source code and other related software in escrow for the New York State Board of Elections so it can be examined as needed. The law also dictates that a voting system vendor waives all intellectual property and trade secret rights should the software need to be reviewed in court. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025618&source=NLT_AM&nlid=1

CDA IMMUNITY DOES NOT SHIELD EMPLOYER FROM LIABILITY FOR EMPLOYEES’ ONLINE ACTIVITY, COURT RULES (Steptoe & Johnson’s E-Commerce Law Week, 28 June 2007) -- As “provider[s]” of an “interactive computer service,” websites and ISPs can generally claim immunity under section 230(c)(1) of the Communications Decency Act (CDA) from suits based on content provided by a third party. Despite the statute’s apparently broad scope, however, a federal court in Tennessee recently held that the CDA does not immunize a company against a former employee’s claim that the company had created a “hostile work environment,” in violation of Title VII of the Civil Rights Act, by permitting her coworkers to view pornography on a workplace computer. In Avery v. Idleaire Technologies Corp., the defendant company moved for summary judgment, contending that section 230 “by its own terms ... prohibits any federal or state claim that seeks to hold an employer that provides computer systems to its employees for use on the job from being held liable based upon the content of the information ‘provided by another information content provider.’” The court rejected the company’s argument, noting only that it was “not aware of any federal case in the country that has applied this Act in such a manner” and pointing out that the company had “cite[d] no authority” supporting its position. In fact, at least one state court has gone the other way. Regardless, the Avery decision is another instance of what seems to be a nascent trend towards narrower interpretation of section 230’s protections. http://www.steptoe.com/publications-4602.html

MYSPACE WINS PRIVATE ACTION TESTING APPLICABILITY OF CAN-SPAM ACT WITHIN COMMUNITY WEBSITE (Wiley Rein, 29 June 2007) -- An unpublished opinion in a recent case involving the popular MySpace social networking website raises interesting questions about the availability of private lawsuits under the federal CAN-SPAM Act to website operators. MySpace, Inc. v. The Globe.com, Inc. (CV 06-3391-RGK (C.D. Cal. Feb. 27, 2007)). However, the litigation has now settled, so the district court decision will not receive appellate review, and its unpublished status may reduce its precedential value. Therefore, a final adjudication on these issues must await another case. The facts of the case were straightforward. The popular MySpace social networking site allows “members” to create personal profiles and exchange messages with others. MySpace sued TheGlobe.com for opening some 95 MySpace accounts fraudulently and using those accounts to send nearly 400,000 unsolicited marketing emails to other MySpace “members.” MySpace asserted violations of numerous provisions of the CAN-SPAM Act and California law, and sought liquidated damages based on the MySpace terms of service. In an unpublished opinion on cross motions for summary judgment, the District Court ruled in favor of MySpace on most issues, leaving one issue for trial. The parties recently settled on undisclosed terms. In the CAN-SPAM Act, Congress provided for private civil enforcement actions by a “provider of Internet access service” adversely affected by violations of the law. What is most interesting about the MySpace case is its holding that a community website has standing under this provision. The issue was squarely posed by the defendant’s contention that websites such as MySpace have no standing to bring such private actions under the CAN-SPAM Act, and that such actions are available only to email services providers (presumably such as America Online, which has filed a number of actions against spammers). http://www.wileyrein.com/publication_newsletters.cfm?ID=10&year=2007&publication_ID=13161&keyword=

PIRACY POLICE RAID HONEYWELL SITE (BBC, 29 June 2007) -- The British Phonographic Industry (BPI) is investigating allegations of an extensive illegal music filesharing ring at a Honeywell plant in Scotland. Investigators from the BPI raided the plant in Motherwell with police officers at 0840 BST yesterday morning. The investigators made copies of the contents of computers for detailed forensic analysis. Honeywell said that it was cooperating fully with both the police and the BPI over the investigation. The BPI says the raid follows a two-month investigation prompted by a tip-off from a Honeywell employee. The BPI said the information from the insider pointed to “thousands of music files being shared illegally”. This is the first time that the BPI has raided a business in pursuit of illegal music filesharing. Previous such raids have concentrated on domestic filesharing. http://news.bbc.co.uk/2/hi/business/6253874.stm

FREE SOFTWARE FOUNDATION RELEASES GPL 3 (CNET, 29 June 2007) -- After 18 months of sometimes inflamed debate, the Free Software Foundation on Friday released version 3 of the General Public License, a highly influential legal document that embodies the principles of the free- and open-source programming movement. The new license adjusts to software industry changes that have arisen in the 16 years since the foundation’s founder and president, Richard Stallman, released GPL 2. One of the biggest changes: the free- and open-source programming movement has been transformed from an academic, legal and philosophical curiosity to a powerful force in the commercial computing industry. Among those giving the new license a warm reception are IBM, dominant Linux sellers Red Hat and Novell, and open-source database seller MySQL. “GPL 3 code will be flowing from IBM...We’ll tell our customers we’re fine with it,” said Dan Frye, vice president of IBM open systems development. “As with any consensus process, you don’t get everything you asked for. But we got listened to. What came out is absolutely a commercially viable license.” The text of the new license can be read on a foundation Web page concerning GNU (Gnu’s Not Unix), the effort Stallman announced in 1983 to create an operating system similar to Unix but free of its proprietary software constraints. The Linux kernel project, governed by GPL 2, was grafted onto GNU, and the result has been an operating system that’s widely used on servers and strongly competitive with Microsoft Windows and Unix. http://news.com.com/2100-7344_3-6194139.html and http://arstechnica.com/news.ars/post/20070629-gpl-3-officially-released.html; License at http://www.gnu.org/

EU ALLOWS US TO HAVE UNPRECEDENTED ACCESS TO PERSONAL DATA (VNUnet.com, 29 June 2007) -- The European Union (EU) has reached an agreement to allow the US government unprecedented access to data on flight passengers and also banking details. The first of the new agreements allows the US to retain information about passengers travelling from Europe for up to 15 years and places no limitation on what US authorities are allowed to do with the data. Peter Hustinx, the European data protection supervisor - a watchdog role similar to that of the Information Commissioner in the UK - says the agreement could violate the rights of EU citizens, but Washington will allow European officials to visit the US and see how the data is used. The EU has also approved a deal setting conditions for the US treasury department to consult records of the international banking network Swift in anti-terror probes. ‘We agreed on Swift,’ said an EU diplomat. The agreement aims to allay European data privacy concerns over the US fight against terrorism. Under the deal data would be kept for a maximum of five years and the US can only use it for counter-terrorism purposes. http://www.vnunet.com/computing/news/2193144/eu-does-double-deal

UNDER NFL RULE, MEDIA WEB SITES ARE GIVEN JUST 45 SECONDS TO SCORE (Washington Post, 30 June 2007) -- Thanks to a new NFL policy, something will soon be in short supply on news-media Web sites: video of almost anything related to the NFL or its players. In a move designed to protect the Internet operations of its 32 teams, the pro football league has told news organizations that it will no longer permit them to carry unlimited online video clips of players, coaches or other officials, including video that the news organizations gather themselves on a team’s premises. News organizations can post no more than 45 seconds per day of video shot at a team’s facilities, including news conferences, interviews and practice-field reports. The policy, announced last month with little fanfare, has frustrated journalists, who say it constricts the public’s access to information about the nation’s most popular spectator sport. A coalition of news organizations has been quietly lobbying the league for months to change the rule. http://www.washingtonpost.com/wp-dyn/content/article/2007/06/29/AR2007062902187.html?hpid=topnews

AT&T OFFERS FREE WI-FI FOR SELECT CUSTOMERS (Information Week, 2 July 2007) -- Looks like telecom carriers are warming up to the idea of Wi-Fi as an alternate way for subscribers to connect to the mobile Internet. AT&T on Monday began offering free access to its nationwide Wi-Fi network. AT&T said subscribers with higher-speed broadband plans can now get access to about 10,000 Wi-Fi hotspots at different locations across the United States, including airports, McDonald’s restaurants, Barnes & Noble bookstores, coffee shops, and sporting venues. “Providing customers with more high-speed access in more places also gives us a competitive edge because we’re able to offer an on-the-go broadband experience that cable can’t match,” said Rick Welday, chief marketing officer of AT&T’s consumer division, in a statement. There’s a catch, however. Residential and small business broadband subscribers have to have one of the following broadband packages to qualify for the free service: AT&T Yahoo High Speed Internet Pro, AT&T Yahoo High Speed Internet Elite, FastAccess Xtreme, or FastAccess Xtreme 6.0. The major U.S. telecom carriers have been reluctant to offer Wi-Fi support -- both through Wi-Fi hotspots and built-in Wi-Fi technology in phones -- for fear that it will cannibalize their cellular business. In 2005, Verizon Wireless pulled the plug on its free Wi-Fi Internet service offered in New York City. Instead the carrier decided to focus on building out its third-generation (3G) cellular network based on technology called EV-DO. http://www.informationweek.com/management/showArticle.jhtml?articleID=200001927&articleID=200001927

BSA RAISES REWARD TO $1 MILLION FOR REPORTS OF PIRACY (Computerworld, 2 July 2007) -- The Business Software Alliance (BSA) has temporarily raised the reward that’s part of a controversial program encouraging people to report software piracy from $200,000 to $1 million, the trade group announced Monday. The BSA, representing large software vendors such as Microsoft Corp., Apple Inc. and IBM Corp., will pay the sum for accurate reports of software copyright infringement between now and Oct. 2, the trade group said. There are some restrictions on the reward payments. The BSA has also launched a national radio and Internet advertising campaign titled, “blow the whistle.” The trade group will also target several states, including California, Texas, Illinois, New York and Florida over the next year. Since the BSA launched its Rewards program in the U.S. in late 2005, it has reached settlements with hundreds of companies, bringing in nearly $22 million. The retail value of software pirated in the U.S. during 2006 was $7.3 billion, according to a study from IDC. The new reward shows BSA’s commitment to fighting software piracy, the trade group said. “Businesses often have a million excuses for having unlicensed software on office computers,” Jenny Blank, BSA’s director of enforcement, said in a statement. “BSA is now offering up to a million dollars for employees who turn them in.” Businesses caught with unlicensed software can pay up to $150,000 per violation. Critics of the program say it encourages disgruntled former employees to snitch on companies. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9026060&source=rss_news10

COURT UPHOLDS RULING VS. PUBLISHER (SiliconValley.com, 4 July 2007) -- Credit card companies that process payments for Internet pirates are not liable for copyright infringement, a federal appeals court ruled Tuesday. The 9th U.S. Circuit Court of Appeals in San Francisco decided that a judge in San Jose was right in dismissing a lawsuit brought by a publisher in Beverly Hills against Visa International, MasterCard and other financial companies. The 2-1 decision found that Perfect 10, a publisher of adult magazines and Web sites, failed to prove that credit card providers were liable because the financial companies played no role in helping people find or download the infringing images. The decision dealt a setback to Perfect 10’s efforts to cripple Web sites that sell access to its erotic photographs without permission. The company said it would request a new hearing by a larger panel of appeals court judges. A majority of the three-judge panel found it a stretch that such peripherally involved third parties could be liable for copyright infringement. If credit card companies were found to contribute to infringement, so might computer makers, software companies and even utility companies. “The electric companies should be liable far faster than Visa and MasterCard,” Andrew P. Bridges, the San Francisco attorney who represented Visa and MasterCard, said facetiously. “Hey, it takes electrons to fire up computer servers to actually engage in the infringement.” http://www.siliconvalley.com/news/ci_6295736 Decision at http://caselaw.findlaw.com/data2/circs/9th/0515170P.pdf

-- but --

COURT HOLDS BELGIAN ISP RESPONSIBLE FOR FILE-SHARING (Macworld, 5 July 2007) -- A court has ruled that the Belgian ISP Scarlet Extended SA is responsible for blocking illegal file-sharing on its network, setting a precedent that could affect other ISPs in Europe, according to a recording industry group. Belgium’s Court of First Instance has given the Internet service provider six months to install technology to prevent its customers from sharing pirated music and video files, the International Federation of the Phonographic Industry said. If it fails to do so it will be fined €2,500 (US$3,400) per day, according to the ruling, published June 29. The music industry has long sought to hold ISPs responsible for illegal file-sharing on their networks, although in the U.S. it has been largely unsuccessful. ISPs have argued that they provide a service like a post office or a telephone company, and shouldn’t be required to police the traffic on their networks. The Brussels ruling is based on Belgium’s interpretation of the European Union’s Information Society Directive, often called the E.U. copyright directive, and as such could set a precedent for other cases in Europe, the IFPI said. http://www.macworld.com/news/2007/07/05/filesxharing/index.php

FRENCH COURT PERMITS PEEPING ON P2P USERS’ IP ADDRESSES (Steptoe & Johnson’s E-Commerce Law Week, 5 July 2007) -- In 2005, we reported that the French data protection authority, the Commission Nationale de l’Informatique et Libertés (CNIL) had barred four music industry groups -- including the Société des Auteurs, Compositeurs et Editeurs de Musique (SACEM), and the Société Civile des Producteurs de Phonogrammes en France (SPPF) -- from using automated monitoring of users of P2P file sharing systems in their fight against piracy. Last month, France’s highest court of appeal for administrative decisions, the Conseil d’Etat, largely overturned this ruling, concluding that the groups’ request to automatically track downloads of the 10,000 most popular songs in their combined catalogs would further legitimate anti-piracy interests that outweigh associated privacy concerns. In response to the Conseil d’Etat’s ruling, the CNIL restated its commitment to guaranteeing “the right balance between the protection of author’s rights and of the private life of Internet users,” and indicated that it will seek to rebuild a “constructive relationship” with the music industry groups. Although we would like to take this spirit of compromise at face value, we certainly don’t expect the court’s decision to end the battles between the music industry and privacy interests over P2P file sharing in Europe -- where the law is generally less favorable to disclosure of subscriber information than it is in the United States. http://www.steptoe.com/publications-4613.html

GAO: CONNECTING DATA BREACHES, ID THEFTS IS DIFFICULT (SiliconValley.com, 5 July 2007) -- Personal information about Americans is stolen or lost from some government or private computer almost daily, but congressional auditors can link only a few identity thefts to the breaches. That’s primarily because links are so hard to find that nobody knows how frequently security lapses lead to fraud, the Government Accountability Office said Thursday. “No comprehensive data are available on the consequences of data breaches” from law enforcement agencies, industry and trade associations, consumer groups or privacy advocates, according to GAO, which is Congress’ auditing arm. At the federal level, investigators questioned the FBI, Secret Service, U.S. Postal Inspection Service, and Immigration and Customs Enforcement. “Representatives of all these agencies told us that their investigations of data breaches do not typically allow them to fully ascertain how stolen data are used,” the GAO said. “Similarly, they noted that investigations of identity theft do not always reveal the source of the data used to commit the crime.” GAO looked at 24 of the largest reported breaches between January 2000 and June 2005 in state governments, colleges and universities, retailers, medical facilities, and financial and information services companies. Compromised data was used to open unauthorized new accounts in one case and to commit fraud on existing accounts in three cases. There wasn’t information to tell if harm resulted in two cases. In 18 cases, no identity thefts could be attributed to the breaches. Victim company representatives said sometimes they could tell no unauthorized person had looked at the data. But in other instances where they were not aware of any fraud, “they acknowledged that there was no way to know for sure,” GAO said. http://www.siliconvalley.com/news/ci_6306043 Report at http://www.gao.gov/new.items/d07737.pdf

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuire Wood’s Technology & Business Articles of Note, http://tinyurl.com/ywsusp
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
