Friday, October 19, 2007

MIRLN - Misc. IT Related Legal News [1-20 October; v10.14]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product of the American Bar Association’s Cyberspace Law Committee and Dickinson Wright PLLC. Dickinson Wright’s IT & Security Law practice group is described at http://tinyurl.com/joo5y.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.abanet.org/dch/committee.cfm?com=CL320000 (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley (vpolley@REMOVETHISSTRINGvip-law.com) with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at www.vip-law.com and blogged at http://mirln.blogspot.com/.

**************End of Introductory Note***************

NOT MUCH ANONYMITY FOR UNPROTECTED FILE-SHARERS (UC Riverside Newsroom, 25 Sept 2007) - The same technology that allows easy sharing of music, movies and other content across a network also allows government and media companies easy access to who is illegally downloading that content. In a paper called “P2P: Is Big Brother Watching You?” three University of California, Riverside researchers show that a substantial number of people on file sharing networks, approximately 15 percent, are there to troll for illegal file sharing activity on behalf of the recording industry or the government. Graduate student Anirban Banerjee, and computer science professors Michalis Faloutsos and Laxmi Bhuyan, decided to find out whether file-sharers are always being observed. Over 90 days in mid-2006 they recorded file-sharing traffic on Gnutella, a common file-sharing network. “We found that a naïve user has no chance of staying anonymous,” said Banerjee. “One hundred percent of the time, unprotected file-sharing was tracked by people there to look for copyright infringement.” However, the research showed that “blocklist” software (such as PeerGuardian, Bluetack, and Trusty Files) is fairly effective at reducing the risk of being observed to about 1 percent. http://www.newsroom.ucr.edu/cgi-bin/display.cgi?id=1673

ENCRYPTION FAULTED IN TJX HACKING (Boston.com, 25 Sept 2007) - Hackers stole millions of credit card numbers from discount retailer TJX Cos. by intercepting wireless transfers of customer information at two Miami-area Marshalls stores, according to an eight-month investigation by the Canadian government. The probe led by Canadian Privacy Commissioner Jennifer Stoddart faulted TJX for failing to upgrade its data encryption system by the time the electronic eavesdropping began in July 2005. The break-in ultimately gave hackers undetected access to TJX’s central databases for a year and a half, exposing at least 45 million credit and debit cards to potential fraud. http://www.boston.com/business/technology/articles/2007/09/25/wireless_systems_faulted_in_tjx_theft/

HP OFFERS ARCHIVE SYSTEM FOR LEGAL DISCOVERY (PC World, 27 Sept 2007) - Hewlett-Packard Co., which had some well publicized legal troubles of its own not long ago, has unveiled a data back-up system to help other companies when they are hit with a lawsuit or regulatory audit. The HP Integrated Archive Platform is a combination of hardware and software that companies can use to create an archive of all their e-mail, images and other files and then search and retrieve them when they need to. “Basically you have an information collector that sits on your Microsoft Exchange server, or your Lotus Notes server, or your file servers, and as e-mail flows in and out, or as documents change, that information all gets captured,” [said Jonathan Martin, chief marketing officer for HP’s information management software]. “We also have partners like Vignette who are able to push information from their content management systems into the archive.” Rivals IBM Corp., EMC Corp. and Sun Microsystems Inc. also sell products for building data archives. http://www.pcworld.com/article/id,137753-pg,1/article.html

PFIZER TO ASSIGN E-PEDIGREES TO VIAGRA BOTTLES (Information Week, 27 Sept 2007) - Pfizer has licensed software from SupplyScape to assign and manage electronic pedigrees for Viagra and other drugs it manufactures, SupplyScape announced Thursday. The deal indicates that Pfizer is starting to move beyond the early work it’s done with RFID to authenticate packages of Viagra in the supply chain. The license deal comes 15 months before a California law goes into effect requiring that manufacturers assign e-pedigrees for the drugs they produce so that drugs can be tracked from manufacturer to wholesaler to retailer, reducing opportunities for counterfeiting and theft. Other states are considering similar laws. SupplyScape’s E-Pedigree software creates an electronic pedigree, or record, for drugs and manages those records throughout the supply chain. Pfizer is expected to assign pedigrees at the item level for high-risk drugs (such as Viagra), while lower-risk drugs may receive e-pedigrees at the case level, said SupplyScape chairman Shabbir Dahod. Pfizer already uses SupplyScape’s RxAuthentication software, which lets pharmacies and wholesalers verify the authenticity of RFID-chipped Viagra packages. http://www.informationweek.com/management/showArticle.jhtml?articleID=202102411&articleID=202102411

ASIA FINDS SECURITY IN OPEN SOURCE (ZDnet Asia, 28 Sept 2007) - Better security protection tops the list of buying criteria for open source software, reveals a new study conducted on Australia, China, India and Korea. According to IDC’s latest study released Friday on open source trends and challenges, security was the top reason for deploying open source technology, followed by budget constraints and the availability of better management tools and utilities. “The results indicate that organizations perceived open source technology as providing better security compared to proprietary products,” said Prianka Srinivasan, a market analyst for IDC Asia-Pacific. The study also concluded that more SMBs (small and medium-sized businesses) were using open source compared to large businesses, while India and China seemed to be the bigger adopters of open source compared to Australia and Korea. Although cost-efficiency remained a key decision factor, Srinivasan said, the results also suggested that organizations looked to primarily fulfill their requirements for specific functionalities. The study also revealed a growing interest in the adoption of open source versions of “higher-end” software beyond the current infrastructure and database applications. http://www.zdnetasia.com/news/software/printfriendly.htm?AT=62032771-39000001c

STUMBLING UPON SECURE DATA (InsideHigherEd, 1 Oct 2007) - Journalists, students and non, often find themselves walking the fine line separating personal privacy from their obligations to the public at large. So when a new hire at Western Oregon University’s student newspaper happened across a file containing former students’ Social Security numbers on the university’s public server in June, he and the student editor resolved to immediately inform the administration — and also make a copy of the file for reporting purposes. The students subsequently published a special issue of the Journal, distributed during graduation week, detailing the security breach but void of any of the private information found in the file. Still, as the Portland Oregonian reported, the student copy editor who initially found the file faced a disciplinary hearing Friday and penalties up to and including expulsion for allegedly violating the institution’s computer use policy. And while officials decided against expulsion Friday — opting instead to require the student to complete a presentation on “acceptable computer use” and write a newspaper commentary on university policies, according to The Oregonian — the adviser for the Journal got a letter in August indicating that her annual contract would not be renewed. http://insidehighered.com/news/2007/10/01/oregon

GERMAN OFFICIAL SAYS ‘NEIN’ TO GOOGLE-DOUBLECLICK DEAL (CNET, 1 Oct 2007) - The data protection commissioner of the German federal state of Schleswig-Holstein has come out against Google’s proposed $3.1 billion acquisition of DoubleClick. Such a merger would “lead to a massive violation of data privacy rights” for consumers in the European Union if the databases of the two companies were combined, says Thilo Weichert, data protection commissioner for Germany’s northernmost state. In a letter to the European Commissioner for Competition, Weichert writes that search engines in general already violate consumer rights to “informational self-determination” by retaining data for so long, among other things. A Google spokesman provided this statement: “We believe that this acquisition will increase competition and benefit both consumers and advertisers, and that it will ultimately be approved by government regulators.” In response to concerns that the companies will combine their databases, Google and DoubleClick have pointed out that DoubleClick does not own, and has limitations on its use of, the data it processes for its publisher and advertiser clients. In addition, the European Consumers’ Organization has lodged a complaint with the European Competition Commissioner, arguing that the merger would lead to a monopoly in the online advertising market, and Yahoo is challenging it there as well. http://www.news.com/8301-10784_3-9788891-7.html

FOUR REASONS WHY SOME BIG RETAILERS ARE STILL NOT PCI-COMPLIANT (Computer World, 1 Oct 2007) - Starting today, big retailers accepting payment card transactions face fines ranging from $5,000 to $25,000 a month if they don’t comply with the Payment Card Industry (PCI) data security standard mandated by the major credit card companies. Under the PCI standard, all companies accepting payment cards are required to implement a set of 12 security controls for protecting card holder data. The controls include ones related to access control and authentication, data encryption, and transaction logging. About 325 Tier 1 merchants, those defined as processing more than 6 million card transactions a year, had until Sept. 30 to show they had implemented all of the required controls. But according to estimates from analyst firm Gartner Inc. and observers in the payment industry, a good half of them are unlikely to have made the deadline for a variety of reasons. Here are four of the likeliest reasons: * * * http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=17&articleId=9040259&intsrc=hm_topic

CONTESTED UK ENCRYPTION DISCLOSURE LAW TAKES EFFECT (Washington Post, 1 Oct 2007) - British law enforcement gained new powers on Monday to compel individuals and businesses to decrypt data wanted by authorities for investigations. The measure is in the third part of the Regulation of Investigatory Powers Act (RIPA), legislation passed in 2000 by the U.K. Parliament to give law enforcement new investigation powers with respect to evolving communication technologies. The government contends law enforcement more frequently encounters encrypted data, which delays investigations. But RIPA Part III wasn’t activated when the act was passed due to the less prevalent use of encryption. But as of Monday, those served with a “Section 49” notice have to either make decryption keys available or put the data in an intelligible form for authorities. Failure to comply could mean a prison sentence of up to two years for cases not involving national security or five years for those that do. A Section 49 request must first be approved by a judicial authority, chief of police, the customs and excise commissioner or a person ranking higher than a brigadier or equivalent. Authorities can also mandate that the recipient of a Section 49 request not tell anyone except their lawyer that they have received it. Critics countered RIPA Part III could put corporate data at risk if mishandled by government officials, although the government wrote a code of practice concerning the handling of encryption keys. http://www.washingtonpost.com/wp-dyn/content/article/2007/10/01/AR2007100100511_pf.html

USE MY PHOTO? NOT WITHOUT PERMISSION (New York Times, 1 Oct 2007) - This is no “star is born” story for the digital age, though at first it may seem like one. One moment, Alison Chang, a 15-year-old student from Dallas, is cheerfully goofing around at a local church-sponsored car wash, posing with a friend for a photo. Weeks later, that photo is posted online and catches the eye of an ad agency in Australia, and Alison appears on a billboard in Adelaide as part of a Virgin Mobile advertising campaign. Four months later, she and her family are in Federal District Court in Dallas suing for damages. On the billboard, Alison’s friend has vanished and so has the Adidas logo on her hat. Her image is accompanied by a mocking slogan — according to the ad, Alison is the kind of loser “pen friend” (pen pal) whom subscribers will finally be able to “dump” when they get a cellphone. The conduit for this unusual bit of cultural exchange, it quickly emerged, was the Flickr photograph-sharing service, which is owned by Yahoo. The image had been uploaded to the site by the photographer, Justin Ho-Wee Wong, Alison’s church youth counselor. There are many accusations of people misusing Flickr photographs, including the case of an Icelandic woman who says an online gallery based in Britain sold her work without her approval, and a German photographer who says a right-wing Norwegian political party used a photo of her sister in its materials also without permission. Chang v. Virgin Mobile USA is not the typical intellectual property rights case. A prolific member of Flickr, Mr. Wong has more than 11,000 photographs there that anyone with the time or inclination could page through. And, until recently, those photographs carried a license from Creative Commons, a nonprofit group seeking alternatives to copyright and license laws. The license he selected allowed them to be used by anyone in any way, including for commercial purposes, as long as Mr. Wong was credited. 
Instead, the case hinges on privacy, the right of people not to have their likeness used in an ad without permission. So, while Mr. Wong may have given away his rights as a photographer, he did not, and could not, give away Alison’s rights. In the lawsuit, which Mr. Wong is also a party to, there is an argument that Virgin did not honor all the terms of the nonrestrictive license. The lawsuit, filed by the Changs’ lawyer, Ryan Zehl, from the Houston law firm Fitts Zehl, also names Creative Commons. Mr. Zehl said, “as the creator of this new license, they have an obligation to define it succinctly.” Lawrence Lessig, the Stanford law professor who was served the papers on behalf of Creative Commons, said he was sympathetic to the Changs’ plight. But, added that, “the part about us is puzzling. It says we failed to instruct the photographer adequately, but the first question is, ‘do you want to allow commercial uses?’” As for giving more advice about the rights of the subjects who appear in photographs, Mr. Lessig said that Creative Commons has to be careful not to provide “what looks like legal advice.” But, he added, “this photographer did nothing wrong when he took this photo of this girl, and posted it on his Flickr page. What he did wasn’t commercial use, which triggers the legal issues. If there was a problem here, it was by Virgin.” http://www.nytimes.com/2007/10/01/technology/01link.html?ex=1348891200&en=bff7d4530ec244f6&ei=5090&partner=rssuserland&emc=rss

POLL: AMERICANS WRONG ABOUT COMPUTER SECURITY (CNET, 2 Oct 2007) - Most Americans believe their computers are protected against viruses and spyware, but scans found that a large number had outdated or disabled security software, according to a poll released on Monday. Fully 87 percent of Americans polled said they had antivirus software, 73 percent said they had a firewall and 70 percent said they had antispyware software, according to the survey by security software maker McAfee and the National Cyber Security Alliance. But when pollsters asked to remotely scan the respondents’ computers, the story turned out to be very different. While 94 percent of those polled had antivirus software, just half had updated it in the past month, the survey showed. Eighty-one percent had a firewall protecting private information, but just 64 percent had enabled it. And 70 percent said they had antispyware software, but only 55 percent had enabled it. http://www.news.com/Poll-Americans-wrong-about-computer-security/2100-1029_3-6211093.html?tag=nefd.top

STUDY: COMPANIES DIVE INTO WEB 2.0 WITHOUT SECURING RISKS (Information Week, 3 Oct 2007) - While the majority of enterprises are using Web 2.0 technology, they’re not prepared to deal with the security risks that come along with it, according to a study released Wednesday. Forrester Research surveyed 153 IT professionals and found 96% said they are not only using Web 2.0 technologies but their companies are finding value in them. The problem is that the companies may have made the leap into Web 2.0 without thinking about the security consequences. A full 90% reported that they are at the least “very concerned” about related threats. “Today, the Internet is beleaguered with threats such as phishing, viruses, spyware, and botnets, all threatening to challenge your business operations,” said Chenxi Wang, a principal analyst with Forrester, in a written statement. “Forrester’s study ... reveals that most companies are slow to respond to the latest threats, or aren’t sure what to do to adequately secure. We have found that most companies that have implemented any kind of Web protection have only installed URL filtering and signature scanning. Yet, malware writers are now using the Web as a primary vehicle to propagate a plethora of new threats undeterred by traditional security means. The need for more effective Web protection has never been greater.” The problem is that malicious hackers are increasingly focusing their attention on using Web 2.0 technologies as entries into unsecured companies. Hackers and spammers, for instance, can create their own pages on social networking sites and riddle them with malicious code to infect their social networking peers. One worm planted in a MySpace page infected more than 1 million users. And malware writers are beginning to target vulnerabilities in Ajax-based applications, which help make the Web 2.0 sites so dynamic. http://www.informationweek.com/management/showArticle.jhtml?articleID=202200678&articleID=202200678

E-MAIL ATTACKERS TARGET CORPORATE EXECUTIVES (SiliconValley.com, 3 Oct 2007) - During a two-hour period on June 24, something unusual and a bit worrying turned up in e-mail security firm MessageLabs Inc.’s filters: 514 messages tailored to senior executives of corporate clients that contained malicious programs designed to steal sensitive company data. On Sept. 12 and 13 it happened again, but this time the firm captured 1,100 messages in a 16-hour wave. The messages, which included executives’ names and titles, were from a purported employment service and offered attachments supposedly containing information on potential job candidates. The attachments were Microsoft Word documents - a common file type erroneously believed to be safe by most computer users - that if not intercepted would have deposited Trojan horses, or malicious programs disguised as benign ones, onto targeted computers. “All of a sudden somebody new hit the scene,” said Mark Sunner, MessageLabs’ chief security analyst. Who that was isn’t clear because technical tricks disguised the e-mails’ origin, he said. But it’s likely the person or group responsible came from the digital underground centered in Eastern Europe, where malicious-program writers and organized crime have long worked hand-in-hand online to steal and sell data for use in fraud schemes. The newcomers appear to be after corporate secrets, he said. They have sought, specifically, to infiltrate the computers of chief executives, chief financial officers, chief technology officers and other senior managers - and on occasion their assistants. And the Trojan horses were primarily designed to help the attacker gather Microsoft Office files from the “My Documents” directory of infiltrated PCs. http://www.siliconvalley.com/news/ci_7068971?nclick_check=1

CT RULES WEB-REFERENCED TERMS ON INVOICE NOT BINDING (BNA’s Internet Law News, 4 Oct 2007) - BNA’s Electronic Commerce & Law Report reports that a federal court in Michigan has ruled that a statement on a telephone service invoice with a Web link to terms and conditions was insufficient to make those terms - which included an arbitration clause - binding on customers. The court said that a link on an invoice sent after a customer had already begun receiving phone service did not constitute a contract modification. The link was merely informational, the court said, and the terms on the Web site were not binding absent evidence that the customers had agreed to them. Case name is Manasher v. NECC Telecom.

- but -

WEBSITE TERMS ENFORCEABLE AGAINST USER WITH NOTICE (BNA’s Internet Law News, 18 Oct 2007) - BNA’s Electronic Commerce & Law Report reports that a federal court in Texas has ruled that users of an airline’s Web site were bound by the Web site terms of use, the availability of which was mentioned in a hyperlink at the bottom of the site’s home page. Holding that the BoardFirst flight check-in service violated Southwest Airlines’ terms of use prohibiting third-party commercial uses of the site, Judge Jane J. Boyle issued a permanent injunction prohibiting BoardFirst from using the Southwest Airlines Web site in violation of its terms. Case name is Southwest Airlines Co. v. BoardFirst LLC.

ADVOCATES FOR WEB ACCESS FOR BLIND PASS LEGAL HURDLE (WSJ, 4 Oct 2007) - Blind Internet users scored a victory in their battle to gain better access to what is on the Web. A federal judge in California has granted class-action status to a lawsuit against Target Corp. charging that the discount retailer’s site is inaccessible to blind shoppers. The lawsuit already appears to have prodded Target into making improvements to its site, and industry experts say legal challenges have proved to be an effective way for blind advocates to alert Web builders about problems with Internet access. At issue is whether Target’s site is compatible with special software that can vocalize invisible code embedded beneath computer graphics, describing aloud the content of a Web page. Plaintiffs, led by the National Federation for the Blind, are making their case under the Americans with Disabilities Act as well as two California state laws, claiming they “are being denied equal access to Target stores” because of poor access to Target.com. Minneapolis-based Target says it believes its site is “fully accessible and complies with all applicable laws,” and that it plans to appeal. Some outsiders say continuing the fight isn’t worth it. Settling the suit and upgrading its Web site would likely be a “win-win situation” for Target and its customers, says Greg Mersol, a partner at the law firm Baker Hostetler who specializes in class-action litigation. Efforts to write accessibility requirements into federal Internet guidelines have hit roadblocks. The majority of corporate initiatives to improve Internet access to blind and other disabled Web users has been driven by fear of lawsuits, says David Grant, vice president of marketing for Watchfire, an Internet-access consultant owned by International Business Machines Corp. A 1999 lawsuit against America Online over blind access was quickly settled, followed by enhancements at AOL and other Internet-service providers. 
A 2002 case against Southwest Airlines was thrown out, but the company moved to eliminate obstacles to ticket purchases by blind travelers on its site. http://online.wsj.com/article/SB119141557627247599.html

UPDATE ON FBI-COLLEGE RELATIONS (InsideHigherEd, 4 Oct 2007) - In the two years since the Federal Bureau of Investigation pulled together a panel of university presidents, the 20-person National Security Higher Education Advisory Board has discussed matters ranging from cyber threats to counterterrorism to the Virginia Tech shootings. In a briefing for reporters at FBI headquarters Wednesday, officials involved with the advisory board provided an update as to its activities — though not surprisingly given the subject, specific details were scarce. Among the topics the advisory board has taken up:
* Safeguarding faculty research. While some university researchers are involved with classified research, where the protocols are well-understood, most faculty research is “wide open,” said Pennsylvania State University President Graham B. Spanier, chairman of the board. In an open university culture, Spanier said, faculty members are oriented toward publicizing their work, and publishing it to boot. But John Slattery, deputy assistant director for counterintelligence support at the FBI, said that university partners have been helpful in identifying potentially sensitive research that would benefit from stronger protections. The FBI can then assess whether there’s a threat to such research — which typically falls outside the more obvious purview of projects the agency might identify on its own — “or whether there’s something [universities] should be doing to protect their own crown jewels,” Slattery said.
* Cyber security. Spanier cited one instance at an (unnamed) “major university” more than a year ago when a computer breach — and a “particularly unacceptable breach” at that — required immediate response. But while Spanier said he has spent some time introducing college leaders to FBI officials in his capacity as chair, when asked the number of times he’s had to make introductions under emergency circumstances, he said he could count the incidents on his fingers. (He didn’t indicate whether that would be on one hand or two).
* The Commerce Department’s “deemed export” rule — that is, government restrictions that limit the sharing of certain technological information, even through a conversation, to foreign nationals without an export license. After the government proposed ratcheting up export controls a couple years ago, board members expressed concern and the government agreed to review the policy, Spanier said. In addition to receiving the FBI’s input on counterintelligence and counterterrorism issues, the board also exists to advise the FBI on academe’s very specific culture, including its emphasis on academic freedom and openness.
Academics have historically distrusted the FBI and many have watched the cozier relationships between higher education and the agency that have formed since 2001 – including the placement of campus police officers on joint counterterrorism task forces — with some wariness. Yet, when asked whether he gets flak from faculty for his involvement with the FBI, Spanier said no. http://insidehighered.com/news/2007/10/04/fbi

SETTLING IT ON THE WEB (ABA Journal, 4 Oct 2007) - Online dispute resolution was supposed to take over the legal profession. With the rise of the Internet, artificial intelligence and other clever bits of technology, lawyers would be able to solve legal disputes with computers, not courtrooms and judges. “Around 1999 or 2000 we thought this would be huge; every court would have a kiosk out front for ODR,” says Colin Rule, ODR director for eBay and PayPal. But a funny thing happened after the dot-com bust. ODR seemed to fail. And now, instead of being imposed on the legal profession from the outside, it is bubbling up from within the trade. Rule says ODR is integrated into a lot of business models and has become so integral that many people might not even know it’s there. “Look at me: When we started, I worked at a tiny, independent ODR company,” he says. “Now I’m part of this big company that handles millions of disputes online, and nobody thinks twice about it.” Web technology is now slowly making inroads into dispute resolution that had been handled offline. Dan Rainey, director of the office of alternative dispute resolution services for the National Mediation Board, a federal agency, says he hopes to soon handle 10 percent of its arbitration cases online. http://www.abajournal.com/magazine/settling_it_on_the_web/

COURT FINDS SECRET SURVEILLANCE DOWNRIGHT UNPATRIOTIC (Steptoe & Johnson’s E-Commerce Law Week, 4 Oct 2007) - Maybe it’s all in the name. First Bill Belichick had to apologize for the New England Patriots’ spying scandal. Then a court found the Foreign Intelligence Surveillance Act (FISA), as amended by the USA PATRIOT Act, unconstitutional. It’s enough to make Nathan Hale, the original Patriot spy, roll over in his unmarked grave. Judge Ann Aiken, a federal judge in Oregon, ruled in Mayfield v. United States that the Patriot Act’s changes to FISA violate the Fourth Amendment by permitting the government to wiretap a suspect or search his property to gather evidence for a criminal prosecution, without having to establish probable cause to believe a crime is being committed. The Patriot Act changed FISA so that the government can obtain a wiretap or search order by certifying (among other things) that collecting intelligence is “a significant purpose” of the surveillance rather than the “primary” purpose. This means, in essence, that the government can use FISA, instead of Title III or criminal search warrants, even where its main purpose is to gather evidence for a criminal prosecution. That change was one of the least politically controversial changes worked by the Patriot Act, and was upheld by the Foreign Intelligence Surveillance Court of Review in 2002. Still, Judge Aiken managed to muster Hale-worthy oratory in condemning the change as violating “bedrock principles” of the Constitution and signaling a momentous shift from a Nation based on the “rule of law” to one “based on extra-constitutional authority.” Despite the ringing rhetoric, it’s doubtful that the court’s ruling - a declaratory judgment without any accompanying injunction - will have any immediate practical effect on the government or on the recipients of FISA orders. If the government appeals, though, this case could become the vehicle by which the Supreme Court finally gets to opine on FISA. 
Whether to appeal therefore may not be as easy a decision for the government as one might think. http://www.steptoe.com/publications-4888.html

RETAILERS, CREDITORS CLASH ON SECURITY (MSNBC, 4 Oct 2007) - Retailers and the credit card industry are at odds as they try to restore consumer confidence after recent massive thefts of credit card information. The National Retail Federation on Thursday urged a card industry organization to stop requiring retailers to keep customers’ card numbers for up to 18 months. The stored data helps track product returns and disputed or suspicious transactions. But retailers say the data would be more secure if only credit card companies and banks that issue the cards stored it. One credit card company said it doesn’t require retailers to store the data. Less than half the nation’s biggest merchants appear to be complying with card industry security standards — which include encryption and other safeguards — despite a Sept. 30 deadline set by Visa USA, which plans to levy monthly fines up to $25,000 against merchant banks that noncompliant retailers rely on. http://www.msnbc.msn.com/id/21139311/

- and -

SCHWARZENEGGER SAYS ‘HASTA LA VISTA’ TO BILL ON DATA BREACH COSTS (ComputerWorld, 15 Oct 2007) - In a move that is likely to come as a major relief to retailers nationwide, California Gov. Arnold Schwarzenegger on Saturday vetoed legislation that would have made merchants in his state financially liable for the costs incurred by financial institutions because of retail data breaches. In a statement explaining his reasons for refusing to sign the bill, formally known as AB 779, Schwarzenegger said that it “attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers.” The measure, which was approved last month by both the California State Assembly and Senate, would have required retailers in California that get hit by data breaches to reimburse banks and credit unions for the cost of alerting customers and reissuing credit and debit cards. It would also have prohibited merchants from storing specific types of authentication data taken from the magnetic stripes on the back of payment cards, while requiring the use of so-called strong authentication technologies for protecting cardholder data. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9042630

A WAY TO FIND YOUR CORNER OF THE INTERNET SKY (New York Times, 7 Oct 2007) - If you know what you’re looking for online, Google and other Internet search engines do a pretty good job of helping you find it. But what if you don’t know exactly what you want? StumbleUpon has 3.5 million registered users. Say you are a soccer fan, but you are neither in the market for new cleats nor in search of the buzz on Greg Ryan, the coach of the United States women’s team. Instead, you just want to see interesting soccer sites. Googling “interesting soccer” or “great soccer stuff” is not likely to be satisfying. A Web service called StumbleUpon has spent the last six years trying to satisfy such a need, perfecting a formula to help you discover content you are likely to find interesting. You tell the service about your professional interests or your hobbies, and it serves up sites to match them. As you “stumble” from site to site, you will feel as if you are channel-surfing the Internet, or rather, a corner of the Internet that is most relevant to you. Here is how StumbleUpon works: You can use the service directly from its Web site, but for the fullest experience, you’ll want to download its Internet browser toolbar, register and check categories that interest you — say, parenting, the environment or yoga, or all of the above. Then, each time you click on the Stumble toolbar icon, the service shows you sites in those categories that other users have found interesting. You can stumble through a single category or across all your interests. You can choose to view any kind of Web site or just photos or videos. StumbleUpon has about 12 million sites in its database, a sort of “best of the Web” compiled by users of the service. You can influence that collection by giving a thumbs up or thumbs down to any Web site. 
The service uses that information — and similar data gathered from the 7.5 million “stumbles” its users perform each day — to keep refining what may be interesting to individual users, based on their shared interests and other characteristics. StumbleUpon borrows from two ideas that are familiar to millions of Web users. One is collaborative filtering, the technology used by Amazon.com to recommend books based on what you and others have bought. The other is social networks like Facebook and social sites like Digg or del.icio.us, where users vote on the most popular news stories or share interesting sites. http://www.nytimes.com/2007/10/07/technology/circuits/07stream.html?ex=1349409600&en=c7a23dcb1878c524&ei=5090&partner=rssuserland&emc=rss StumbleUpon is at http://www.stumbleupon.com/

SECURING VERY IMPORTANT DATA: YOUR OWN (New York Times, 7 Oct 2007) - As long as we are willing to relinquish some personal data, Web applications have long allowed us to create virtual identities that can conduct most of the social and financial transactions that typify life in the real world. But the newest generation of these services is starting to collect and store far more than just the standard suite of identity data — name and address, phone, Social Security or credit-card numbers — that populates the databases of banks and credit-card processors. They increasingly store information, generated by us, that is directly linked to those virtual identities. And users are loving them. For example, the start-up Mint.com won this year’s TechCrunch award for its Swiss Army knife approach to personal financial management. In exchange for customers uploading their account information and allowing sponsors to offer them specialized services, Mint will connect nightly to their credit-card providers, banks and credit unions. Then it automatically updates transactions and accounts, balances their checkbooks, categorizes their transactions, compares cash with debt and, based on their personal spending habits, shops for better rates on new accounts and credit cards. Another site, Dopplr, from a company of the same name based in Finland, is still in its beta-test phase. It lets users upload and share their travel itineraries with a group of “trusted fellow travelers.” The site can connect with Facebook friend lists, and in September it announced that it had opened an invitation-only social network to business travelers from 100 leading companies and international organizations, including Google, I.B.M. and Nokia. “We’re in a situation where business holds all the cards,” said Mike Neuenschwander, vice president and research director of identity and privacy strategies at the Burton Group, a technology research and advisory service based in Midvale, Utah. 
“Businesses put the deal in front of the consumer, they control the playing field and the consumer doesn’t have any say in how the deal plays out.” One way to change this, he said, is to make people more like organizations. To this end, Mr. Neuenschwander and his colleagues have floated the intriguing concept of the L.L.P.: the Limited Liability Persona. This persona would be a legally recognized virtual person in which users could “invest” the financial or identity resources of their choosing. Once their individual personas are created, consumers would be able to use them as their legal “alter ego,” even in financial transactions. “My L.L.P. would have its own mailing address, its own tax ID number, and that’s the information I’d give when I’m online,” Mr. Neuenschwander said. Other benefits include the ability for “personas” to limit their financial exposure in ways that individuals cannot. “When you enter into a relationship with a company and give them your personal information, you’re at tremendous risk — and they aren’t,” he said. “In the U.S., certain kinds of personal information aren’t treated like property at all. It’s very difficult to sue someone for misuse of personal information. And even if you do, they can never give you back your mailing address, your Social Security number or your DNA, for that matter.” But if a company loses or tampers with an L.L.P.’s data, “the law allows me to sue them because it’s corporate information,” Mr. Neuenschwander said. “It’s digital-rights management,” he added, referring to the access control technologies used by publishers and other copyright holders to limit use of digital media, “only you’re acting on behalf of your own organization.” http://www.nytimes.com/2007/10/07/technology/07frame.html?ex=1349409600&en=fa0c566bf7d88d33&ei=5090&partner=rssuserland&emc=rss

MINNESOTA WOMAN TO APPEAL $220,000 RIAA AWARD (CNET, 8 Oct 2007) - Jammie Thomas, the Minnesota woman who last week was ordered to pay the recording industry $222,000 for copyright violations related to sharing songs, has decided to appeal the verdict. Thomas announced her decision Monday morning on cable news channel CNN and on her MySpace.com page. Thomas said on her blog that she and her attorney, Brian Toder, plan to appeal based on the federal jury’s finding that making songs available online violates copyright. “This would stop the RIAA dead in their tracks,” Thomas wrote on her blog. “Every single suit they have brought has been based on this making-available theory, and if we can win this appeal, they would actually have to prove a file was shared.” The jury issued a decision on Thursday that Thomas was guilty of violating copyright for 24 songs and required her to pay $9,250 for each. The jury never found that Thomas had downloaded any music but had infringed by making the music available for others to download. http://www.news.com/8301-10784_3-9792759-7.html

FINANCIAL INSTITUTIONS SPENDING ON SECURITY AND GOVERNANCE (Computer World UK, 8 Oct 2007) - The Deloitte & Touche annual survey of security practices at 169 financial institutions found that 98% of them are spending more on information security this year than last year, and putting a greater emphasis on IT governance. Security spending is up as much as 15% over last year at 11% of the 169 corporations surveyed, which include banks, and investment and insurance companies from 32 countries. According to the 2007 Global Security Survey, the biggest spending hikes were made in audit or certification costs, logical-access control products, infrastructure protection devices and compliance and risk management. While 38% of the organisations surveyed did not measure their security budget on a per capita basis, of those that did, 7% said they spend more than $1,000 (£490) per person, 7% between $501 (£245) and $1,000 (£490) per person, 14% between $251 (£123) and $500 (£245), 23% between $100 (£49) and $250 (£122), and 11% under $100 (£49). In a related trend, 81% of the financial institutions surveyed said they’ve adopted a formal Information Security Governance framework, up from about 70% last year. The vast majority of the remaining respondents said they are in the process of establishing one. Deloitte & Touche said the higher adoption rate in formal Information Technology Governance frameworks – which detail lines of authority and reporting requirements, business processes, technology and security measures – appears due to the increased pressure of government regulation. http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsid=5522 [Editor: In May 2007 IEEE published my co-authored article titled “A Coherent Strategy for Data Security through Data Governance”; info at http://tinyurl.com/2vyqmv]

SURFING THE WEB FOR A “BRANDEIS BRIEF” (Texas Bar Journal, Oct 2007) - In the past 10 years, the U.S. Supreme Court has cited to the Internet in 111 cases; 37 of those cases were delivered in the past two terms. The U.S. Court of Appeals for the Fifth Circuit has cited to the Internet in 64 cases during the same period, while the Texas Court of Criminal Appeals — no “Thoroughly Modern Millie” — has cited to the Internet in a total of 20 cases. Many of these Internet citations are to government sites, but a significant number are to such sources as the online version of the Washington Post or Wall Street Journal, public or private foundation policy briefs or academic reports, or Wikipedia. Justice Antonin Scalia, that paragon of “originalist” interpretation, has even cited to the Death Penalty Information Center website. We are seeing the convergence of two related trends. One trend, epitomized by Justice Stephen G. Breyer’s reliance upon How to Buy and Care for Tires in Kumho Tire Co. v. Carmichael, is the “delegalization” of judicial authority, especially in cases of first impression. Because of the ease of finding nonlegal information on the Internet, both practitioners and judges are referring to more sociology, psychology, criminology, medical, and economics texts and journals and to more nonacademic books, magazines, and newspapers. No longer must the lawyer or judge leave his or her cloistered law library and take a bus across town to the local public library to access these nonlegal sources. Their use has increased exponentially in the past decade and is likely to continue. The second trend, epitomized by Justice Harry Blackmun’s purported reliance upon the results of a two-week independent medical investigation at the Mayo Clinic in Roe v. Wade, is the increasing use of nonlegal authorities as “legislative facts” in resolving novel legal issues by both trial and appellate judges. 
Legislative facts are “those which help the tribunal to determine the content of the law and policy and to exercise its judgment or discretion in determining what course of action to take.” Legislative facts are the type of facts — social studies, statistical data, even anecdotes — that legislatures use when they are making law. These facts support the rationale for enacting or amending the current law through the legislative process. Legislative facts are also used by courts in analyzing (1) the impact of prior and proposed law to facilitate lawmaking through judicial decisions, (2) the legislative history of a statute used to assist in its interpretation, and (3) the public-policy basis for extending or restricting a legal rule. These legislative facts are “established truths, facts, or pronouncements that do not change from case to case but apply universally,” and are relevant to a court’s thinking about what the law ought to be. Adjudicative facts, on the other hand, are relevant to the “who, why, where, when, what” of a specific case: Is Houston in Harris County? Did the sun rise at 6:23 a.m. on the day of the murder? Was this indictment filed within the statute of limitations? [Editor: more] http://www.texasbar.com/Template.cfm?Section=Current_Issue&Template=/ContentManagement/ContentDisplay.cfm&ContentID=19303

COURT REJECTS GOVERNMENT’S EFFORT TO ACCESS DIALED CONTENT WITHOUT A WIRETAP ORDER (Steptoe & Johnson’s E-Commerce Law Week, 11 Oct 2007) - A federal magistrate in New York has ruled that the government must show probable cause and obtain a Title III wiretap order, rather than relying on a pen-register order, before accessing “post-cut-through dialed digits” - i.e., the digits that a caller dials after his call is connected - since such digits often represent call content. The court found that using a pen-register order to gather such dialed content is not permitted by the pen-register statute and would violate the Fourth Amendment, since a pen-register order can be obtained on a mere certification by the government that dialing (or other routing or addressing information) is “relevant” to a criminal investigation. This decision is in line with previous rulings by federal courts in Texas and Florida, suggesting an emerging consensus. Interestingly, the government’s theory for why it should be allowed to obtain communications content without a Title III order - essentially, that it should be allowed to collect whatever it can, subject to “minimization” requirements - bears some resemblance to its recent approach to surveillance under the Foreign Intelligence Surveillance Act. On both fronts, the government is running into serious judicial resistance. http://www.steptoe.com/publications-4900.html Magistrate’s ruling at http://www.steptoe.com/assets/attachments/3197.pdf

LAWYERS FACE SANCTIONS IN QUALCOMM SUIT (AP, 13 Oct 2007) - Chipmaker Qualcomm Inc. dueled Friday in federal court with its hired attorneys over who shoulders the blame for what a judge called “gross misconduct on a massive scale” at a past trial. U.S. Magistrate Judge Barbara Major is considering sanctions against 19 attorneys who represented Qualcomm in a patent lawsuit the cell phone chipmaker filed against rival Broadcom Corp. The possibility of sanctions has threatened the careers of attorneys from two Silicon Valley firms and prolonged a damaging episode for Qualcomm. The company’s legal activity has helped it become the world’s second-largest chipmaker for cell phones. The judge said she was struggling to understand how Qualcomm and its lawyers committed “the fundamental and monumental error” of failing to share more than 200,000 pages of documents with Broadcom until after trial. Neither lawyers for Qualcomm nor the 19 attorneys it hired — and is now arguing with — had clear answers. Joel Zeldin, an attorney for 11 of the lawyers, said Qualcomm hamstrung his defense by deciding to keep its communications with its attorneys confidential. “The lawyers really can’t defend themselves and that’s a real due-process concern,” he said. Zeldin said court filings by several Qualcomm employees suggested his clients failed to do their job. “They give you part of the story,” he said. “They can almost say anything they want with impunity because they know we can’t answer.” Qualcomm attorney William Boggs defended the San Diego-based company’s decision to prevent disclosure of privileged communications with the hired lawyers, and he urged the judge not to fine them. Boggs called the failure to produce the thousands of documents an unintentional mistake. Qualcomm already has been fined $8.5 million and ordered to pay Broadcom’s attorney fees. 
The sanctions hearing focuses on the actions of two law firms that worked the case for Qualcomm — Day Casebeer Madrid & Batchelder LLP of Cupertino and Heller Ehrman LLP of Menlo Park. In statements filed with court this week, the lawyers said they never sought to mislead anyone.

LAW FIRM TO CLIENTS: FEDS TAPPED OUR PHONES (ABA Journal, 12 Oct 2007) - Lawyers at a Vermont firm that represents clients being held in the U.S. military prison at Guantanamo Bay and in Afghanistan believe the federal government may be wiretapping their law office phones. So Gensburg, Atwell & Broderick sent a letter to other clients of the firm on Oct. 2, warning them it can’t guarantee their telephone conversations with firm lawyers are confidential, reports the Associated Press. The firm’s three attorneys also think the federal government is monitoring the law firm’s computer system. “Although our investigation is not complete, we are quite confident that it is the United States government that has been doing the phone tapping and computer hacking,” they say in the letter. David Sleigh, a lawyer representing attorney Robert Gensburg of the St. Johnsbury firm, says he believes the government can argue, under current federal law, that it is entitled to tap into his client’s phone and computer without a warrant. http://www.abajournal.com/weekly/law_firm_feds_tapped_our_phones

APPEALS COURT TO RECONSIDER SUIT ON ROOMMATE DISCRIMINATION (SFGate.com, 13 Oct 2007) - At the urging of free-speech advocates, a federal appeals court agreed Friday to reconsider a ruling allowing a housing-discrimination suit against an online roommate-matching agency that asks customers if they want to live with someone of a particular age, sex or sexual orientation. The Ninth U.S. Circuit Court of Appeals in San Francisco issued a ruling in May limiting the scope of a federal law that shields Internet providers from legal responsibility for the content of messages posted on their sites. The law says providers of interactive computer services can’t be sued for wrongdoing in a message by a user of the service - for example, libel in a chat room - because providers are only intermediaries and liability might force them to act as censors or curtail their services. But the court panel said a provider like the roommate-matching company, Roommates.com, that invites a specific type of message can be held responsible for its content. On Friday, the full appeals court said a majority of its judges had voted to refer the case to an 11-judge panel for a new hearing. The company’s request for a rehearing was supported by the Electronic Frontier Foundation, an advocacy group for free expression online, as well as the Lycos search engine company and Eric Goldman, director of the High Tech Law Institute at Santa Clara University. Goldman said the earlier ruling had “the potential of reducing the ability of Web sites to provide useful data.” Timothy Alger, a lawyer for Roommates.com, said the ruling conflicted with Congress’ intent “to enhance the exchange of information on the Web.” The company, based in Phoenix, has about 150,000 active listings nationwide and gets about a million page views per day, according to court records. Lawyers for the Fair Housing Councils of the San Fernando Valley and San Diego, which filed the suit, were unavailable for comment. 
In written arguments opposing a rehearing, Michael Evans, a DePaul University law professor representing the plaintiffs, said Roommates.com is not merely a passive message board but was “designed for the very purpose of having landlords indicate discriminatory preferences.” The Web site, used by rental housing owners as well as tenants, requires users to identify themselves by gender and sexual orientation and say whether they would be willing to live with straight or gay men or women, or with children. With that information, a woman with a child, for example, can search profiles of those with rooms who are willing to live with women and children. Plaintiffs in the lawsuit said that postings that discriminate based on sex or family status would violate federal housing law, and that postings specifying a roommate’s age or sexual orientation would violate California law. http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/10/13/BAC3SP9HS.DTL

RADIOHEAD’S WARM GLOW (New York Times, 14 Oct 2007) - I didn’t pay anything to download Radiohead’s “In Rainbows” last Wednesday. When the checkout page on the band’s Web site allowed me to type in whatever price I wanted, I put 0.00, the lowest I could go. My economist friends say this makes me a rational being. Apparently not everybody is this lucid, at least not in matters related to their favorite British rock band. After Radiohead announced it would allow fans to download its album for whatever price they chose, about a third of the first million or so downloads paid nothing, according to a British survey. But many paid more than $20. The average price was about $8. That is, people paid for something they could get for free. This phenomenon is not new. It’s called tipping. We do it when we go to the restaurant or the barber, or when we ride in a taxi. Though one could argue there are real tangible reasons for this payment — like not losing an ear the next time we get a haircut — the practice of paying more money than we are legally bound to do is still mystifying in an economic sense. For instance, why tip a cabdriver you will probably never see again? Some economists suspect that what is going on is that people get a kick from the act of giving the band money for the album rather than taking it for free. It could take many forms, like pleasure at being able to bypass the record labels, which many see as only slightly worse than the military-industrial complex. It could come from the notion that the $8 helps keep Radiohead in business. Or it could make fans feel that they are helping create a new art form — or a new economy. People who study philanthropy call it the “warm glow” that comes from doing something that we, and others, believe to be good. [This] is also potentially comforting news for the recording business. 
The industry has been struggling to find a business plan that will work in an online market in which — despite billions invested in antipiracy measures — fans can pretty much get their music for free if they want to. Today, music lovers are left but two options: pay list price for an album, or perform what a fan might call a free download and a record company would call theft. Radiohead’s experiment suggests a third way out: let fans pay what they want and give them lots of touchy-feely reasons to want to give as much money as they can. http://www.nytimes.com/2007/10/14/opinion/14sun3.html?ex=1350014400&en=304f58c7e0c1a3a2&ei=5090&partner=rssuserland&emc=rss

COMPETING FOR CLIENTS, AND PAYING BY THE CLICK (New York Times, 15 Oct 2007) - You can do cool things with Google, like take the pulse of the legal profession. Google is, of course, more than a search engine. It also sells advertising, including the shaded “sponsored links” that run next to the real search results. It auctions off those ads to advertisers, who agree to pay a given amount each time someone clicks on their link. “Christmas recipes,” for instance, was going for 54 cents per click the other day. “Britney Spears” cost 36 cents, and “Britney Spears nude” only 21 cents. But “Oakland personal injury lawyer” cost $58.03. “Asbestos attorney” cost $51.68. And “mesothelioma attorney Texas” — mesothelioma is a kind of cancer caused by inhaling asbestos — cost $65.21. A Web site called CyberWyre, at www.cwire.org, posts a regularly updated list of the most expensive search terms. “The four leading industries are definitely law, medicine, finance and travel,” said Sam Elhag, who writes for the site. On a recent visit, lawyers and lung cancer dominated the top 10. Google advertising has the benefit of being narrowly focused, said Walter Olson, a senior fellow at the Manhattan Institute, a conservative research group. “I assume relatively few people searching for ‘mesothelioma’ are doing it out of idle curiosity,” Mr. Olson said. But some of them are looking for medical information, and they are often disappointed. “If you are searching for information on mesothelioma,” Mr. Olson said, “you will have to dodge dozens and dozens of lawyer advertisements.” The top sponsored link that came up yesterday with a search for “mesothelioma,” for instance, was for a site that promised information “about mesothelioma’s causes, symptoms and types of treatment.” It urged readers to contact a toll-free number for more information. In the fine print at the bottom, the site revealed that it was sponsored by a Texas law firm. 
Personal injury lawyers are not the only ones who advertise on Google. “Tax lawyer” cost $34.32 the other day, “bankruptcy lawyer” $8.46 and “patent lawyer” $5.08. “Pro bono lawyer” — the kind who handles cases without a fee — went for $2.89. Susan Crawford, a visiting professor at the University of Michigan Law School, said lawyers’ enormous enthusiasm for Internet advertising meant the medium might have reached middle age. “Lawyers are usually the slowest to adopt any form of new technology,” she said. http://www.nytimes.com/2007/10/15/us/15bar.html?ex=1350100800&en=2c2f1fecfed4fc6b&ei=5090&partner=rssuserland&emc=rss

LABELS SUE USENET SERVICE (Billboard.biz, 15 Oct 2007) - Major record companies have filed a copyright infringement lawsuit against Usenet.com, Billboard.biz has learned. The suit claims that the usenet.com service sells access to content that includes millions of unauthorized music files and “touts its service as a haven for those seeking pirated content.” Typically, a usenet system is made up of a large number of computer servers that communicate with each other. An individual user reads and posts messages to a company’s local computer server. Messages are stored on that server and then exchanged with other servers, often globally. The complaint, filed late Friday in the federal District Court in New York, alleges that Fargo, N.D.-based usenet.com enables and encourages its customers to reproduce and distribute millions of the labels’ recordings without permission. Specifically, the complaint alleges, usenet.com loads online bulletin boards or “newsgroups” obtained from the usenet network onto its server. It then sells access to the newsgroups that it has chosen to host on its usenet.com service. The suit claims that many of the newsgroups that usenet.com chooses to offer “are explicitly dedicated to copyright infringement.” http://www.billboard.biz/bbbiz/content_display/industry/e3i66abf6954df1d43fbdf1692e0860d269 [Editor: I’ve never heard of “usenet.com”, but they sound like a slightly-repackaged version of pure usenet protocol-derived content. I’ve been waiting for more than a decade for someone to try to shut down NNTP, and sue uploaders. See http://howto.wired.com/wiredhowtos/index.cgi?page_name=share_files_on_usenet;action=display;category=Play for related Wired article on usenet.]

TELECOMS BARRED FROM DISCLOSING SPYING (Washington Post, 15 Oct 2007) - Three telecommunications companies have declined to tell Congress whether they gave U.S. intelligence agencies access to Americans’ phone and computer records without court orders, citing White House objections and national security. Director of National Intelligence Mike McConnell “formally invoked the state secrets privilege to prevent AT&T from either confirming or denying” any details about intelligence programs, AT&T general counsel Wayne Watts wrote in a letter to the House Energy and Commerce Committee. Qwest and Verizon also declined to answer, saying the federal government has prohibited them from providing information, discussing or referring to any classified intelligence activities. “Our company essentially finds itself caught in the middle of an oversight dispute between the Congress and the executive relating to government surveillance activities,” Watts wrote. The White House declined to comment on the matter Monday. The letter from Verizon provided some detail on the kind of information the government is seeking. Verizon has been regularly asked in subpoenas and national security letters to identify a “calling circle” for certain telephone numbers and to provide related subscriber information. The company has never complied with such a request as it does not maintain calling-circle records, according to Verizon general counsel Randal Milch. http://www.washingtonpost.com/wp-dyn/content/article/2007/10/15/AR2007101501279.html

- and -

VERIZON SAYS IT TURNED OVER DATA WITHOUT COURT ORDERS (Washington Post, 16 Oct 2007) - Verizon Communications, the nation’s second-largest telecom company, told congressional investigators that it has provided customers’ telephone records to federal authorities in emergency cases without court orders hundreds of times since 2005. The company said it does not determine the requests’ legality or necessity because to do so would slow efforts to save lives in criminal investigations. In an Oct. 12 letter replying to Democratic lawmakers, Verizon offered a rare glimpse into the way telecommunications companies cooperate with government requests for information on U.S. citizens. Verizon also disclosed that the FBI, using administrative subpoenas, sought information identifying not just a person making a call, but all the people that customer called, as well as the people those people called. Verizon does not keep data on this “two-generation community of interest” for customers, but the request highlights the broad reach of the government’s quest for data. The disclosures, in a letter from Verizon to three Democrats on the House Energy and Commerce Committee investigating the carriers’ participation in government surveillance programs, demonstrated the willingness of telecom companies to comply with government requests for data, even, at times, without traditional legal supporting documents. The committee members also got letters from AT&T and Qwest Communications International, but those letters did not provide details on customer data given to the government. None of the three carriers gave details on any classified government surveillance program. http://www.washingtonpost.com/wp-dyn/content/article/2007/10/15/AR2007101501857.html

SWIFT TO STOP PROCESSING EU BANKING DATA IN THE US (The Register, 15 Oct 2007) - Payments processing body SWIFT will stop processing European banking transactions in the US in 2009. It is planning a restructuring of its network and the building of a new operations centre in Switzerland. SWIFT has been heavily criticised for allowing US authorities access to records of banking transactions involving European citizens. It was revealed by The New York Times last year that US intelligence agencies were allowed to view Europeans’ transactions. SWIFT argued that it was obliged to comply with US orders because it carried out hosting and processing of information in the US. European data protection officials have condemned the release of the information. European, Swiss, and Belgian data protection authorities all ruled that SWIFT had broken data protection laws in supplying the information without informing bank customers of the US surveillance. Europe’s advisory committee of privacy watchdogs, the Article 29 Working Party, has revealed that SWIFT is being reorganised to lessen the risk of surveillance, but not until 2009. “The Working Party has been informed of recent measures taken by SWIFT with regard to transparency, as well as its decision to restructure its network,” said a statement from the Working Party recounting the business of its meeting last week. “The new structure foresees by the end of 2009 the creation of a new operation centre in Switzerland. This means personal data in intra-European transactions will no longer be processed in the US operating centre,” said the body. http://www.theregister.co.uk/2007/10/15/swift_processing_halt/print.html

FANTASY SPORTS RULING COULD HAVE WIDE IMPACT (USA Today, 17 Oct 2007) - CBC Distribution and Marketing’s second legal victory against Major League Baseball and the Major League Baseball Players Association over use of player names and statistics Tuesday could have a far-reaching impact on the nation’s 17 million fantasy sports players — and their real-life player counterparts throughout professional sports, industry experts predict. MLB’s record in court sends a message that “statistics are in the public domain,” says Greg Ambrosius, editor of Fantasy Sports Magazine. In the closely watched decision, the U.S. Court of Appeals for the 8th Circuit in St. Louis affirmed a 2006 ruling that CBC could use player names and stats without paying a licensing fee. MLB and the union argued those numbers were the intellectual property of the league and its players. http://www.usatoday.com/sports/fantasy/2007-10-16-fantasy-ruling_N.htm

IMF’S TOP ECONOMIST BLOGS (Reuters, 18 Oct 2007) - The public can now “blog” the chief economist of the International Monetary Fund on such matters as global growth or turmoil in financial markets. The IMF’s Economic Counselor, Simon Johnson, launched the blog in conjunction with the fall meetings of the IMF and its sister organization, the World Bank, in Washington from Saturday through Monday. Johnson wants people to send in questions and comments on the IMF’s World Economic Outlook, a twice-yearly snapshot of world growth estimates. “We’re trying to use new technology to reach existing and potentially new audiences. So far, the response looks promising.” In Johnson’s first post of the day, he says the global financial turmoil in August was a surprise not only in scale but also how quickly it jumped across various markets. http://news.yahoo.com/s/nm/20071018/wr_nm/imf_blog_dc_2;_ylt=Ag3vHodwokOAYxS8jgeIUHQE1vAI

MEDIA, INTERNET COMPANIES JOIN TO ISSUE GUIDELINES ON COPYRIGHTED VIDEO (SiliconValley.com, 18 Oct 2007) - A coalition of major media and Internet companies Thursday issued a set of guidelines for handling copyright-protected videos on large user-generated sites such as MySpace. Conspicuously absent was Google Inc., whose YouTube Web site this week rolled out its own technology to filter copyrighted videos once they’ve been posted. Media companies Walt Disney Co., Viacom Inc., CBS Corp., NBC Universal and News Corp. joined Internet companies Microsoft Corp., MySpace, Veoh Networks and Dailymotion to issue the guidelines, which would require sites to use filtering technology to block copyrighted clips from being posted without permission. The incentive for the coalition’s Web sites and others to comply is the media companies’ promise not to sue if any copyrighted material sneaks past their best efforts to block it. “Today’s announcement marks a significant step in transforming the Internet from a Wild West to a popular medium that respects the rule of law,” NBC Universal president and chief executive Jeff Zucker said in a statement. “By recognizing the mutual benefits of a technology-based framework to control piracy, technology and content companies have laid the foundation for the lawful growth of video on the Internet.” Web companies that are being sued by content owners might be reluctant to join such coalitions, especially when other coalition members are seeking compensation for past violations, said Internet attorney Andrew Bridges of the San Francisco firm Winston & Strawn. http://www.siliconvalley.com/news/ci_7215686?nclick_check=1 Guidelines at http://www.ugcprinciples.com/

**** INTERESTING ****
Very funny Star Wars-inspired YouTube video “Chad Vader” at http://www.youtube.com/watch?v=4wGR4-SeuJ0. I’m impressed that there’s apparently not yet been a misappropriation/copyright infringement suit; maybe there’s still hope for fair-use.

THE STORM WORM (Counterpane essay by Bruce Schneier, 15 Oct 2007) - http://www.schneier.com/crypto-gram-0710.html#1 [Editor: Interesting and frightening summary of the Storm Worm; a harbinger.]

**** RESOURCES ****
FIVE SECURITY RELATED NIST PUBLICATIONS (SANS NewsBites, 5 Oct 2007) - The National Institute of Standards and Technology (NIST) has released five new and revised publications related to information security: SP 800-44 version 2, “Guidelines on Securing Public Web Servers;” Draft SP 800-55 Revision 1, “Performance Measurement Guide for Information Security;” Draft SP 800-61 Revision 1, “Computer Security Incident Handling Guide;” SP 800-82, “Guide to Industrial Control Systems Security;” and Draft SP 800-110, “Information System Security Reference Model.” http://csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-44v2.pdf http://csrc.nist.gov/publications/drafts/800-55-rev1/Draft-SP800-55r1.pdf http://csrc.nist.gov/publications/drafts/sp800-61-rev1/Draft-SP800-61rev1.pdf

COPYRIGHT OFFICE ANNOUNCES CUSTOMIZED EMAIL SUBSCRIPTION SERVICES (US Copyright Office, 2 Oct 2007) - The Copyright Office is pleased to announce that it has implemented a new email subscription service to make it easier to receive messages on the topics that interest you. This service is an expansion and replacement of the existing NewsNet newsletter. At this time, we are offering three topics:
* “What’s New at the Copyright Office,” which alerts subscribers to general copyright-related news and additions to our website;
* “Licensing,” which provides updates on regulations and procedures for compulsory and statutory licenses; and
* “Legislative Developments,” which alerts users to copyright-related bills introduced in Congress or enacted into law.
Additional topic areas may be added in the future when high-interest Copyright Office activities occur. http://www.copyright.gov/newsnet/2007/323.html

INTERNET LIBRARY OF LAW - The Internet Law Library, authored exclusively by Martin H. Samson, features extensive summaries of over 480 court decisions shaping the law of the web; providing facts, analysis and pertinent quotes from cases of interest to those who do business on the Internet and in New Media. These court decisions address a broad array of topics, including copyright and trademark infringement, dilution and other intellectual property issues, jurisdiction, linking, framing, keying, meta tags, pop-up ads, consumer complaint or gripe sites, tax, clip-art, online defamation, domain name disputes, e-mail, privacy, subpoenas, MP3s, encryption, gambling, click-wrap agreements, shrink wrap licenses, and spam, among others. Decisions applying and interpreting a number of statutes, such as the Communications Decency Act, the Digital Millennium Copyright Act, the Electronic Communications Privacy Act, and the Anticybersquatting Consumer Protection Act, are also analyzed. To paraphrase Jack Webb, “just the law ma’am, and nothing but the law.” We provide a brief synopsis of each court decision, indexed alphabetically by subject matter. If the decision is of interest, click on its case title for a more thorough analysis of the court’s decision, and, where available, its full text. http://www.internetlibrary.com/

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuireWoods’ Technology & Business Articles of Note, http://tinyurl.com/ywsusp
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.