Saturday, September 08, 2007

MIRLN - Misc. IT Related Legal News [19 August - 8 September 2007; v10.12]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of the American Bar Association’s Cyberspace Law Committee and Dickinson Wright PLLC. Dickinson Wright’s IT & Security Law practice group is described at http://tinyurl.com/joo5y.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.abanet.org/dch/committee.cfm?com=CL320000 (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley (vpolley@REMOVETHISSTRINGvip-law.com) with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at www.vip-law.com and blogged at http://mirln.blogspot.com/.

**************End of Introductory Note***************

COST OF DATA BREACH AT TJX SOARS TO $256M (Boston Globe, 15 August 2007) - TJX Cos. said its costs from the largest computer data breach in corporate history, in which thieves stole more than 45 million customer credit and debit card numbers, have ballooned to $256 million. The figure is more than 10 times the roughly $25 million the Framingham retailer estimated just three months ago, though at the time it cautioned it didn’t know the full extent of its exposure from the breach. The costs include fixing the company’s computer system and dealing with lawsuits, investigations, and other claims stemming from the breach, which lasted more than a year before the company discovered the problem in December. TJX disclosed the higher costs in its second-quarter earnings report, released yesterday. For that quarter alone, costs related to the data theft lowered TJX’s profit by $118 million, or 25 cents a share, after accounting for taxes. Yet the company noted that strong sales during the same period suggested customers were not scared away from its stores, which include TJ Maxx and Marshalls. After the disclosure yesterday, shares fell 8 cents to close at $27.58 on the New York Stock Exchange, 8 percent below their level the day before TJX disclosed the security breach in January. http://www.boston.com/business/globe/articles/2007/08/15/cost_of_data_breach_at_tjx_soars_to_256m/ and http://www.forbes.com/markets/2007/08/14/tjx-retail-update-markets-equity-cx_jl_0814markets31.html

ABA LAUNCHES LEGAL RESOURCE SITE FOR SMALL ONLINE BUSINESSES (ComputerWorld, 16 August 2007) - Want to start an online business? Well, you’re probably going to have some questions, right? But if you don’t want to spend $200 or more an hour for an attorney, you can log onto Safeselling.org and get some questions answered. The American Bar Association launched the online resource at its annual meeting last week to help individuals and small business owners with questions about setting up, launching and operating an online store or other e-commerce venture. Among the sections covered are obtaining a domain name, selling out of state and how to verify who your customers are. “We wanted the site to be intuitive for the typical small business owner,” said Jonathan Rubens, editorial director of the site, in a statement. “From obtaining a domain name to protecting customer privacy, our Safeselling.org site offers a complete range of logically listed minitopics to help our target audience find the facts they need.” The site also advises users on such issues as the products and services they can sell online as well as those that are prohibited; how to draft a terms and conditions agreement; laws and regulations governing online sales; taxes; payment processing; as well as delivery and return processes. Safeselling.org is a companion site to Safeshopping.org, a site that provides information to consumers about buying online. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9031043&source=NLT_PM&nlid=8

CONSULTING FIRM PAYS $300K FOR ILLEGALLY USING COPYRIGHTED CONTENT (ComputerWorld, 17 August 2007) - A California-based market research company has agreed to pay a $300,000 settlement for illegally distributing copyrighted articles, research reports and other information without proper licenses or permission to employees via e-mail newsletters. The Software & Information Industry Association (SIIA), a Washington-based trade group for software vendors and content providers, announced Thursday that it had reached the copyright infringement settlement with Knowledge Networks Inc. in Menlo Park, Calif. The SIIA said it learned about the activities at Knowledge Networks after receiving an anonymous tip from an informant, who is being paid a $6,000 reward. Scott Bain, the SIIA’s litigation counsel, said the case is the first to be settled under a new Corporate Content Anti-Piracy Program, which expands the trade group’s protective blanket beyond its existing software piracy programs. “It recently became obvious that while there has been progress on the software side, there’s another problem with infringement of [published] content,” Bain said. Companies often use newspaper, magazine and newswire stories, newsletters, databases and other kinds of information without obtaining licenses or permissions from the content owners, he added. “It’s gotten worse with the advent of online delivery,” Bain said. “It’s just so easy to copy and forward [information] that people do it without thinking.” In the Knowledge Networks case, the SIIA said, company employees received e-mail messages with newsletters that included articles copyrighted by members of the trade group such as the Associated Press, Reed Elsevier and United Press International. As part of the settlement, Knowledge Networks agreed to create an internal program to avoid future infringements. 
The program will include educating executives and other employees about copyright compliance and licensing issues, and ensuring that proper licenses are obtained for use of copyrighted materials. Bain said that the $300,000 payment being made by Knowledge Networks is “far more” than the materials would have cost the company if they had been acquired legally. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9031239&source=NLT_PM&nlid=8

COMPANIES CLAMPING DOWN ON MESSAGING (AP, 20 August 2007) - Whenever a doctor, nurse or administrator in Georgia’s DeKalb Medical Center sends an e-mail, the message detours through a special box in the three-hospital system’s computing cluster. The box analyzes the e-mail, scanning for sensitive information like patient names, prescription histories and Social Security numbers. More than 1,200 times a month, the box finds such private data and automatically routes the message to a server that encrypts it for secrecy before sending it to its original destination. Sometimes, though, the box is unsure what to do, so it asks Sharon Finney. Finney is the information security administrator, which makes her responsible for keeping the hospital in tune with medical privacy laws. Several times a week, the messaging-control system, set up by Proofpoint Inc., alerts Finney to e-mails awaiting her review. “What I’m looking for is not so much someone sending out something intentional or volumes of info” inappropriately leaving the hospital, she says. “I’m looking at, is this a legitimate recipient?” Maybe an e-mail address was mistyped, for example, or one too many people was copied in on a spreadsheet with patient account numbers. Such careful oversight is becoming more common. Many organizations, fearful that inside information can slip out through innumerable digital avenues, now govern precisely what employees can or cannot put into e-mails, instant messages, Web postings and even offline documents. But employers can’t hold their workers’ hands all the time — so they’re increasingly turning to software that tries to do it for them. http://news.yahoo.com/s/ap/20070820/ap_on_hi_te/office_computer_control_2;_ylt=AozYizAkODePCGaBrp.H05cE1vAI

IN GOOGLE EARTH, A SERVICE FOR SCANNING THE HEAVENS (New York Times, 22 August 2007) - After turning millions of Internet users into virtual explorers of the world with Google Earth, the Internet search giant is now hoping to turn many of them into virtual stargazers. Google is unveiling within Google Earth today a new service called Sky that will allow users to view the skies as seen from Earth. Like Google Earth, Sky will let users fly around and zoom in, exposing increasingly detailed imagery of some 100 million stars and 200 million galaxies. “You will be able to browse into the sky like never before,” said Carol Christian, an astronomer with the Space Telescope Science Institute, a nonprofit academic consortium that supports the Hubble Space Telescope. While other programs allow users to explore the skies, they typically combine a mix of representations of stars and galaxies that are overlaid with photographs, Ms. Christian said. “These are really the images of the sky. Everything is real.” The Sky imagery was stitched together from more than one million photographs from scientific and academic sources, including the Sloan Digital Sky Survey, the Palomar Observatory at the California Institute of Technology and the NASA-financed Hubble. Google said that it developed the project strictly because some of its engineers were interested in it, and that it had no plans to make money from it for now. http://www.nytimes.com/2007/08/22/technology/22sky.html?ex=1345435200&en=54c20b9d89f2e2df&ei=5090&partner=rssuserland&emc=rss

TOP LAWYERS BILL $1,000 AN HOUR (ABA Journal, 22 August 2007) - Lawyers at some of New York’s top firms are billing $1,000 an hour. The move was a reluctant one for some law firms, the Wall Street Journal (sub. req.) reports. “We have viewed $1,000 an hour as a possible vomit point for clients,” a partner at one New York firm told the newspaper. Firms that have hit the four-figure mark for top partners include: Simpson Thacher & Bartlett; Cadwalader, Wickersham & Taft; and Fried, Frank, Harris, Shriver & Jacobson. The Wall Street Journal’s Law Blog ran photos of the top billers and proclaimed them members of a new elite fraternity: the Law Blog Thousand-Dollar Bar. Barry Ostrager of Simpson Thacher says he’s worth the high price. “I haven’t personally experienced resistance to my billing rates,” he told the newspaper. “The legal marketplace is very sophisticated.” Some clients agree. Mike Dillon, the general counsel of Sun Microsystems Inc., says the pay is lower than that of major league baseball players, who make the equivalent of $15,000 per hour. “One thousand dollars for very seasoned lawyers who can solve complex problems doesn’t seem to be inappropriate,” he told the newspaper. http://www.abajournal.com/weekly/top_lawyers_bill_1000_an_hour

CT RULES CONTRACT MAY BE UNCONSCIONABLE EVEN WHEN TERMS READ (BNA’s Internet Law News, 23 August 2007) - BNA’s Electronic Commerce & Law Report reports that a federal court in California has ruled that a click-through contract of adhesion subject to a class action waiver can be void for substantive unconscionability notwithstanding clear notice of applicable terms and conditions. The court said that notice of applicable terms and conditions eliminated the possibility that a party would be surprised, but it did not eliminate oppression. Case name is Brazil v. Dell Inc.

“SOFTWARE AS A SERVICE” MAY LACK KEY BANKRUPTCY PROTECTION OF TRADITIONAL LICENSING (McGuire Woods client alert, 23 August 2007) - Software as a Service (SaaS) is more than a buzzword in the software industry. It is a rapidly growing business model for software deployment that, according to industry reports, is a $5.1 billion business in 2007 and continuing to grow rapidly. SaaS generally consists of a vendor hosting and managing software on its computers, with the end-user connecting over the Internet to use it remotely. Unlike a traditional software license, the end user does not receive a copy of the software and it is not installed on the end user’s computer. The trendsetting example for large enterprises was salesforce.com; other examples include WebEx, Google Docs and Spreadsheets, and Comdev’s oDesktop. As SaaS solutions become more ubiquitous, there are bound to be SaaS vendors that fail financially and seek protection under bankruptcy law. Corporate IT departments, and the lawyers supporting them, should be aware that one of the key legal protections a licensee has in the event of a vendor bankruptcy under the traditional software licensing model may not be available or effective in the SaaS model. Under a traditional software delivery model (i.e., physical delivery and installation of the software on the licensee’s computer), if the vendor used the bankruptcy law to abrogate the license agreement (“rejection” in bankruptcy terminology), the licensee had the protection of Section 365(n) of the Bankruptcy Code to elect to retain its intellectual property rights. But in the case of SaaS solutions, it is unclear if the same protection exists. Section 365(n) only applies when the debtor is a licensor of a right to intellectual property. 
Although SaaS contracts provide the SaaS customer a right to access intellectual property (e.g., copyrighted or patented software), by its nature, a SaaS agreement is a services contract and it is not at all certain that the customer is actually using the underlying intellectual property in any way that requires a license. The SaaS vendor hosts, supports and maintains the software on its own equipment, merely allowing the customer to interact with it remotely. Without an intellectual property license, the customer does not have an ability to retain its rights under Section 365(n). Although it is by no means certain that a license under the protection of Section 365(n) can be created merely by saying that a license exists, SaaS customers can help lay the groundwork for this protection by including express license grant language in the SaaS agreement clearly articulating what it is that is being licensed and including language stating that the parties intend to obtain the protection of Section 365(n). For example: “SaaS Vendor hereby grants a license to the Software. This is an intellectual property license subject to 11 U.S.C. Section 365(n). Failure of SaaS Vendor to perform its continuing obligations under this Agreement constitutes a material breach excusing SaaS Customer from performing.” http://www.mcguirewoods.com/news-resources/item.asp?item=2785

CANADIAN PRIVACY COMMISSIONER ISSUES DATA BREACH NOTIFICATION GUIDANCE (Steptoe & Johnson’s E-Commerce Law Week, 23 August 2007) - Canada’s Office of the Privacy Commissioner has released voluntary guidelines for responding to data breaches involving the personal information of residents of the Great White North. The guidelines, which are summarized in an accompanying checklist and were drafted in consultation with the private sector, are intended to lead organizations through the “four key steps” of breach response: containment and preliminary assessment, risk evaluation, notification, and prevention. The guidelines define a breach as the “unauthorized access to or collection, use, or disclosure of personal information,” where such activity is “unauthorized” if it violates the Personal Information Protection and Electronic Documents Act or similar provincial privacy legislation. Although voluntary, these guidelines could help shape future Canadian breach notification legislation. http://www.steptoe.com/publications-4771.html Guidelines here: http://www.privcom.gc.ca/media/nr-c/2007/nr-c_070801_guidelines_e.pdf

WHAT STATE SECRETS? NATIONAL INTELLIGENCE DIRECTOR COPS TO SPYING PROGRAM (ArsTechnica, 23 August 2007) - In an in-depth interview with the El Paso Times yesterday, National Intelligence Director Mike McConnell offered new details about the government’s surveillance activities and the administration’s recent full-court press for expanded wiretapping powers. McConnell described the hectic week of negotiations that led up to the passage of this month’s FISA legislation, and he denied charges that he had negotiated in bad faith. Several versions of the legislation were circulated on Capitol Hill in the last week before the August recess, and McConnell said he didn’t have time to review the Senate’s latest draft until Friday evening. At that point, he found provisions he considered unacceptable and insisted that the Senate pass a different version that had first circulated two days earlier. The Senate passed McConnell’s preferred version and adjourned, forcing the House to either pass the Senate’s language or no language at all. McConnell charged that as a result of press reports and Congressional debates regarding surveillance activities, “some Americans are going to die.” That’s because disclosures about surveillance activities will tip off terrorists to the existence of American surveillance programs and prompt them to use alternate communication methods, making it more difficult for the authorities to stop terrorist attacks before they occur. McConnell also acknowledged “under the president’s program, the terrorist surveillance program, the private sector had assisted us. Because if you’re going to get access you’ve got to have a partner and they were being sued.” Although he didn’t mention AT&T by name, McConnell’s statement appears to be a tacit admission of the accusations in the Electronic Frontier Foundation’s lawsuit against AT&T. 
That’s a surprising admission because in April, McConnell filed a sworn statement that “The disclosure of any information that would tend to confirm or deny... an alleged classified intelligence relationship between the NSA and MCI/Verizon, would cause exceptionally grave harm to the national security.” EFF lost no time in pointing out the inconsistency. “On the government’s theory, the truth that is as plain as the nose on your face remains secret until the private sectors’ assistance has been officially acknowledged by the Administration,” writes Derek Slater on the EFF blog. “The evidence already on the record is sufficient to move forward with the case, but McConnell’s statement should absolutely settle the question.” McConnell must have realized that his statements would weaken the government’s state secret arguments, suggesting that the White House may have decided to shift its legal strategy in the telecom liability cases. The administration may be worried about an embarrassing legal setback if the Ninth Circuit rejects its state secrets argument. McConnell may have concluded that going public about the program would help him obtain legislation from Congress granting telecom companies retroactive blanket immunity for their participation in the wiretapping program. http://arstechnica.com/news.ars/post/20070823-what-state-secrets-national-intelligence-director-cops-to-spying-program.html

- and -

U.S. MAY INVOKE ‘STATE SECRETS’ TO SQUELCH SUIT AGAINST SWIFT (Int’l Herald Tribune, 31 August 2007) - The Bush administration is signaling that it plans to turn once again to a favorite legal tool known as the “state secrets” privilege to try to shut down a lawsuit brought against a Belgium banking cooperative that secretly supplied millions of private financial records to the U.S. government, court documents show. The lawsuit against the banking consortium, which is known as Swift, threatens to disrupt the operations of a vital national security program and to reveal “highly classified information” if it is allowed to continue, the Justice Department said in several recent court filings asserting its strong interest in seeing the lawsuit dismissed. A hearing on the future of the lawsuit was scheduled for Friday in federal court in Alexandria, Virginia. The “state secrets” privilege, allowing the government to shut down public litigation on national security grounds, was once a rarely used tool. But the Bush administration has turned to it dozens of times in terrorism-related cases in seeking to end public discussion of everything from an FBI whistle-blower’s claims to the abduction of a German terrorism suspect. Most notably, the Bush administration has sought to use the state secrets assertion to kill numerous lawsuits against telecommunications carriers over the National Security Agency’s domestic eavesdropping program, but a judge in California rejected that claim. The issue is now pending before an appeals court, where judges in a hearing two weeks ago expressed skepticism about the administration’s claims. http://iht.com/articles/2007/08/31/america/swift.php

A NEW METHOD TO DETECT SOFTWARE THEFT (IDW-online.de, 23 August 2007) - Developing software is expensive. This tempts some programmers to illegally include third-party software in their own programs. Researchers at Saarland University have developed a new method for detecting this kind of software theft. It analyzes the behavior of one program and looks for similarities in other programs. Today, most software consists of independent components, which makes it easy to include parts of a software into another program. Yet, for a code owner such theft is difficult to prove in court. David Schuler, researcher at Saarland University, developed a tool called API BIRTHMARK that measures the degree of similarity between programs. A company that suspects code theft may use API BIRTHMARK to run both its own program and a foreign program. When this yields a high degree of similarity, code theft is likely and further investigations are warranted. The novelty of Schuler’s method is that it compares the behavior of programs rather than their code. A program’s code can easily be obfuscated without destroying it. Such obfuscation tools are freely available on the internet. On the other hand, a program’s behavior is difficult to change without breaking the program, just like a birthmark. David Schuler and his co-authors Valentin Dallmeier and Christian Lindig have shown that birthmarks from Java programs are immune against the best obfuscation tools available. A paper on the birthmarking technique has been accepted at the Automated Software Engineering (ASE 2007) conference which will be held in Atlanta, USA. This year, only 37 submissions out of 312 got accepted to ASE 2007. http://idw-online.de/pages/de/news222661

LINUX FELON FORCED TO INSTALL WINDOWS (CNET, 24 August 2007) - A Linux user who was jailed for uploading a film onto a peer-to-peer service has been told he will have to switch to Windows if he wants to use a computer again. Scott McCausland, who used to be an administrator of the EliteTorrents BitTorrent server before it was shut down by the FBI, pleaded guilty in 2006 to two copyright-related charges over the uploading of Star Wars: Episode III to the Internet. As a result, he was sentenced to five months in jail and five months’ home confinement. McCausland, who also goes by the name “sk0t”, has since been released from jail, but on Tuesday he reported on his blog that the terms of his sentence meant he would have to install Windows if he wanted to use a computer during his probation. “I had a meeting with my probation officer today, and he told me that he has to install monitoring software onto my PC,” wrote McCausland. “No big deal to me... that is part of my sentence.” http://news.com.com/2100-1030_3-6204348.html [Editor: 8th Amendment?] also http://techdirt.com/articles/20070822/221127.shtml

BEIJING SOFTWARE COMPANY SUES OVER CHINESE CHARACTER FONTS IN ‘WORLD OF WARCRAFT’ (SiliconValley.com, 24 August 2007) - A Beijing-based software company has filed a lawsuit against the creator of the “World of Warcraft” and the game’s local operator for allegedly using its Chinese character fonts illegally. Founder Group’s lawsuit seeks $13.2 million in damages, company spokesman Song Zhenying said Friday. The Chinese version of “World of Warcraft,” run by Shanghai-based The9 Ltd., uses five Chinese character fonts developed by Founder without authorization, Song said. Founder employees discovered the alleged violations while playing the game. http://www.siliconvalley.com/news/ci_6709880 [Editor: font copyright claims have been around for a while, but seemingly are becoming more common.]

CONSUMER INNOVATIONS TO INFORM WEB SITE FOR SPIES (Washington Post, 25 August 2007) - Government agents may soon find valuable information through an online-recommendation system like the one on Amazon.com: Spies who read this report, it might say, also found these reports useful. That is one of several features the Office of the Director of National Intelligence might borrow from mainstream technology as it designs its new Web-based information-sharing system. The DNI is working on a new system intended to “tunnel through” the 16 different intelligence-gathering agencies in hopes of streamlining data sharing, said Michael Wertheimer, DNI’s assistant deputy director for analytic transformation and technology. The system, called A-Space, will only be open to those cleared to use it and is scheduled to go live in December. The DNI said it was taking its cues from social networking sites, Web-based mail, online maps and other commonly used online tools. Next month, it will take its concepts to a conference in Chicago, where universities, tech companies and other government agencies will be invited to scrutinize the project. “This is a revolutionary concept for us,” Wertheimer said. “This is unlike any other technology we’ve created.” This is not the government’s first attempt to imitate consumer technology. Last year, inspired by the popular user-generated encyclopedia Wikipedia, the government launched Intellipedia, an internal site aimed at information exchange in the intelligence community. http://www.washingtonpost.com/wp-dyn/content/article/2007/08/24/AR2007082401868.html

- and -

LOGGED IN AND SHARING GOSSIP, ER, INTELLIGENCE (New York Times, 2 Sept 2007) - America’s spies, like America’s teenagers, are secretive, talk in code and get in trouble if they’re not watched closely. It’s hard to imagine spies logging on and exchanging “whuddups” with strangers, though. They’re just not wired that way. If networking is lifeblood to the teenager, it’s viewed with deep suspicion by the spy. The intelligence agencies have something like networking in mind, though, as they scramble to adopt Web technologies that young people have already mastered in the millions. The idea is to try to solve the information-sharing problems inherent in the spy world — and blamed, most spectacularly, for the failure to prevent the Sept. 11 attacks. In December, officials say, the agencies will introduce A-Space, a top-secret variant of the social networking Web sites MySpace and Facebook. The “A” stands for “analyst,” and where Facebook users swap snapshots, homework tips and gossip, intelligence analysts will be able to compare notes on satellite photos of North Korean nuclear sites, Iraqi insurgents and Chinese missiles. A-Space will join Intellipedia, the spooks’ Wikipedia, where intelligence officers from all 16 American spy agencies pool their knowledge. Sixteen months after its creation, officials say, the top-secret version of Intellipedia has 29,255 articles, with an average of 114 new articles and more than 4,800 edits to articles added each workday. A separate online Library of National Intelligence is to include all official intelligence reports sent out by each agency, offering Amazon.com-style suggestions: if you liked that piece on Venezuela’s oil reserves, how about this one on Russia’s? And blogs, accessible only to other spies, are proliferating behind the security fences. “We see the Internet passing us in the fast lane,” said Mike Wertheimer, of the office of the Director of National Intelligence, who is overseeing the introduction of A-Space. 
“We’re playing a little catch-up.” It remains to be seen, however, whether technology alone can bring to secretive bureaucracies the connectedness that comes naturally to cybersurfers in the outside world. Skeptics say turf — the curse of the spy world — might keep analysts from using the tools. Mr. Wertheimer acknowledges that some managers discourage their people from adding to the Web encyclopedia, fearing that their agencies will lose credit for scoops. And for the intelligence world, putting the Web tools to work requires a cultural revolution. “Need to know” has long been the agencies’ mantra. The juiciest stuff is still called S.C.I., or Sensitive Compartmented Information, and walling off data offers protection against leaks and moles, or so the theory goes. But the Sept. 11 attacks revealed how hoarding information could lead to catastrophe. In a report released last month, the Central Intelligence Agency’s inspector general described a dysfunctional spy family, in which the National Security Agency refused to share intercepts from Al Qaeda with the C.I.A., and the C.I.A., in turn, withheld information from the F.B.I. More than 50 C.I.A. officers read cables in early 2000 about two future hijackers but failed to ask the State Department to put them on a watch list, the report said. To prevent such blunders, Congress created the post of director of national intelligence in late 2004 with orders to rope the 16 spy agencies into a single enterprise. The National Counterterrorism Center serves as a hub for threat information. There are plans to train analysts from different agencies together. http://www.nytimes.com/2007/09/02/weekinreview/02shane.html?ex=1346385600&en=9ef7336e97799b9a&ei=5090&partner=rssuserland&emc=rss

BREACHES OF PERSONALLY IDENTIFYING DATA NOT ENOUGH FOR CLASS ACTION (ArsTechnica, 27 August 2007) - Unless you’ve been living in a concrete bomb shelter at the end of a gravel road beside a Wyoming mountain lake (Hi, Uncle Jasper!), you’ve seen a flood of news stories over the last few years about data breaches and the resulting identity theft worries. While the breaches themselves often make news and elicit the outrage of the punditocracy, what happens months later when the victims file class action lawsuits? An appeals court decision last week provides the answer: not much. The US Court of Appeals for the Seventh District has just agreed with a lower court that consumers were not entitled to form a class against Old National Bancorp after a 2005 data breach revealed personal information including Social Security numbers and financial details. That’s because the prospective class members did not suffer any actual damage from the breach. “Significantly, the plaintiffs did not allege any completed direct financial loss to their accounts as a result of the breach,” said the court in its opinion. “Nor did they claim that they or any other member of the putative class already had been the victim of identity theft as a result of the breach.” Indiana law requires that claims for damages be based on actual rather than speculative damages. The court also noted that five other federal judges had rejected requests for “the cost of credit monitoring as an alternative award for what would otherwise be speculative and unrecoverable damages.” In a nutshell: victims can come back when there’s a demonstrated problem. Until then, they get nothing, even if they shell out privately for credit monitoring. http://arstechnica.com/news.ars/post/20070827-identity-theft-alone-not-enough-for-class-action-lawsuit.html and http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9032778&source=NLT_AM&nlid=1

SEC PUBLISHES RULE REQUIRING INTERNET POSTING OF PROXY MATERIALS (Duane Morris client alert, 28 August 2007) - The SEC recently published final regulations on Shareholder Choice Regarding Proxy Materials. The amendments to the proxy rules under the Securities Exchange Act of 1934 (“Amendments”) require issuers and other soliciting persons to post proxy materials on a publicly accessible Internet web site and to provide notice to shareholders of the availability of those materials. Issuers and other soliciting persons must follow a notice and access model, which allows two options to issuers to provide proxy materials to shareholders: (1) the “notice only” option and (2) the “full set delivery” paper option. If the issuer chooses to post its proxy materials on the Internet web site, under the “notice only” option, shareholders may elect to receive these proxy materials in paper copy format. [More, at http://www.duanemorris.com/alerts/alert2607.html]

POINT, CLICK ... EAVESDROP: HOW THE FBI WIRETAP NET OPERATES (Wired, 29 August 2007) - The FBI has quietly built a sophisticated, point-and-click surveillance system that performs instant wiretaps on almost any communications device, according to nearly a thousand pages of restricted documents newly released under the Freedom of Information Act. The surveillance system, called DCSNet, for Digital Collection System Network, connects FBI wiretapping rooms to switches controlled by traditional land-line operators, internet-telephony providers and cellular companies. It is far more intricately woven into the nation’s telecom infrastructure than observers suspected. It’s a “comprehensive wiretap system that intercepts wire-line phones, cellular phones, SMS and push-to-talk systems,” says Steven Bellovin, a Columbia University computer science professor and longtime surveillance expert. DCSNet is a suite of software that collects, sifts and stores phone numbers, phone calls and text messages. The system directly connects FBI wiretapping outposts around the country to a far-reaching private communications network. Many of the details of the system and its full capabilities were redacted from the documents acquired by the Electronic Frontier Foundation, but they show that DCSNet includes at least three collection components. http://www.wired.com/politics/security/news/2007/08/wiretap?currentPage=all [Editor: gosh.]

CT RULES SINGLE EBAY SALE SUFFICIENT TO ASSERT JURISDICTION (BNA’s Internet Law News, 30 August 2007) - BNA’s Electronic Commerce & Law Report reports that the Louisiana Court of Appeal has ruled that sellers using eBay purposefully avail themselves of forums where their buyers reside by virtue of the eBay site’s interactivity. The court analyzed an eBay sale gone wrong under the interactivity test established in Zippo. The court concluded that because eBay is more than an “information only” site, all sales facilitated through it were the result of intentional contacts that would support jurisdiction. Case name is Crummey v. Morgan.

BRITISH LABOR GROUP SAYS WORKERS SHOULD BE ALLOWED TO USE FACEBOOK ON JOB (SiliconValley.com, 30 August 2007) - Employers should allow their workers to befriend, chat and “poke” each other through online networking sites while at work, Britain’s largest labor federation said Thursday. While accepting that employers were within their rights to block employees from using sites such as Facebook and MySpace, the Trades Union Congress, or TUC, said a ban “may be something of an overreaction.” “Sensible employers, realizing that their staff spend much of their waking hours in work and lead busy lives, should be trusted to spend a few minutes of their lunch break ‘poking’ their friends or making plans for outside work,” the TUC said in guidance published on its Web site. The sites can be a headache for employers and educators - especially when users affiliated with a school or company post inflammatory, indiscreet or just plain embarrassing content. Organizations as diverse as the Ministry of Defense and Oxford University have issued guidance within the past month on using the sites. The TUC said bosses needed to give their employees guidance on what was and was not acceptable online, rather than imposing a ban. It warned that in the absence of any workplace rules, British Facebook users were millions of “accidents waiting to happen.” “It’s unreasonable for employers to try to stop their staff from having a life outside work, just because they can’t get their heads around the technology,” TUC General Secretary Brendan Barber said in a statement. “Better to invest a little time in working out sensible conduct guidelines, so that there don’t need to be any nasty surprises for staff or employers.” http://www.siliconvalley.com/news/ci_6760221 [Editor: The New York Times ran such a story in 1997: http://tinyurl.com/39d2e5; I agree.]

NIST ISSUES GUIDELINES ON SECURING WEB SERVICES (GCN, 30 August 2007) - The National Institute of Standards and Technology has released a 128-page guide to help organizations understand the security challenges of Web services in service-oriented architecture. NIST Special Publication 800-95, “Guide to Secure Web Services,” provides practical guidance on current and emerging standards applicable to Web services in addition to background information on the most common security threats to SOAs based on Web services. The guidelines are hardware and software independent and do not address perimeter security devices such as firewalls or access control tools. http://www.gcn.com/online/vol1_no1/44962-1.html?topic=security&CMP=OTC-RSS Guide at http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf; useful introduction at http://www.stsc.hill.af.mil/CrossTalk/2007/09/0709Goertzel.html

AT RAPLEAF, YOUR PERSONALS ARE PUBLIC (CNET, 31 August 2007) - In the cozy Facebook social network, it’s easy to have a sense of privacy among friends and business acquaintances. But sites like Rapleaf will quickly jar you awake: Everything you say or do on a social network could be fair game to sell to marketers. Rapleaf, based in San Francisco, is building a business on that premise. The privately held start-up, whose investors include Facebook-backer and PayPal co-founder Peter Thiel, runs two consumer Web sites: Rapleaf.com, a people search engine that lets you retrieve the name, age and social-network affiliations of anyone, as long as you have his or her e-mail address; and Upscoop.com, a similar site to discover, en masse, the social networks to which the people in your contact list belong. To use Upscoop, you must first give the site the username and password of your e-mail account at Gmail, Hotmail, Yahoo or AOL. By collecting these e-mail addresses, Rapleaf has already amassed a database of 50 million profiles, which might include a person’s age, birth date, physical address, alma mater, friends, favorite books and music, political affiliations, as well as how long that person has been online, which social networks he frequents, and what applications he’s downloaded. All of this information could come in handy for Rapleaf’s third business, TrustFuse, which sells data (but not e-mail addresses) to marketers so they can better target customers, according to TrustFuse’s Web site. http://news.com.com/2100-1038_3-6205716.html

- and -

FACEBOOK LETS USERS CHOOSE TO PUBLICIZE THEMSELVES (Washington Post, 5 Sept 2007) - Facebook Inc, the social-network site that has enjoyed explosive growth in new members over the past three months, said it plans to let users tell the rest of the world how to find them on the site. Starting later on Wednesday, Facebook will begin notifying members they have a choice over whether to keep their listings private or to allow Facebook to make their name and profile picture available when outsiders search the site. The Palo Alto, California-based site has grown to 39 million members, up 62.5 percent from 24 million in late May. By publicizing member profiles, Facebook could attract a new wave of users. Unlike most sites on the Web, Facebook has previously denied access by search services to information on the site. But after notifying users over the next 30 days of its plans to open up basic profile listings of its members, Facebook plans to begin allowing sites like Google, Yahoo or others to “crawl,” or index, its public member profiles. http://www.washingtonpost.com/wp-dyn/content/article/2007/09/05/AR2007090500300.html

GOOGLE NEWS IN LICENSING DEALS WITH WIRE SERVICES (Reuters, 31 August 2007) - Google is giving more credit to the original reporting of news agencies like the Associated Press while setting the stage to generate advertising revenue from Google News, the company said on Friday. Josh Cohen, business product manager of Google News, said his company is looking to reduce the proliferation of the same story from multiple news sites on Google News and thereby allow it to feature a greater variety of different news stories. “When you have many versions of the same story you are not providing different perspectives,” Cohen said in a phone interview. “For the users, we will be able to display a better selection of stories with less duplication,” Cohen said. The partners, which include Britain’s Press Association, Canadian Press, Agence France-Presse and the Associated Press of the United States, will have their stories featured with the organizations’ own brands on Google News-hosted landing pages. The changes won’t affect the ranking of what stories turn up in the search results of Google News, Cohen stressed. If an AP story ranked eighth among different versions of a story previously, it would still rank eighth under the new service. http://news.com.com/2100-1024_3-6205577.html

GOOGLE SETTLES SUIT OVER AD KEYWORDS (SiliconValley.com, 1 Sept 2007) - Google settled a lawsuit with American Blind & Wallpaper Factory on Friday, ending a long-running battle about whether its keyword-advertising policy infringed trademarks. Eric Goldman, director of the High Tech Law Institute at Santa Clara University, said the outcome amounted to a “stunning victory” for Google. American Blind sued Google four years ago for selling ads to its competitors that were triggered by search terms, also known as keywords, that exactly or nearly matched its brands. A verdict that found Google had infringed trademarks could have had major implications for Internet advertising. However, the Michigan company ran into a big problem in April when Judge Jeremy Fogel, of U.S. District Court in San Jose, said in a pretrial ruling that the company’s trademarks - “American Blind” and “American Blinds” - were descriptive terms and unenforceable. Fogel did allow the case to proceed, however, based on three other trademarks, “American Blind Factory,” “Decoratetoday” and “American Blind & Wallpaper Factory.” Fogel also noted that there is a significant public interest in determining whether Google’s advertising program violated trademark law. Google has lost trademark cases overseas; however, no definitive ruling has been entered in the United States. But the two sides decided to settle. Under the terms of the pact, Google will continue to follow its current trademark policy. http://www.siliconvalley.com/news/ci_6779007

PENTAGON E-MAIL SYSTEM BREACHED (Reuters, 4 Sept 2007) - The Pentagon on Tuesday said computer hackers gained access to an unclassified e-mail system in the office of Defense Secretary Robert Gates, but declined comment on a report that the Chinese army was responsible. The security breach occurred late last spring when Defense Department monitors detected the penetration of “elements of an unclassified e-mail system” that was immediately taken off line, Pentagon spokesman Bryan Whitman told reporters. The e-mail system, located in the office of the secretary of defense, did not return to full operation for up to three weeks. “There was never any threat to the classified systems,” Whitman said. “There was no disruption to (defense) operations or adverse impact to ongoing operations that the department was conducting ... all precautionary measures were taken and the system was restored to service,” he said. Whitman spoke after the Financial Times newspaper quoted current and former U.S. officials as saying that Chinese People’s Liberation Army hackers broke into a Defense Department network in June and removed data. The Financial Times cited one source familiar with the Pentagon incident as saying there was a “very high level of confidence ... trending towards total certainty” that the Chinese army was behind it. http://news.yahoo.com/s/nm/20070904/wr_nm/china_usa_hacking_dc_4;_ylt=AlTFU9z0fnCnIQabK3L_OL8E1vAI

FEC RESOLVED TWO MATTERS INVOLVING INTERNET ACTIVITY; APPLIES MEDIA EXEMPTION TO POLITICAL BLOGS (FEC, 4 Sept 2007) - The Federal Election Commission announced today that it has unanimously resolved two complaints alleging that Internet blog activity is subject to Commission regulation, finding that the activity is exempt from regulation under the media or volunteer exemption. In Matter Under Review (MUR) 5928, the Commission determined that Kos Media, L.L.C., which operates the website DailyKos, did not violate the Federal Election Campaign Act. The Commission rejected allegations that the site should be regulated as a political committee because it charges a fee to place advertising on its website and it provides “a gift of free advertising and candidate media services” by posting blog entries that support candidates. The Commission determined that the website falls squarely within the media exemption and is therefore not subject to federal regulation under the Act. Since 1974, media activity has been explicitly exempted from federal campaign finance regulation. In March 2006, the Commission made clear that this exemption extends to online media publications and that “costs incurred in covering or carrying a news story, commentary, or editorial by any broadcasting station. . . , Web site, newspaper, magazine, or other periodical publication, including any Internet or electronic publication,” are not a contribution or expenditure unless the facility is owned by a political party, committee, or candidate. With respect to MUR 5928, the FEC found that Kos Media meets the definition of a media entity and that the activity described in the complaint falls within the media exemption. Thus, activity on the DailyKos website does not constitute a contribution or expenditure that would trigger political committee status. The Commission therefore found no reason to believe Kos Media, DailyKos.com, or Markos Moulitsas Zuniga violated federal campaign finance law. 
In MUR 5853, the Commission rejected allegations that Michael L. Grace made unreported expenditures when he leased space on a computer server to create a “blog” which advocated the defeat of Representative Mary Bono in the November 2006 election. The Commission also rejected allegations that Grace coordinated these expenditures with Bono’s opponent in the race, David Roth, and found that no in-kind contributions to Roth’s campaign resulted from Grace’s blogging activity. The Commission also found that the respondent did not fraudulently misrepresent himself in violation of 2 U.S.C. § 441h. The Act exempts from regulation volunteer activity by individuals. In the FEC’s Internet regulations, the Commission clarified that an individual’s use, without compensation, of equipment and personal services for blogging, creating, or hosting a website for the purpose of influencing a Federal election are not expenditures subject to the restrictions of campaign finance law. Even if there were some costs or value associated with Mr. Grace’s blog, these costs are exempt from Commission regulations. The FEC therefore found no reason to believe Mr. Grace or the Roth campaign violated federal campaign finance law. http://www.fec.gov/press/press2007/20070904murs.shtml

SURFING THE NET IS NOW WORK FOR LAWYERS (ABA Journal, 4 Sept 2007) - When a Minnesota doctor recently saw a young patient with an unusual bulging eye, he had no trouble finding multiple experts to consult with him right away about the case. Dozens of physicians offered suggestions via a social networking site exclusively for physicians. Such sites are a growing trend, offering an alternative to Facebook and other mainstream social networks for doctors and other professionals, reports the Wall Street Journal. It says an online suggestion on 25,000-member Sermo.com helped Dr. Michael Tomblyn diagnose a fast-growing cancer in his 21-year-old patient. A new social networking site for attorneys called LawLink launched last week after two years of development. It already has 200 members, according to Steven Choi, an Oakland, Calif., civil litigator who is one of its founders. Free to members—who must be licensed attorneys—the site is intended to serve as a forum for referrals, discussion of professional issues and information-sharing, Choi tells ABAJournal.com. Still on the drawing board is Legal OnRamp, a similar online, members-only community of corporate in-house counsel and the law firm attorneys that represent their companies. It is the brainchild of Mark Chandler, general counsel of Cisco Systems. He envisions a limited-access site that serves both as a marketplace for corporations to find qualified legal counsel and as an information-sharing forum for discussion of issues and strategies, according to the ABA Journal. Members of the LawLink site can post a photo, profile and brochure about themselves; view the same information in linked networks of colleagues; post and view classified ads seeking anything from a law firm employee to a date; or surf the site to participate in discussion forums and meet other attorneys. “I’ve been involved in the Internet since the inception, and I’m very familiar with the social networking sites,” Choi says. 
“It was just my own desire that there would be a social networking site for attorneys, only for attorneys, not for anybody else.” http://www.abajournal.com/weekly/surfing_the_net_is_now_work_for_lawyers/

HBO BUYS FILM MADE IN SECOND LIFE (Reuters, 4 Sept 2007) - HBO said on Tuesday it has acquired the rights to a short-form documentary shot entirely within Second Life, as entertainment companies increasingly turn to virtual worlds as a source for new content. “My Second Life: The video diaries of Molotov Alta” purports to tell the story of a man who “disappeared from his California home” and began issuing video dispatches from Second Life. The popular virtual world, which has its own currency and a growing economy, has drawn millions of users who create alter egos called avatars and interact with people from around the world. HBO, the premium channel owned by Time Warner Inc, paid a six-figure sum for the rights, Douglas Gayeton, who made the film, said in an interview. Gayeton, who uses the avatar Molotov Alta in Second Life, said the documentary is scheduled for release in 2008. Second Life has hosted dozens of real world companies in the past year, usually as a means of promoting products like cars or movies. However, Hollywood has been increasingly interested in using worlds like Second Life as virtual movie sets, a process known as machinima. For example, CBS created a machinima Super Bowl ad for its TV show “Two and a Half Men,” and will feature footage shot within Second Life in an upcoming episode of its popular show CSI. http://news.yahoo.com/s/nm/20070904/wr_nm/hbo_secondlife_dc_2;_ylt=AvSsMuNa9NRLl.pKC84BUd0E1vAI Episode 1 online at http://youtube.com/watch?v=wa7u0a9pUSs

- and -

GO INTO REAL AND VIRTUAL DEBT WITH SECOND LIFE’S METACARD (Wired, 5 Sept 2007) - Just what Second Life needed. After the collapse of virtual bank Ginko Financial last month, a Singapore company has come along and is readying the first “virtual credit card” for Second Life. Compliments of FirstMeta, the so-called MetaCard works just like its real-life counterparts. You’ll be able to obtain basic and gold versions (what, no Platinum?) and fully succumb to that “buy it now, figure out how to pay for it later” spirit we here in the U.S. have fully embraced. Okay, that’s not entirely true. For one thing, the basic card is subject to an avatar check and actually provides only a relatively small credit limit of 5000 Lindens, or about $18.60, per month. The Gold, on the other hand, pushes that credit limit up to 10,000 Lindens, or $37.20 per month, according to FirstMeta. Keep in mind the card also can only be used at certain in-world stores, which at the time of writing number about 75. While FirstMeta says there are no maintenance, minimum balance or withdrawal fees, interest will be charged to balances at between 0.13 and 0.15 percent a day, compounding, which is equivalent to a 47.45% to 54.75% annual percentage rate - which by any measure is an exorbitant amount of interest. Interestingly, FirstMeta is offering Second Life citizens credit that is linked to a real world account, making that line between the real and virtual money even fuzzier. Linden Lab has already weighed in on the whole virtual banking matter, so it’ll be interesting to see how a financial services company that would, in the real world, be subject to regulatory laws does in the metaverse. http://blog.wired.com/business/2007/09/go-into-real-an.html

DHS KILLS DATA-MINING PROGRAM THAT USED PERSONAL INFORMATION WITHOUT PROTECTING PRIVACY (SiliconValley.com, 5 Sept 2007) - The Homeland Security Department scrapped an ambitious anti-terrorism data-mining tool after investigators found it was tested with information about real people without required privacy safeguards. The department has spent $42 million since 2003 developing the software tool known as ADVISE, the Analysis, Dissemination, Visualization, Insight and Semantic Enhancement program, at the Lawrence Livermore and Pacific Northwest national laboratories. It was intended for wide use by DHS components, including immigration, customs, border protection, biological defense and its intelligence office. Pilot tests of the program were quietly suspended in March after Congress’ Government Accountability Office warned that “the ADVISE tool could misidentify or erroneously associate an individual with undesirable activity such as fraud, crime or terrorism.” Since then, Homeland Security’s inspector general and the DHS privacy office discovered that tests used live data about real people rather than made-up data for one to two years without meeting privacy requirements. The inspector general also said ADVISE was poorly planned, time-consuming for analysts to use and lacked adequate justifications. ADVISE was one of the broadest of 12 data-mining projects in the agency. A DHS research official said in 2004 it would be able to ingest 1 billion pieces per hour of structured information, such as databases of cargo shippers, and 1 million pieces per hour from unstructured text, such as government intelligence reports. The system was supposed to identify links between bits of information that could otherwise go unnoticed. And it would graphically display results in charts of relationships and links. 
A DHS workshop report in 2004 said it hoped to answer queries like: “Identify any suspicious group of individuals that passed through customs at JFK (airport in New York) in January 2004.” The GAO said in March that DHS should notify the public about how an individual’s personal information would be verified, used and protected before ADVISE was implemented on live data. Then, in separate reports released without fanfare in July and August, the DHS inspector general and privacy office concluded that between 2004 and 2007, three pilot tests of ADVISE used personally identifiable information without first issuing required privacy impact assessments. The privacy office said this “created unnecessary privacy risks.” http://www.siliconvalley.com/news/ci_6809649

JUSTICE DEPARTMENT OPPOSES ‘NET NEUTRALITY’ LAWS (SiliconValley.com, 6 Sept 2007) - The Justice Department on Thursday said Internet service providers should be allowed to charge a fee for priority Web traffic. The agency told the Federal Communications Commission, which is reviewing high-speed Internet practices, that it is opposed to “Net neutrality,” the principle that all Internet sites should be equally accessible to any Web user. Several phone and cable companies, such as AT&T Inc., Verizon Communications Inc. and Comcast Corp., have previously said they want the option to charge some users more money for loading certain content or Web sites faster than others. The Justice Department said imposing a Net neutrality regulation could hamper development of the Internet and prevent service providers from upgrading or expanding their networks. It could also shift the “entire burden of implementing costly network expansions and improvements onto consumers,” the agency said in its filing. Such a result could diminish or delay network expansion and improvement, it added. The agency said providing different levels of service is common, efficient and could satisfy consumers. As an example, it cited that the U.S. Postal Service charges customers different guarantees and speeds for package delivery, ranging from bulk mail to overnight delivery. “Whether or not the same type of differentiated products and services will develop on the Internet should be determined by market forces, not regulatory intervention,” The agency’s stance comes more than two months after Federal Trade Commission Chairwoman Deborah Platt Majoras cautioned policy makers to enact Net neutrality regulation. http://www.siliconvalley.com/news/ci_6818144?nclick_check=1

***** RESOURCES ******
NIXONTAPES.ORG - Between 1971 and 1973, President Richard Nixon secretly recorded 3,700 hours of his phone calls and meetings. These recordings were made in the Oval Office (commonly designated by the abbreviation “OVAL”), his hideaway office in the Executive Office Building (“EOB”), the Cabinet Room (“CAB”), Camp David (“CDHW”), and on various White House telephones (“WHT”). Currently, approximately 2,100 hours of these tapes have been declassified, released, and are available to the public. However, neither the National Archives and Records Administration (NARA) nor the Nixon Presidential Library has made official transcriptions. Instead, they have left this monumental task - a task that NARA once estimated took 100 hours of staff time to transcribe 1 hour of tape - to researchers. The purpose of this website is to make these transcripts available, side-by-side multiple audio formats, to members of the public who are not able to travel to the National Archives. http://www.nixontapes.org/

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuire Wood’s Technology & Business Articles of Note, http://tinyurl.com/ywsusp
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
