Saturday, July 28, 2007

MIRLN - Misc. IT Related Legal News [8-28 July 2007; v10.10]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of the American Bar Association’s Cyberspace Law Committee and Dickinson Wright PLLC. Dickinson Wright’s IT & Security Law practice group is described at

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley ( with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at and blogged at

**************End of Introductory Note***************

APPEALS COURT DISMISSES SUIT AGAINST NSA SPY PROGRAM (CNET, 6 July 2007) - In a setback for foes of a controversial Bush administration wiretapping program, a federal appeals court on Friday threw out an American Civil Liberties Union lawsuit that alleged illicit snooping on Americans’ calls and e-mails. In a 2-1 decision (PDF), the 6th Circuit Court of Appeals in Cincinnati dismissed a federal district court ruling from last August that found the National Security Agency’s Terrorist Surveillance Program violated the U.S. Constitution and ordered it to stop. The majority’s ruling did not address the legality of the program; rather, it tossed out the case on narrow procedural grounds [i.e., standing].

GOOGLE APOLOGIZES FOR BLOG CRITICIZING `SICKO’ (, 6 Jly 2007) - Search engine Google apologized after an employee criticized Michael Moore’s new documentary “Sicko” in a corporate blog. Google account planner Lauren Turner wrote on the company’s health care advertising blog last week that Moore’s expose` of the health care industry was one-sided and failed to note the industry has also contributed to philanthropy and raised awareness of patient care. Turner suggested that health care companies buy Google ads to counter the negative portrayal. But after angry readers peppered Turner with complaints, she wrote another blog post explaining that her comments were her opinion - not Google’s. The Mountain View company followed up with an apology on its main corporate blog, saying the original blog posting did not reflect its official position.

ISP TOLD TO BLOCK ILLEGAL P2P TRAFFIC (VNUnet, 6 July 2007) - Belgian ISP Scarlett, formerly part of Tiscali, has been ordered by a judge to block all peer-to-peer traffic by its customers in a landmark ruling that could set a precedent in Europe. The court in Belgium found that Scarlett had a duty to stop the traffic in illegal content over its network with a variety of technical means that are currently on the market, in particular filtering technology developed by Audible Magic. The case was brought by Sabam, the association of authors and composers in Belgium. The move has been welcomed by the International Federation of the Phonographic Industry (IFPI), which represents recording companies and artists worldwide. IFPI chairman John Kennedy said: “This is an extremely significant ruling which bears out exactly what we have been saying for the past two years. “The internet’s gatekeepers, the ISPs, have a responsibility to help control copyright-infringing traffic on their networks.

- but -

MUSIC FILE-SHARERS GET BOOST IN TOP EU COURT (Reuters, 18 July 2007) - Telecoms companies in Europe are not required to hand over information on clients believed to be running music-sharing websites in civil cases, an adviser to the European Union’s top court said on Wednesday. The case was brought by a Spanish music and audiovisual association after telecoms provider Telefonica refused to hand over the names and addresses of its Internet clients suspected of running illegal file sharing sites. The association, Promusicae, wanted to identify the clients, who used the file-sharing programme KaZaA, so it could start taking action against them. But advocate general Juliane Kokott, whose role is to advise the judges, said on Wednesday that it is compatible with EU law for European countries to exclude communication of personal data in the context of a civil, as distinct from criminal, action. The court follows the advice of advocates general on most occasions.

- and -

UNIVERSITIES TO RIAA: TAKE A HIKE (Harvard’s Berkman Center, 9 July 2007) - Recently, the president of the Recording Industry Association of America, Cary Sherman, wrote to Harvard to challenge the university administration to stop acting as a “passive conduit” for students downloading music. We agree. Harvard and the 22 universities to which the RIAA has sent “pre-litigation notices” ought to take strong, direct action...and tell the RIAA to take a hike. This Spring, 1,200 pre-litigation letters arrived unannounced at universities across the country. The RIAA promises more will follow. These letters tell the university which students the RIAA plans on suing, identifying the students only by their IP addresses, the “license plates” of Internet connections. Because the RIAA does not know the names behind the IP addresses, the letters ask the universities to deliver the notices to the proper students, rather than relying upon the ordinary legal mechanisms. Universities should have no part in this extraordinary process. [Editor: There’s more, worth reading.]

- and, on the other hand -

UNIVERSITY OF KANSAS ADOPTS ONE-STRIKE POLICY FOR COPYRIGHT INFRINGEMENT (ArsTechnica, 20 July 2007) - In response to the RIAA and MPAA’s campaign against file-sharing, the University of Kansas has announced a stringent policy for students found sharing copyrighted content on the university network. Students fingered for file-sharing would be kicked off of the residence hall network, although they would still be able to use campus computer labs. A brief notice on the University of Kansas ResNet site explains the university’s new position very succinctly. “If you are caught downloading copyrighted material, you will lose your ResNet privileges forever,” reads the notice. “No second notices, no excuses, no refunds. One violation and your ResNet internet access is gone for as long as you reside on campus.” Presumably, the University is referring to illegally downloaded copyrighted material, as there is plenty of copyrighted material that can be downloaded legally. Formerly, KU had a three strikes policy, but the new policy is one of the most stringent we have seen. Other schools have tightened their policies on copyright infringement since Big Content ratcheted up its fight against on-campus file-sharing. For one, Stanford University has made file-sharing a potentially very expensive proposition with its reconnection fees. First-time offenders will have to pay a $100 reconnection fee, with subsequent offenses assessed reconnection fees of $500 and $1,000. Along with the $1,000 fee, students will be referred to Judicial Affairs for disciplinary action after a third offense.

NINTH CIRCUIT UPHOLDS USE OF INTERNET PEN REGISTER (MIRLN reader, 8 July 2007) - In United States v. Forrester, issued today, the Ninth Circuit ratified DOJ’s longstanding position on the constitutional status of Internet addressing information – such as IP addresses and email addresses – associated with network transmissions. Specifically, the court found that collecting such information does not intrude upon a reasonable expectation of privacy, and thus does not implicate the Fourth Amendment. “Neither this nor any other circuit has spoken to the constitutionality of computer surveillance techniques that reveal the to/from addresses of e-mail messages, the IP addresses of websites visited and the total amount of data transmitted to or from an account. We conclude that these surveillance techniques are constitutionally indistinguishable from the use of a pen register that the Court approved in Smith [v. Maryland]. First, e-mail and Internet users, like the telephone users in Smith, rely on third-party equipment in order to engage in communication. Smith based its holding that telephone users have no expectation of privacy in the numbers they dial on the users’ imputed knowledge that their calls are completed through telephone company switching equipment. 442 U.S. at 742. Analogously, e-mail and Internet users have no expectation of privacy in the to/from addresses of their messages or the IP addresses of the websites they visit because they should know that these messages are sent and these IP addresses are accessed through the equipment of their Internet service provider and other third parties. […]” Note, however, the reservation in footnote 6 concerning URL collection: “Surveillance techniques that enable the government to determine not only the IP addresses that a person accesses but also the uniform resource locators (“URL”) of the pages visited might be more constitutionally problematic. A URL, unlike an IP address, identifies the particular document within a website that a person views and thus reveals much more information about the person’s Internet activity. For instance, a surveillance technique that captures IP addresses would show only that a person visited the New York Times’ website at, whereas a technique that captures URLs would also divulge the particular articles the person viewed.” Full opinion at$file/0550410.pdf?openelement Press coverage at

CORPORATE USERS DUMP MICROSOFT’S SOFTWARE ASSURANCE (Computer World, 9 July 2007) - Microsoft Corp. faces a revolt among enterprise customers over its Software Assurance maintenance program, an analyst said today, because of long stretches between upgrades and simple economics. In research published today, Forrester Research Inc. analyst Julie Giera said that based on interviews with 63 Microsoft customers, 25% won’t renew their maintenance contracts and another third remain undecided. “There are more in the ‘mad as hell’ category than I’ve ever seen,” said Giera regarding customers’ feelings about Software Assurance. “A number of companies, higher than I’ve seen since 2001 when I started to track this, are deciding to buy [licenses] later.” Software Assurance is the Microsoft program that gives corporate customers software upgrade rights and other benefits during a multiyear contract in exchange for a flat annual fee. It’s an important part of the company’s revenue picture; based on Microsoft’s own numbers for the program’s contribution to the bottom line, Software Assurance delivered about $4.1 billion in the quarter that ended March 31.

77 PERCENT OF SECURITY PROFESSIONALS WANT EU DATA BREACH LAWS (Computerworld UK, 9 July 2007) - Around three out of four IT security professionals think companies should be legally obliged to inform customers and regulators of data security breaches, a survey reveals. Of those that are in favour of introducing this law, nearly half (49%) said that businesses should be forced to disclose a security breach immediately, rather than delaying the announcement. This is the result of a survey of IT security professionals conducted by database security company Secerno at Europe’s annual information security conference, Infosec 2007. The European Commission is expected to pass the European Directive on Data Protection this year, which would require companies to inform all customers and regulators of any data security breaches. However, it could take years for the UK or other Eureopan countries to adopt this directive into law. Paul Davie, founder of Secerno, commented that the UK public does not know the full scale of data security breaches, as there is no legal obligation to reveal them. “There is a clear demand from security professionals and consumers that the Government and the EU should follow the US’s lead and impose a legal framework that forces companies to disclose breaches.

GOOGLING “HOW TO CRACK A SAFE” NETS ROBBERS $12,000 (ArsTechnica, 10 July 2007) - Google has become so ubiquitous in many people’s daily lives that it serves as the all-encompassing information source on how to do nearly anything: jump a car, tie a tie, fold a pocket square, remove ketchup stains. Oh, and crack open a safe to steal $12,000. That’s what a couple of burglars did last month in Colorado, when they broke into an indoor amusement center called Bigg City armed with the knowledge they thought they needed in order to get into a couple of safes. The burglars knew the passcodes to the safes in question but were still unable to open them after several tries, so they eventually resorted to their good friend Google to tell them how. These burglars may not have been the sharpest tacks in the box to begin with; they attempted to cover a security camera lens not with spray paint or some other opaque agent, but the clear, cleaning properties of WD-40, and attempted to do the same to a fire alarm that they thought was a camera. But at least they were resourceful; after spending an hour and 15 minutes attempting to unsuccessfully crack the safe using their handy passcodes, according to the Colorado Springs Gazette, they used the computer in the next room to search Google for “how to crack a safe.” The Google search proved fruitful for the two burglars, as they were able to get the information they needed and walk away with $12,000 in cash as well as a PlayStation and a laptop. And despite their inept attempts to outwit the security cameras, they have not yet been arrested.

NEW WEB SITE ENCOURAGES FIRMS TO REPORT CORRUPTION (CNET, 11 July 2007) - Multinational firms like Wal-Mart, Target and Tyco International on Wednesday endorsed a new Web site where companies and individuals can report bribery and corruption in countries where they do business., launched by Trace, a Maryland-based nonprofit group that represents multinational companies, lets anyone volunteer information about incidents of corruption or bribery in the United States or abroad. The information compiled from Bribeline will help companies determine where corruption is most prevalent and will help governments strengthen their ability to tackle corruption. “Bribeline will further Wal-Mart’s efforts to ensure we are allocating the necessary resources to combat corruption in those countries where we do business,” said Alberto Mora, vice president and general counsel for the international department at Wal-Mart. Businesses looking into ventures in certain countries will be forewarned about what kinds of bribery they can expect. “If you know the terrain, it’s easier to map out a business solution for survival,” said Michelle Gavin, a board member of Trace. The Web site does not require participants to identify themselves, which some critics say would encourage malicious or false reporting. “We had to make a decision early on between anonymity or verification,” said Trace President Alexandra Wrage, “You can’t have both.” The World Bank, which has a similar disclosure program that encourages firms to admit when they paid bribes while doing work for the bank, has estimated that bribery around the world amounts to about $1 trillion, and affects the poorest citizens the most. “The World Bank knows from experience that nobody wants their names mentioned,” said Suzanne Rich Folsom, director of the Department of Institutional Integrity at the World Bank. Fear is often a deterrent in reporting corruption, she added. “Bribeline will be real-time information to all of us who are trying to fight corruption,” said Folsom. “This may begin to level the playing field...and lower the cost of doing business.”

EU ACCEPTS U.S. TREASURY’S PROMISES TO PROTECT SWIFT DATA (Steptoe & Johnson’s E-Commerce Law Week, 11 July 2007) - The European Union announced last month that the U.S. Treasury Department has made a unilateral commitment to handle “EU originating personal data” it obtains from the Brussels-based banking consortium known as SWIFT in a manner that “take[s] account of EU data protection concerns.” The EU stated that the European Commission considers Treasury’s representations - in combination with SWIFT’s promises to abide by “safe harbor” principles and inform customers that their personal data will be sent to the United States, where it will be subject to subpoena - “sufficient to guarantee respect for and the enforcement of European data protection rights.” The EU’s announcement provides a window into the procedures U.S. authorities will follow to avoid running afoul of EU data protection law. Companies might want to consult the specifics of this deal (once they’re publicly released) when considering whether or how to provide personal data from the EU to U.S. authorities.

WHOLE FOODS CEO PANNED WILD OATS ON WEB (Reuters, 12 July 2007) - The chief executive of Whole Foods Market Inc. posted messages on a Yahoo! chat forum under an alias for years, talking up his own company while predicting a bleak future for Wild Oats Markets Inc., the rival it has since sought to acquire. Company CEO John Mackey posted messages on a Yahoo! financial forum under the user name “rahodeb,” according to a court document filed by the U.S. Federal Trade Commission and postings on Yahoo! Mackey’s messages painted a bright future for Whole Foods, the largest U.S. natural and organic grocer, and downplayed the threat posed by competitors. “The writing is on the wall. The end game is now underway for (Wild Oats) .... Whole Foods is systematically destroying their viability as a business - market by market, city by city,” Mackey wrote in a March 28, 2006 posting. It was cited by the FTC as part of a lawsuit aimed at blocking Whole Foods’ planned $565 million (278 million pounds) acquisition of Wild Oats on grounds the deal would hobble competition and increase prices to consumers. “Bankruptcy remains a distinct possibility (for Wild Oats) IMO if the business isn’t sold within the next few years,” rahodeb said in another March 29, 2006 posting on Yahoo! Whole Foods confirmed Mackey had made the “rahodeb” postings between 1999 and 2006. It said references to those comments were among millions of documents the company provided to the FTC as part of the agency’s antitrust lawsuit. In a statement, the company said Mackey posted comments under an alias “to avoid having his comments associated with the company and to avoid others placing too much emphasis on his remarks.” Washington Post story about informal SEC investigation:

SPAM FILTER COSTS LAWYERS THEIR DAY IN COURT (IDG News Service, 12 July 2007) - The trouble at Franklin D. Azar & Associates PC began with pornographic spam. Last May the Aurora, Colo., law firm was being bombarded with offensive messages, and enough of it was seeping through the company’s spam filters that employees complained to management, and IT administrator Kevin Rea was told to do something. On the morning of May 21, Rea dialed up the spam settings on the Barracuda Spam Firewall 200 Azar & Associates was using to block unwanted mail. The changes made it harder for spam to land on the desktops of company employees but they also had one unforeseen consequence: The Barracuda Networks appliance began blocking e-mail from the U.S. District Court for the District of Colorado, including a notice advising company lawyers of a May 30 hearing in a civil lawsuit. Azar & Associates lawyers blew their court date, and this week the judge overseeing the matter ordered the company to pay attorney fees and expenses incurred by the lawyers who showed up representing the other side of the case. Rea did not return a call seeking comment on the matter. What happened to Azar & Associates is unusual, but reflects a legitimate worry for law firms. “This is an IT guy’s nightmare if you work in a law firm,” said Matt Kesner, CTO with Fenwick & West LLP, a Bay Area law firm with about 250 attorneys. “It doesn’t take a very high percentage of false-positives in the antispam world to misidentify a crucial piece of correspondence.” Fenwick & West has missed e-mailed court notices in the past, although it has not blown court dates as a consequence, Kesner said.,134460-pg,1/article.html

SITE PLANS TO SELL HACKS TO HIGHEST BIDDER (Washington Post, 12 July 2007) - A Swiss Internet start-up is raising the ire and eyebrows of the computer security community with the launch of an online auction house where software vulnerabilities are sold to the highest bidder. The founders of (pronounced wobby-sobby-lobby) say they hope the service presents a legitimate alternative for security researchers who might otherwise be tempted to sell their discoveries to criminals. Several established vulnerability management companies already purchase information about software flaws from researchers, yet the terms of those deals are private and generally set by the companies. Letting all interested parties bid on security vulnerabilities in an “eBay”-style auction assures that researchers receive the fair market value for the work they do in finding the flaws, said Herman Zampariolo, WabiSabiLabi’s chief executive.

SONY BMG SUES ANTI-PIRACY COMPANY [over rootkit problems] (BBC, 13 July 2007) - Record company Sony BMG is suing a firm that designed controversial anti-piracy software used on CDs sold by the label. Sony BMG filed papers in a New York state court seeking $12m in damages from the Arizona-based Amergence Group. It says Amergence’s Mediamax software landed it with a $5.75m (£2.83m) bill for compensation after users reported problems with their computers. Amergence disputes the claims and blames another company’s software for the problems. Amergence, formerly known as SunnComm, developed the Mediamax anti-piracy program, which was used on 32 Sony CDs released in the US and Canada. In December 2005, Sony BMG issued a statement highlighting problems with the Mediamax software and urging users to install a patch that closed a security loophole which it said MediaMax opened on PCs. At the same time, other consumers took action over Sony CDs that were being protected with another anti-piracy technology known as XCP. Sony eventually recalled all the CDs that used XCP and offered to swap customers’ existing discs for ones that did not use the software. A statement from Amergence said the problems had resulted from “Sony’s undertested release of a competitor’s technology” and “BMG’s ‘final authority’ input in determining the functional specifications of the Mediamax copy protection”.

30 COUNTRIES MOVE TO PROTECT ONLINE CONSUMERS (Network World, 16 July 2007) - Spurred to find ways to protect consumers as online shopping grows, the 30 countries belonging to the international economic and social-development group Organization for Economic Co-Operation and Development (OECD) announced Monday an accord on dispute resolution. After two years of wrangling over the policy document, the Paris-based OECD said its 30 members - which include the European countries, Japan, Korea, Mexico, the United States and the United Kingdom among others - have signed off on a legal framework intended to lead to better policing and resolution of consumer complaints, particularly in cross-border disputes involving e-commerce. But it remains unclear whether concrete change will come from the policy agreement, which the OECD countries now must find a way to put into effect. Called the “OECD Recommendation on Consumer Dispute Resolution and Redress,” the 13-page document states principles that include: [story continues]

U.S. DETAILS SOME DATA-MINING PROGRAMS, HINTS AT OTHERS (Wired, 16 July 2007) - Justice Department and Homeland Security inspectors slid a broad range of government data-mining programs under a microscope last week in two reports to Congress that covered systems both sinister and banal. But while the reports - required under two separate federal laws - convey a sense of the breadth of these powerful agencies’ data mining, they only hint at several projects powerful enough to accidentally land innocent Americans in the cross hairs of the government’s antiterrorism efforts. On the innocent side, the Justice Department has separate data-mining programs to ferret out identity-theft gangs, Medicare fraud, staged automobile accidents, online pharmacy scams and illegal housing sales, according to the report by Justice Department Inspector General Glenn Fine. Some of that data mining is conducted with tools available to anyone with a copy of Microsoft Office. And once anomalies in the data are identified, agents follow up on the leads. A more ambitious system under development will be used by the Foreign Terrorism Tracking Task Force - an FBI group responsible for preventing terrorist attacks inside the United States. Called the System to Assess Risk, or STAR, the program will let agents enter names of suspected terrorists into a computer, which then calculates how likely each of those people is to pose a terrorist threat, based on 35 factors. Data mining in the broad sense is everywhere these days, from online services that analyze blog server logs to supermarket loyalty cards used to decide what coupons are mailed to shoppers’ houses. The term has many meanings, but usually refers to attempts to use smart algorithms to discover unseen patterns in large pools of data. The most notorious government data-mining effort was Darpa’s highly secretive Total Information Awareness program, which would have crawled through every possible database, public and private, to identify potential terrorists in the planning stages of an attack. In 2003, amid privacy concerns, Congress stepped in to defund much of that effort, and sent components of the program into the black budget with the promise that the tools would only target non-Americans. and DHS report at

GOOGLE COOKIES WILL ‘AUTO DELETE’ (BBC, 17 July 2007) - Google has said that its cookies, tiny files stored on a computer when a user visits a website, will auto delete after two years. They will be deleted unless the user returns to a Google site within the two-year period, prompting a re-setting of the file’s lifespan. The company’s cookies are used to store preference data for sites, such as default language and to track searches. All search engines and most websites store cookies on a computer. Currently, Google’s are set to delete after 2038. Peter Fleischer, Google’s global privacy counsel, said in a statement: “After listening to feedback from our users and from privacy advocates, we’ve concluded that it would be a good thing for privacy to significantly shorten the lifetime of our cookies.” He said the company had to “find a way to do so without artificially forcing users to re-enter their basic preferences at arbitrary points in time.” So if a user visits a Google website, a cookie will be stored on their computer and will auto-delete after two years. But if the user returns to a Google service, the cookie will re-set for a further two years.

- and -

SEARCH ENGINE ASK TO STOP KEEPING SEARCH DATA UPON REQUEST (, 20 July 2007) - became the first major search engine to promise users it won’t store data on their queries, giving the privacy conscious the option of conducting research on the Internet in relative anonymity. The move comes amid increasing concerns about the release of search information through leaks or subpoenas. In some cases, the search terms a person uses can reveal plenty about medical conditions, marital troubles or kinky interests. “What everyone’s starting to see is competition for privacy,” said Ari Schwartz, deputy director of the Center for Democracy and Technology, a Washington-based nonprofit that had consulted with Ask on the changes. Company officials acknowledged Friday that the decision alone likely won’t raise Ask’s ranking among search engines. Ask, a unit of IAC/InterActiveCorp., is far behind Google Inc., Yahoo Inc., Microsoft Corp.’s MSN and Windows Live in the share of U.S. search queries. “The number of people this is important to is small,” said Doug Leeds, Ask’s vice president of product management. “But to these people, it’s very important.” The new controls won’t guarantee user anonymity, however. As Ask’s advertising partner, Google would receive and could retain the data in question. Search terms also appear in the Web address sent to Ask, and Internet service providers could retain that. But Leeds said Ask would review contracts with Google and other third parties to limit what they could do Advertisement Click Here! with the information, and the company hoped the move would pressure rivals to also adopt tighter privacy controls. Related story at

SEC ISSUES INTERPRETIVE GUIDANCE ON ICFR (Duane Morris Alert, 17 July 2007) - On June 20, 2007, the Securities and Exchange Commission issued interpretive guidance to assist management of public companies in evaluating their internal control over financial reporting (“ICFR”), as required by Section 404 of the Sarbanes-Oxley Act of 2002 and Rules 13a-15(c) and 15d-15(c) of the Securities Exchange Act of 1934. The Guidance provides management with an approach to conduct a top-down, risk-based evaluation of ICFR. The same day, the SEC issued two rule releases. In one release, the SEC adopted final rules in which it:
· adopted amendments to its rules to facilitate management evaluations of ICFR by sanctioning the Guidance as a safe harbor;
· adopted amendments to its rules regarding the auditor’s attestation report on the effectiveness of ICFR; and
· defined the term “material weakness.” In the other release, the SEC proposed a rule defining the term “significant deficiency.” In a coordinated action, the Public Company Accounting Oversight Board (“PCAOB”) adopted a new auditing standard for use by auditors in their audits of ICFR. SEC guidance at

STUDENTS’ TRIAL BY FACEBOOK (The Guardian, 17 July 2007) - Oxford University staff are logging on to Facebook and using evidence they find on student profiles to discipline students. Photos on the social networking website of undergraduates celebrating the end of their exams have been emailed to students by the proctors, Oxford’s disciplinary body, as evidence of breaches of the University’s code of conduct. Students now face fines of up to £100 after proctors collected evidence of students celebrating the end of exams by “trashing” their friends, covering them with champagne, confetti, flour, and even foodstuffs including raw meat and octopus. Students may be unable to graduate until the disciplinary hearings are resolved. Proctors emailed third-year mathematics and philosophy student Alex Hill with links to photographs of her on Facebook on Friday. “I have been charged by the proctors for breaching rules and being ‘disorderly’, on the basis of photographic evidence from Facebook,” she said.,,2128265,00.html

WILL SECURITY FIRMS DETECT POLICE SPYWARE? (Wired, 17 July 2007) - A recent federal court decision raises the question of whether antivirus companies may intentionally overlook spyware that is secretly placed on computers by police. In the case decided earlier this month by the 9th U.S. Circuit Court of Appeals, federal agents used spyware with a keystroke logger-call it fedware-to record the typing of a suspected Ecstasy manufacturer who used encryption to thwart the police. A CNET survey of 13 leading antispyware vendors found that not one company acknowledged cooperating unofficially with government agencies. Some, however, indicated that they would not alert customers to the presence of fedware if they were ordered by a court to remain quiet. Most of the companies surveyed, which covered the range from tiny firms to Symantec and IBM, said they never had received such a court order. The full list of companies surveyed: AVG/Grisoft, Computer Associates, Check Point, eEye, IBM, Kaspersky Lab, McAfee, Microsoft, Sana Security, Sophos, Symantec, Trend Micro and Websense. Only McAfee and Microsoft flatly declined to answer that question. Because only two known criminal prosecutions in the United States involve police use of key loggers, important legal rules remain unsettled. But key logger makers say that police and investigative agencies are frequent customers, in part because recording keystrokes can bypass the increasingly common use of encryption to scramble communications and hard drives. Microsoft’s Windows Vista and Apple’s OS X include built-in encryption. This isn’t exactly a new question. After the last high-profile case in which federal agents turned to a key logger, some security companies allegedly volunteered to ignore fedware. The Associated Press reported in 2001 that “McAfee Corp. contacted the FBI... to ensure its software wouldn’t inadvertently detect the bureau’s snooping software.” McAfee subsequently said the report was inaccurate. Later that year, the FBI confirmed that it was creating spy software called “Magic Lantern” that would allow agents to inject keystroke loggers remotely through a virus without having physical access to the computer. (In both the recent Ecstasy case and the earlier key logging case involving an alleged mobster, federal agents obtained court orders authorizing them to break into buildings to install key loggers.) Government agencies and backdoors in technology products have a long and frequently clandestine relationship. One 1995 expose by the Baltimore Sun described how the National Security Agency persuaded a Swiss firm, Crypto, to build backdoors into its encryption devices. In his 1982 book, The Puzzle Palace, author James Bamford described how the NSA’s predecessor in 1945 coerced Western Union, RCA and ITT Communications to turn over telegraph traffic to the feds.

- and -

FBI REMOTELY INSTALLS SPYWARE TO TRACE BOMB THREAT (CNET, 18 July 2007) - The FBI used a novel type of remotely installed spyware last month to investigate who was e-mailing bomb threats to a high school near Olympia, Wash. Federal agents obtained a court order on June 12 to send spyware called CIPAV to a MySpace account suspected of being used by the bomb threat hoaxster. Once implanted, the software was designed to report back to the FBI with the Internet Protocol address of the suspect’s computer, other information found on the PC and, notably, an ongoing log of the user’s outbound connections. While there’s been plenty of speculation about how the FBI might deliver spyware electronically, this case appears to be the first to reveal how the technique is used in practice. The FBI did confirm in 2001 that it was working on a virus called Magic Lantern but hasn’t said much about it since. The two other cases in which federal investigators were known to have used spyware-the Scarfo and Forrester cases-involved agents actually sneaking into offices to implant key loggers. An 18-page affidavit filed in federal court by FBI Agent Norm Sanders last month and obtained by CNET claims details about the governmental spyware are confidential. The FBI calls its spyware a Computer and Internet Protocol Address Verifier, or CIPAV. “The exact nature of these commands, processes, capabilities, and their configuration is classified as a law enforcement sensitive investigative technique, the disclosure of which would likely jeopardize other ongoing investigations and/or future use of the technique,” Sanders wrote. A reference to the operating system’s registry indicates that CIPAV can target, as you might expect given its market share, Microsoft Windows. Other data sent back to the FBI include the operating system type and serial number, the logged-in user name, and the Web URL that the computer was “previously connected to.” has posted Sanders’ affidavit and a summary of the CIPAV results that the FBI submitted to U.S. Magistrate Judge James Donohue. There have been hints in the past that the FBI has employed this technique. In 2004, an article in the Minneapolis Star Tribune reported that the bureau had used an “Internet Protocol Address Verifier” that was sent to a suspect via e-mail. But bloggers at the time dismissed it-in hindsight, perhaps erroneously-as the FBI merely using an embedded image in an HTML-formatted e-mail message, also known as a Web bug.

CT RULES JURISDICTION CLAIM REQUIRES TARGETED INTERACTIVITY (BNA’s Internet Law News, 19 July 2007) - BNA’s Electronic Commerce & Law Report reports on a decision by a federal court in Kansas that ruled that interactive features on a Web site will not support jurisdiction in a forum unless users there actually accessed the features. The court also said that the site owner must intend its interactive features to reach the forum in order to satisfy purposeful availment. Case name is Capitol Federal Savings Bank v. Eastern Bank Corp.

DOJ PITCHES LEGISLATION TO STRENGTHEN IDENTITY THEFT LAWS (Information Week, 20 July 2007) - The U.S. Department of Justice submitted proposed legislation to Congress on Thursday, looking to beef up laws that would take on the burgeoning problem of identity theft. The bill - the Identity Theft Enforcement and Restitution Act of 2007 - seeks, in part, to make sure identity theft victims are paid back for the time they spend trying to repair the damage inflicted upon them and their financial standing, according to a DoJ notice. The bill also would add to the current identity theft and aggravated identity theft statutes, which focus on stealing the identity of individuals. The bill supplements that by making sure people who steal information from companies and organizations can be prosecuted, as well. The bill comes out of the President’s Task Force on Identity Theft plan, which was released in April. The task force was pulled together to formulate a plan to attack identity theft at all levels in the public and private sectors. As for the bill that the DoJ is proposing, it also seeks to ensure that federal law enforcement has jurisdiction over the theft of identifying information by closing a loophole in the current statute. Under the proposed act, federal jurisdiction could be obtained if the victim’s computer is used in interstate or foreign commerce, the same standard used in other computer hacking offenses.

GOOGLE, STATE TO PARTNER ON PUBLIC RECORDS (Detroit Free Press, 20 July 2007) - State officials said this week they are partnering with Google Inc. to make some Michigan public records easier to find for Web surfers. The new technology enables Internet search engines to access and index the records in online databases. That makes the records accessible in search results. Google already has partnered with four other states — Arizona, California, Utah and Virginia — in similar efforts. Google is helping to implement the Michigan Web site improvements at no cost, state officials said in a press release. Some of the state applications that will be affected include school standardized test results, lane closures on Michigan roads and child day care centers.

- but -

JUDGES RESPOND TO SITE OUTING INFORMANTS (Washington Post, 23 July 2007) - In response to a Web site that outs criminal informants and undercover agents, some U.S. judges are withholding certain court documents from the Internet. Federal judges in eastern Pennsylvania and southern Florida are keeping plea and sentencing memos out of online case files because of concerns that the information is being posted on a Web site called The documents still will be available in person at the federal courthouse. “It’s better in my view to act sooner rather than later, before any tragedy occurs,” Chief U.S. District Judge Harvey Bartle III said Friday. His colleagues in the Eastern District of Pennsylvania unanimously agreed on the plan, which was hatched in meetings with prosecutors and public defenders, he said. “We’re not going to have secret documents,” Bartle said. “It will still be available for anybody that still wants to walk into the courthouse office and get it.”

Curing “SENDER’S REMORSE” (AND SCREW-UPS) WITH SELF-DESTRUCTING E-MAIL (ArsTechnica, 23 July 2007) - Everyone has had one of those moments when you realize that you shouldn’t have sent that e-mail. Maybe you sent it out of anger (or drunkenness), it was sent to the wrong person (that was not supposed to go to the boss!), or it was just plain incomplete. A recently announced e-mail service called BigString hopes to eliminate sender’s remorse by offering users a way to send “self-destructing, recallable e-mail.” We were intrigued by some earlier reports on the service and decided to dig into it a little more to see what it was all about. BigString has three tiers of service: a free, web-based account, a premium account with POP3 access, and a business account that can send from corporate e-mail addresses. Through the service, users can specify any number of criteria by which the message might expire: it can expire automatically after a certain number of minutes, it can expire after a certain number of times the recipient has opened the e-mail, or it can simply be set to be “recallable,” so that the message will no longer be accessible whenever the sender feels like deeming it so. But how is it possible? E-mail messages sent through BigString are actually encoded into images that are hosted off of BigString’s servers and linked in an e-mail to the recipient. This not only makes it difficult for the recipient to copy and paste the content of the message, it also makes it easy for BigString to track how many times the image been viewed, how long it has been on the server, and whether it’s been viewed by people at different IP addresses (to prevent forwarding of the message). When the sender decides to destroy the message, the image is merely removed from the server and disappears from the e-mail message on the recipient side; the message is still sitting there in the inbox, and the recipient still knows that someone tried to send him or her an e-mail, but it no longer has any content. BigString also offers several other features with its e-mail packages. For example, users can track when and how many times a message has been viewed and edit sent e-mails for typos or corrections (which updates the image on the server). There are several annoyances with using BigString, however, as it practically removes all searchability of the e-mails you send. We suppose this is part of the “point,” but it’s annoying nonetheless for practical e-mail use. [Editor: *LOTS* of interesting implications here - privacy, security, record-retention, discovery, etc.]

LAWYERS GET COURT APPROVAL FOR POP-UP ADS ON INTERNET (New York Times, 24 July 2007) - A federal judge in Syracuse has cleared the way for lawyers in New York State to use pop-up ads on the Internet, but did not answer the bigger but more subtle issue of whether firms must label newsletters and e-mail messages to clients as advertising. The decision, issued Friday, said that statewide rule changes that took effect on Feb. 1 violated the free speech of lawyers. The ruling resulted from a lawsuit filed by Public Citizen, an advocacy group, on behalf of Alexander & Catalano, a personal-injury firm from Syracuse that had challenged limits placed on advertising by a committee of judges in New York’s appellate division. The firm had called itself “heavy hitters” in ads and had run TV commercials depicting its lawyers as giants towering over skyscrapers, counseling space aliens about an insurance dispute and speeding to reach a client. Gregory A. Beck of Public Citizen, who argued the case, called the images in the advertisements “silly stuff,” but added: “Attention-getting is what advertisements do.” Judge Frederick J. Scullin Jr. of Federal District Court found that the justices who adopted the limits had “no statistical or anecdotal evidence of consumer complaints with or complaints about misleading lawyer advertising,” and had instead cited public comments by a New York Court of Appeals justice on the poor taste of billboards appearing in upstate New York. For major firms, Judge Scullin’s ruling did not address regulations that have confused their marketing officers — whether e-mail messages had to be labeled advertisements and Web sites needed disclaimers. “The portions that were knocked out would not have had a major impact on the large firms here in New York City. I don’t know of any big firms that use pop-up advertisements,” said David G. Keyko, a lawyer with Pillsbury Winthrop Shaw Pittman who is on a City Bar Association task force regarding the new rules.

WHITE HOUSE PRIVACY ADVISER: WE DON’T NEED MORE AUTHORITY (CNET, 24 July 2007) - Congress is already well on its way to bestowing new powers on an internal White House panel that’s supposed to judge whether Bush administration programs like the National Security Agency’s electronic surveillance regime pose privacy and civil liberties concerns. But the board’s chairman on Tuesday had one message for the politicians backing the new authority: thanks, but no thanks. Civil liberties advocates have long dogged the Privacy and Civil Liberties Oversight Board-which was created within the White House by Congress in 2004 at the recommendation of the 9/11 Commission but didn’t meet until 2006-for its perceived inability to make real assessments without executive branch officials looking over its shoulder and its lack of transparency to the public. In fact, what is supposed to be a five-member body has already recorded one dropout-former Clinton Administration special counsel Lanny Davis-who cited precisely those concerns when he stepped down in May. So both the House of Representatives and the Senate have passed bills this year that attempt to address those concerns. The House version proposes the more drastic changes: severing the body from the White House and making it a standalone, independent agency with subpoena power. (The Senate version would leave the board within the White House but require the chairman to work full time and confirmation of all members-not just the chairman and vice chairman-to staggered six-year terms.) But at an hour-long hearing Tuesday afternoon in a House of Representatives Judiciary subcommittee, board vice chairman Alan Raul said the House approach in particular is “potentially unwise.” He argued such a move would deprive the board of its current “unparalleled” access to executive branch officials, would be inefficient in that it requires appointment of a whole new board, and could limit the number of private meetings members are permitted to have. Raul, a partner at the law firm Sidley Austin in Washington and a former Reagan White House attorney, also complained that Congress never bothered to hold “formal hearings” to hear board members’ views before passing those bills. (The two chambers are currently meeting to reconcile the differences between those two proposals, which focus more broadly on implementing 9/11 Commission recommendations.)

SENATORS TO ABANDON ‘08 E-VOTING PAPER TRAIL MANDATE (CNET, 25 July 2007) - Democratic senators on Wednesday made another push for banning electronic voting machines that lack paper trails, but they’ve backed away from doing so in time for next year’s presidential election. Sen. Dianne Feinstein (D-Calif.), the chief sponsor of a contentious bill called the Ballot Integrity Act that proposes such changes, said she fears requiring all states to employ so-called voter-verified paper records in their systems, with some primaries only six months away, “could be an invitation to chaos.” Earlier this year, she called for enacting such changes by 2008. After listening to a rash of concerns about the bill’s approach at Wednesday’s hearing, Feinstein said it may be necessary to move any proposed deadline for a paper trail mandate “out a little farther.” Introduced just before the Memorial Day recess, Feinstein’s bill is co-sponsored by 10 Democrats-including presidential hopefuls Hillary Clinton, Barack Obama and Christopher Dodd-and Vermont Independent Bernie Sanders. Clinton made a brief appearance on Wednesday to make a pitch for “21st century reforms” to the nation’s voting system. In her view, that action includes requiring the use of voter-verified paper records that would serve as the official ballot of record, banning undisclosed e-voting software source code, and prohibiting wireless communications devices in voting systems. (A separate bill called the Count Every Vote Act, which she proposed earlier this year, also includes such steps.) Election watchdog groups and prominent computer scientists have long argued that paper ballots are one of the surest ways for voters to verify their intent was recorded, especially amid evidence that touch-screen machines are vulnerable to security flaws and glitches. But election officials and some voting machine reviewers have argued paperless machines are not as flawed as their critics claim and that replacing them would be unduly time-consuming and expensive.

**** RESOURCES ****
GAO REPORT: Cybercrime: Public and Private Entities Face Challenges in Addressing Cyber Threats (20 June 2007) - Cybercrime has significant economic impacts and threatens U.S. national security interests. Various studies and experts estimate the direct economic impact from cybercrime to be in the billions of dollars annually. The annual loss due to computer crime was estimated to be $67.2 billion for U.S. organizations, according to a 2005 FBI survey. In addition, there is continued concern about the threat that our adversaries, including nation-states and terrorists, pose to our national security. For example, intelligence officials have stated that nation-states and terrorists could conduct a coordinated cyber attack to seriously disrupt electric power distribution, air traffic control, and financial sectors. Also, according to FBI testimony, terrorist organizations have used cybercrime raise money to fund their activities. Despite the estimated loss of money a information and known threats from adversaries, the precise impact of cybercrime is unknown because it is not always detected and reported (cybercrime reporting is discussed further in GAO’s challenges section).

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. Edupage,
3. SANS Newsbites,
4. NewsScan and Innovation,
5. Internet Law & Policy Forum,
6. BNA’s Internet Law News,
7. Crypto-Gram,
8. McGuire Wood’s Technology & Business Articles of Note,
9. Steptoe & Johnson’s E-Commerce Law Week,
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.

No comments: