MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee.
Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.abanet.org/dch/committee.cfm?com=CL320000 (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley (vpolley@REMOVETHISSTRINGvip-law.com) with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.
Recent MIRLN editions are archived at www.vip-law.com and blogged at http://mirln.blogspot.com/.
**************End of Introductory Note***************
**** ABA CYBERSPACE MEETING ****
The Cyberspace Law Committee will hold its Winter Working Meeting in a real winter venue this time: Minneapolis, 25-26 January 2008. Come and bask with old and new friends in the Twin Cities for the most concentrated and productive cyberlaw discussions anywhere. Information at http://www.abanet.org/buslaw/committees/CL320000pub/meetings.shtml
PATRIOTS GET TICKET SELLERS’ NAMES (MSNBC, 18 Oct 2007) - The New England Patriots have won a bid to get the names of all the fans who bought or sold, or tried to buy or sell, tickets to home games through online ticket reseller StubHub Inc., a move one technology group sees as an invasion of privacy. In a lawsuit filed last year against San Francisco-based StubHub, claiming it encourages fans to break state law and violate team policies, the team said it could seek to revoke season tickets of people who use StubHub. A lawyer for the Patriots wouldn’t say what they plan to do with the 13,000 names, which StubHub released to the team last week after losing its appeal of a Massachusetts state court ruling. http://www.msnbc.msn.com/id/21367577/
SOME FILE-SHARING BEING HINDERED BY COMCAST (SiliconValley.com, 20 Oct 2007) - Comcast actively interferes with attempts by some of its high-speed Internet subscribers to share files online, a move that runs counter to the tradition of treating all types of Net traffic equally. The interference, which the Associated Press confirmed through nationwide tests, is the most drastic example yet of data discrimination by a U.S. Internet service provider. It involves company computers masquerading as those of its users. If widely applied by other ISPs, the technology Comcast is using would be a crippling blow to the BitTorrent, eDonkey and Gnutella file-sharing networks. While these are mainly known as sources of copyright music, software and movies, BitTorrent in particular is emerging as a legitimate tool for quickly disseminating legal content. The principle of equal treatment of traffic, called “Net neutrality” by proponents, is not enshrined in law but supported by some regulations. Most of the debate around the issue has centered on tentative plans, now postponed, by large Internet carriers to offer preferential treatment of traffic from certain content providers for a fee. Comcast’s interference, on the other hand, appears to be an aggressive way of managing its network to keep file-sharing traffic from swallowing too much bandwidth and affecting the Internet speeds of other subscribers. http://www.siliconvalley.com/news/ci_7233634?nclick_check=1 [Editor: There’s an excellent, 10-hour podcast from Stanford on the underlying technical, legal, and economic underpinnings of the internet, which usefully informs discussion about “net neutrality” and management techniques like Comcast’s - it’s in iTunesU and is titled “The Future of the Internet” (Prof. Ramesh Johari)]
EU BANKS STILL STRUGGLING WITH IT SECURITY (Computer World, 22 Oct 2007) - Banks are still confused about how to best manage information and measure risks, according to research from Datamonitor and RSA Security. Most banks rely too much on IT for security and are overly confident in how effective security measures can be, according to a survey of IT directors of top tier banks from the UK, France, Germany, Italy, Spain, Belgium, the Netherlands and Luxembourg. The survey findings, which were presented today at this year’s RSA Security Conference Europe, showed that only 19% of banks recognised that perimeter security could not be totally effective in protecting the banks’ information. Nearly half (47%) of respondents already focus on securing information over the perimeter. But only 43% see the need to extend the security management of their data to partners, consultants and contractors. And almost half of respondents admitted to complying with regulations on a case by case basis, rather than taking a more strategic approach. Just 32% were comfortable that IT security was not managed in silos in their organisation. Among UK banks, the majority of respondents agreed that security was more than an IT issue and there was a strong belief that information security should extend to third parties. The survey found that UK IT directors have fewer illusions than their counterparts in other countries about the comprehensiveness of their enterprise-wide data view. However, they were still over-confident about the capabilities of perimeter security, and only half focused on protecting information over securing the perimeter. And 40% disagreed with the notion that information risk management should be driven at the enterprise level. http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsid=5780&print
BLOGGING: ETHICAL CONSIDERATIONS FOR THE LAWYER, LEGAL IMPLICATIONS FOR THE CLIENT (ABA Journal, 22 Oct 2007) - Just how rampant are blogs? How and why would you use them? And – perhaps most important – why should I care? These were some of the myriad issues discussed during a recent CLE program, “Blogging: Ethical Considerations for the Lawyer, Legal Implications for the Client,” sponsored by the Law Practice Management Section; General Practice, Solo and Small Firm Division; and the ABA Center for Continuing Legal Education. Panelist Tim Stanley, CEO at Justia, Inc., in Palo Alto, Calif., tracks the rampant escalation of the creation of blogs, and says that there are now between 15,000 and 20,000 lawyer blogs. He cites the relative ease in creating and putting up blogs, as well as the low or no cost in building and maintaining them, as reasons for the boom. Still, the popularity of blogs has surprised people, he said. Stanley shared a tip on creating a successful blog: those that are more personal in nature – where a sense of the blogger’s personality comes through – tend to do well, advised Stanley. The impact of blogs is increasing as quickly as the blog phenomenon is growing. It’s now common to get quoted and be promoted in traditional media through one’s blog. Moderator Micah Buchdahl, vice chair of the ABA’s Law Practice Management Section, cautions that blogs can be a labor issue within your firm as well as raise ethical considerations. Buchdahl noted how some of the ABA model rules of professional conduct apply to blogging. It’s important to have a policy on blogs in one’s workplace, just as one would have a policy on use of the Internet or of electronic communications such as e-mail, stressed William W. Bowser, a partner in the employment law section at Young Conaway Stargatt and Taylor in Wilmington, Del., who has represented both private and public employers on a range of labor and employment matters. Blog policies should be updated and passed along periodically to employees. http://www.abanet.org/media/youraba/200710/article08.html
GOVERNMENT CONSIDERS MANDATING INTERNET SERVICE PROVIDERS TO FORWARD CUSTOMERS’ E-MAILS (SiliconValley.com, 23 Oct 2007) - The post office forwards letters when a person moves, and telephone companies likewise forward calls. Should Internet companies be required to forward e-mails to customers who switch providers? There is no mandate governing e-mail forwarding, and industry officials say imposing one would be costly and unnecessary. But federal regulators are looking at the issue more closely following a complaint from a former America Online customer who claims an abrupt termination of service devastated her business. Gail Mortenson, a Washington-based freelance editor, in July filed a six-page petition with the Federal Communications Commission, which opened a 30-day public comment period that ends Oct. 26, followed by another 30-day period for replies. Mortenson said in her complaint that she lost potential clients because they couldn’t reach her, and she requested that Internet service providers, such as Time Warner Inc.’s AOL LLC, be required to forward e-mail traffic from a closed account to a new e-mail address designated by customers for at least six months. FCC spokesman Clyde Ensslin said he wasn’t aware of previous petitions regarding e-mail address forwarding or portability. While mainstream consumer groups have not taken up the cause, it is starting to gain some attention in Congress. Mortenson said a representative from the House Oversight and Government Reform Committee, chaired by Rep. Henry Waxman, D-Calif., contacted her Monday to say they were watching to see how the FCC handles her complaint. http://www.siliconvalley.com/news/ci_7258712?nclick_check=1
ABA WEB STORE A WINNING WEB SITE, SAYS WEB MARKETING ASSOCIATION (ABA Journal, 23 Oct 2007) - The ABA Web Store, http://www.ababooks.org, earned the 2007 Best Associations Website Award from the Web Marketing Association in its annual international WebAwards competition. “This award demonstrates the success of the ABA Web Store in not only improving the member buying experience, but it also reinforces the relevance, quality, and value of both ABA content and the ABA brand,” said Bryan Kay, director of ABA Publishing. Each site considered by the Web Marketing Association is judged on a 10-point scale in seven categories, including design, innovation, content, technology, interactivity, copywriting and ease of use. Nominations are submitted by interactive agencies and Web site marketing departments in more than 33 countries around the world. http://www.abanet.org/media/youraba/200710/article05.html
PRIVACY LOST: THESE PHONES CAN FIND YOU (New York Times, 23 Oct 2007) - Two new questions arise, courtesy of the latest advancement in cellphone technology: Do you want your friends, family, or colleagues to know where you are at any given time? And do you want to know where they are? Obvious benefits come to mind. Parents can take advantage of the Global Positioning System chips embedded in many cellphones to track the whereabouts of their phone-toting children. And for teenagers and 20-somethings, who are fond of sharing their comings and goings on the Internet, youth-oriented services like Loopt and Buddy Beacon are a natural next step. Sam Altman, the 22-year-old co-founder of Loopt, said he came up with the idea in early 2005 when he walked out of a lecture hall at Stanford. “Two hundred students all pulled out their cellphones, called someone and said, ‘Where are you?’” he said. “People want to connect.” But such services point to a new truth of modern life: If G.P.S. made it harder to get lost, new cellphone services are now making it harder to hide. “There are massive changes going on in society, particularly among young people who feel comfortable sharing information in a digital society,” said Kevin Bankston, a staff lawyer at the Electronic Frontier Foundation based in San Francisco. “We seem to be getting into a period where people are closely watching each other,” he said. “There are privacy risks we haven’t begun to grapple with.” But the practical applications outweigh the worries for some converts. Kyna Fong, a 24-year-old Stanford graduate student, uses Loopt, offered by Sprint Nextel. For $2.99 a month, she can see the location of friends who also have the service, represented by dots on a map on her phone, with labels identifying their names. They can also see where she is. One night last summer she noticed on Loopt that friends she was meeting for dinner were 40 miles away, and would be late. Instead of waiting, Ms. Fong arranged her schedule to arrive when they did. “People don’t have to ask ‘Where are you?’” she said. Ms. Fong can control whom she shares the service with, and if at any point she wants privacy, Ms. Fong can block access. Some people are not invited to join — like her mother. Some situations are not so clear-cut. What if a spouse wants some time alone and turns off the service? Why on earth, their better half may ask, are they doing that? What if a boss asks an employee to use the service? http://www.nytimes.com/2007/10/23/technology/23mobile.html?ex=1350792000&en=e35f69f5f68eeb68&ei=5090&partner=rssuserland&emc=rss
FROM OLD TO NEW MEDIA: BLOG BEGETS PUBLISHING HOUSE (Wired, 24 Oct 2007) - A small press, growing? How could it be? Against market trends, Dzanc Books is a small publisher poised to succeed, hiring staff and expanding quickly. And that may be because it sprouted from a blog rather than a traditional printing press, and it is certainly web-savvy. Since its launch in 2006, Dzanc Books has acquired other presses, signed numerous authors, launched an education program and started an award - the Dzanc Prize - to encourage writers to undertake community literacy projects. Dzanc is growing at a time when there are few independent publishers left, and the remaining ones were hit hard by the recent bankruptcy of Advanced Marketing Services, a major distributor. “We do not intend to fall into the potholes that sent the hubcaps of our predecessors flying,” says co-founder Steve Gillis. “We are not caught in the old template of how publishing has been done.” Director Dan Wickett has gone from amateur blogger to publisher, reversing the traditional flow from old to new media. Wickett, a quality-control manager and auto-parts supplier, wrote a book review in 2000 and sent it to some cousins, an uncle and a few friends. They liked it and asked for more. In 2005, Wickett started a literary blog, the Emerging Writers Network, which now counts 2,100 subscribers. He got seed money in 2006 from novelist Gillis, a former lawyer who “got freaking lucky” in the 1980s stock market. Gillis quit his day job to become the director of Dzanc, which is set up as a nonprofit with a charitable arm. (The name comes from the initials of the two founders’ five kids.) Dzanc prints traditional books - not e-books - and is a virtual operation. Wickett and Gillis both live in southeast Michigan but rarely meet face-to-face. Almost all the work they and their staff do uses e-mail. Dzanc employs internet-based strategies to get the word out. It avoids traditional advertising and relies on viral marketing. The company has hit hundreds of online journals, blogs and web writers with promotional news. “I have been as much of a pain-in-the-neck presence online as I could have been in last five years,” says Wickett. “We have developed fairly large communities of readers and writers we believe will support us. If half of our members ran out and bought a book, it would be more successful than many small-press books.” Other small and independent presses - which publish anywhere from three to three dozen titles a year - are also leveraging the web to get readers. http://www.wired.com/techbiz/startups/news/2007/10/dzancbooks
CT RULES PAY-PER-CLICKS MAKE SITE INTERACTIVE (BNA’s Internet Law News, 25 Oct 2007) - BNA’s Electronic Commerce & Law Report reports that a federal court in Illinois has ruled that hyperlinks that, when clicked, create revenue for the Web site owner, make the site “interactive” for jurisdictional purposes. The court said that jurisdictional due process requirements were satisfied when a Web site devoted to Illinois attractions made money off of Illinois-related links. Case name is Chicago Architecture Found. v. Domain Magic LLC.
TEEN’S TICKET HINGES ON GPS VS. RADAR (AP, 25 Oct 2007) - Given the option of contesting a traffic ticket, most motorists — 19 out of 20 by some estimates — would rather pay up than pit their word against a police officer’s in court. A retired sheriff’s deputy nevertheless hopes to beat the long odds of the law by setting the performance of a police officer’s radar gun against the accuracy of the GPS tracking device he installed in his teenage stepson’s car. The retired deputy, Roger Rude, readily admits his 17-year-old stepson, Shaun Malone, enjoys putting the pedal to the metal. That’s why he and Shaun’s mother insisted on installing a global positioning system that monitors the location and speed of the boy’s Toyota Celica. Shaun complained bitterly about his electronic chaperone until it became his new best friend on July 4, when he was pulled over and cited for going 62 mph in a 45 mph zone. Rude encouraged him to fight the ticket after the log he downloaded using software provided by the GPS unit’s Colorado-based supplier showed Shaun was going the speed limit within 100 feet of where a Petaluma officer clocked him speeding. “I’m not trying to get a guilty kid off,” Rude said. “I’ve always had faith in our justice system. I would like to see the truth prevail and I would like Shaun to see that the system works.” Though traffic courts do not routinely accept GPS readouts as evidence of a vehicle’s speed — and many GPS receivers aren’t capable of keeping records anyway — some tech-savvy drivers around the world slowly are starting to use the technology to challenge moving violations, according to anecdotal accounts from defense lawyers and law enforcement officials. This summer, for instance, an Australian farmer became a hero to speeders everywhere when he got a ticket dismissed after presenting police with data from his tracking device. http://news.yahoo.com/s/ap/20071025/ap_on_hi_te/gps_ticket_challenge_2;_ylt=AqQNpp8EBcOU7m1GfgBMMYoE1vAI
“LAST SUPPER” TO GO ONLINE (Reuters, 25 Oct 2007) - A high-resolution image of Da Vinci’s “Last Supper” will soon be posted on the Internet by an Italian technology firm, allowing art lovers and conspiracy theorists alike to scrutinize it from their own computers. The digital imaging firm, called HAL9000 after the killer computer in Stanley Kubrick’s film “2001: A Space Odyssey,” will post the 16- to 17-gigapixel image on its Web site (http://www.haltadefinizione.com) on Saturday. Located in a former monks’ dining hall adjacent to a church in Milan, the 500-year-old mural by Leonardo Da Vinci depicts Jesus Christ when he predicts that one of his apostles will betray him. Since the publication of the phenomenally successful novel, “The Da Vinci Code,” theories have abounded about the true meaning of the mural, known in Italian as “Cenacolo.” HAL9000 General Manager Vincenzo Mirarchi told Reuters on Thursday the reason behind the firm’s decision to post the image on its Web site was to provide an innovative way to appreciate art rather than encourage speculation about its meaning. So many tourists visiting Milan want to see it that they often have to make reservations at least a month in advance. The posting of the “Last Supper” on the site, a project that has received technical support from Italian publisher De Agostini, will likely bring more hits to the firm’s Web site than other images posted in the past, said Mirarchi. Among the other images is a fresco painted by Andrea Pozzo in 1685-1694 at the Sant’Ignazio di Loyola Church in Rome. http://news.yahoo.com/s/nm/20071025/wr_nm/lastsupper_dc_3;_ylt=ApehgSKPtRfwvgkARtNPBVAE1vAI
NEW LAW MEANS SIGNIFICANTLY HIGHER FINES FOR TECH TRADING SNAFUS (Steptoe & Johnson’s E-Commerce Law Week, 25 Oct 2007) - On October 16, President Bush signed the International Emergency Economic Powers Enhancement Act (IEEPA Enhancement Act), which amends the IEEPA to significantly increase the civil and criminal penalties available for violations of various U.S. export and sanctions rules. In addition to higher fines for violations of nearly all of the economic sanctions programs administered by the Treasury Department’s Office of Foreign Assets Control (OFAC), the IEEPA Enhancement Act also increases liability for breaching the anti-boycott and export control rules in the Export Administration Regulations (EAR), established by the Commerce Department’s Bureau of Industry and Security (BIS). The new penalties could have a significant impact on international trade in high-tech items, since the EAR controls the export of many types of sensitive computer software and hardware, including those that use encryption. Because fines for violations of the EAR could now reach into the millions of dollars, all companies that regularly move restricted technologies across the U.S. border should consider redoubling their efforts to ensure EAR compliance. http://www.steptoe.com/publications-4932.html
SCOPE OF TJX DATA BREACH DOUBLES: 94M CARDS NOW SAID TO BE AFFECTED (Computer World, 24 Oct 2007) - For anyone who thought that 45 million was an absurdly high number of payment cards to be compromised in a data breach, try 94 million. That’s the total number of cards actually exposed in the breach disclosed by TJX Companies Inc. earlier this year, according to court documents filed yesterday by a group of banks suing the Framingham, Mass.-based retailer over the incident. The filings, made in federal court in Boston, relate to a dispute over whether the multiple financial institutions who are plaintiffs in the case should be treated as a class or whether each bank would be required to pursue individual cases against TJX. The plaintiffs in the case include the Massachusetts Bankers Association, the Connecticut Bankers Association, the Maine Association of Community Banks and AmeriFirst Bank Inc. In documents arguing for class action status, the banks claim that the TJX breach affected 94 million separate card holder accounts over a 17-month period - not 45.6 million accounts, as TJX had disclosed. Quoting figures supplied by the card companies themselves, the bankers said that the breach affected approximately 65 million Visa account numbers and an additional 29 million MasterCard accounts. To date, the losses by card-issuing companies on Visa accounts alone total between $68 million and $83 million, the banks said, citing the Visa information. “Unlike other limited data breaches where ‘pastime hackers’ may have accessed data with no intention to commit fraud, in this case it is beyond doubt that there is an extremely high risk that the compromised data will be used for illegal purposes,” the bankers said in an affidavit. “Faced with overwhelming exposure to losses it created, TJX continues to downplay the seriousness of the situation.” http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9043944&source=NLT_PM&nlid=8
- and -
COURT FILING: TJX WAS WARNED ABOUT LAX SECURITY BEFORE MASSIVE BREACH (SiliconValley.com, 26 Oct 2007) - TJX Cos. was warned it had inadequate safeguards to protect credit card data the year before hackers broke into the discount retailer’s systems and unearthed information from an estimated 100 million credit cards, banks that are suing TJX allege in a court filing. Despite the 2004 warning about compliance with credit card industry standards, TJX failed to fix many of the problems before hackers first broke into the company’s systems in July 2005, according to the filing late Thursday in U.S. District Court in Boston. “This report identified numerous serious deficiencies at TJX, including specifically violations. TJX did not remedy many of these deficiencies,” the filing says. Sherry Lang, a spokeswoman for Framingham, Mass.-based TJX, declined to comment Friday. However, TJX has previously defended its security, and recently said it invested “millions” of dollars before the breach on computer security “and believes our security was comparable to many major retailers.” The court filing alleges that after the breach, a consultant found TJX had failed to comply with nine of 12 standards that credit card firms impose on merchants to protect data. Visa issued “a substantial fine” against TJX for “egregious violation” of security standards, the filing says, and MasterCard levied “additional fines.” The fine amounts weren’t specified, and officials with Visa and MasterCard declined to immediately comment Friday. The filing does not offer further detail on the 2004 report, titled “Verisign Report of CISP Compliance.” It is among a handful of documents sealed in the court case because they contain technical details about TJX’s security. http://www.siliconvalley.com/news/ci_7290184 See also http://www.eweek.com/article2/0%2C1895%2C2208615%2C00.asp and http://www.darkreading.com/document.asp?doc_id=138838
STORM WORM STRIKES BACK AT SECURITY PROS (Network World, 24 Oct 2007) - The Storm worm is fighting back against security researchers who seek to destroy it and has them running scared, Interop New York show attendees heard Tuesday. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says Josh Corman, host-protection architect for IBM/ISS, who led a session on network threats. “As you try to investigate [Storm], it knows, and it punishes,” he says. “It fights back.” As a result, researchers who have managed to glean facts about the worm are reluctant to publish their findings. “They’re afraid. I’ve never seen this before,” Corman says. “They find these things but never say anything about them.” And not without good reason, he says. Some who have managed to reverse engineer Storm in an effort to figure out how to thwart it have suffered DDoS attacks that have knocked them off the Internet for days, he says. As researchers test their versions of Storm by connecting to Storm command-and-control servers, the servers seem to recognize these attempts as threatening. Then either the worm itself or the people behind it seem to knock them off the Internet by flooding them with traffic from Storm’s botnet, Corman says. A recently discovered capability of Storm is its ability to interrupt applications as they start up and either shut them down or allow them to appear to start but disable them. Users will see that, say, antivirus is turned on, but it isn’t scanning for viruses, or as Corman puts it, it is brain-dead. http://www.networkworld.com/news/2007/102407-storm-worm-security.html [Editor: This is extremely sophisticated stuff, strongly suggesting something like organized, government-affiliated entities behind the scenes.]
UBC TRACKED HIS ‘THEFT OF TIME’ (The Province, 25 Oct 2007) - The University of B.C. wants the right to keep using “spyware” to monitor its employees’ Internet use. And the university - which used the software to fire a worker who surfed non-work-related websites for hours a day - has gone to court to challenge an anti-spyware order by B.C.’s privacy commission. Michel Mandono, an engineering technician in UBC’s botany department, was fired in February 2005 for “repeated theft of time” as well as failure to perform his work, excessive lateness, dishonesty and breach of trust. His dismissal record also showed Mandono came to work late and left early, and over a two-month period was in effect paid for nine hours he didn’t work. His union is grieving the dismissal at an arbitration hearing set for December. UBC installed the spyware over Christmas 2004 and found that, in 10 working days, Mandono had surfed sites such as canadamortgage.com, hr.ubc.ca (job postings), scubadiving.com, ebay.com, cia.gov and peacecorpsonline.org for a total of 23 hours and 39 minutes. His surfing ranged from 34 minutes to four hours a day, or a daily average of 2½ hours. Mandono said he surfed the sites in front of his supervisor and was never told his work performance was lacking. Mandono, who did not return phone messages yesterday, filed a complaint under B.C.’s privacy laws, arguing that UBC had improperly breached his privacy to collect personal information. http://www.canada.com/theprovince/news/story.html?id=a7dc308c-65ca-42e2-b3ef-c0a7c67869a4
NIST DRAFTS GUIDANCE ON RISK MANAGEMENT (GCN, 26 Oct 2007) - The National Institute of Standards and Technology has issued a draft of a new report that may become essential reading for government managers, who all must be sure their information technology systems are compliant with the Federal Information Security Management Act. NIST’s Information Technology Laboratory developed the report, “Managing Risk from Information Systems: An Organizational Perspective” (SP-800-39-ipd.pdf). Ron Ross, the NIST FISMA implementation project leader, is an author, along with Stu Katzke, Arnold Johnson, Marianne Swanson and Gary Stoneburner. This report tackles the problem of dealing with risk. FISMA requires that agencies make their IT security decisions based on risk assessments. The report defines what risk is, as well as how to apply the NIST Risk Management Framework to government IT systems. The report is part of a larger effort NIST is undertaking with the Director of National Intelligence, the Department of Defense and the Committee on National Security Systems to establish a baseline for government IT security. http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=45302 [Editor: Little actionable here. Report at http://csrc.nist.gov/publications/drafts/800-39/SP-800-39-ipd.pdf]
COURT ADDS TO DISAGREEMENT OVER WHEN ACCESS TO COMPUTER IS “AUTHORIZED” (Steptoe & Johnson’s E-Commerce Law Week, 27 Oct 2007) - Companies that want to go after former employees who pilfered or destroyed company data on the way out the door are increasingly turning to the Computer Fraud and Abuse Act (CFAA). There are many ways to state a claim under this statute, including by showing that the former employee’s access to the information was “without authorization” (sections (a)(5)(A)(ii-iii)), or that the employee transmitted a command that “intentionally cause[d] damage without authorization” to a company computer (section (a)(5)(A)(i)). However, courts disagree over whether an employee with authorization to access a company computer can be said to act without authorization when, while still employed with the company, he or she surreptitiously steals information from, or causes damage to, such a computer. In B&B Microscopes v. Armogida, a federal court in Pennsylvania deepened this split, finding that former B&B employee Luigi Armogida did not access his company laptop without authorization when he deleted files from his computer, since he was still employed by B&B at the time of the access. But, because the damage Armogida intentionally caused was not authorized, the court still ruled that he had violated the CFAA. Given the unsettled nature of the law on unauthorized access, CFAA plaintiffs may want to follow B&B’s lead by pursuing an additional claim for unauthorized damage. http://www.steptoe.com/publications-4953.html
VIRTUAL VENDORS IN SECOND LIFE FILE REAL-WORLD LAWSUIT IN NYC (SiliconValley.com, 28 Oct 2007) - It may be a virtual world, but six merchants in the online environment Second Life have filed a real-world lawsuit over what they say are knockoffs of their digital wares. The lawsuit, filed last week in a federal court in Brooklyn, accuses Queens resident Thomas Simon of copycatting in Second Life, an Internet universe with more than 10 million registered members. Creating virtual identities known as avatars, members spend an average of more than $1 million a day in real money to buy food, clothes, shelter and other items. The vendors suing Simon say he violated copyright and trademark laws by duplicating their products. The lawsuit seeks damages equal to three times their lost profits, without specifying an amount. “This is not a joke,” said their lawyer, Frank Tanney. “This hurts them.” Simon, who goes by Rase Kenzo in Second Life, denied any wrongdoing. “It’s a video game,” said Simon, 36. “I didn’t know you could sue anyone over it.” Claims of product cloning in Second Life have already spawned at least one other lawsuit, filed in July in a federal court in Tampa, Fla. Members also have sued the online world’s creator, San Francisco-based Linden Lab, over alleged seizures of their virtual property. http://www.siliconvalley.com/news/ci_7306539
- and -
LAW FIRM PLANS REAL-LIFE PRACTICE AT VIRTUAL ‘SECOND LIFE’ OFFICE (ABA Journal, 6 Nov 2007) - Bridging the gap between a fictional 3D world on the Internet known as “Second Life” and real life, a United Kingdom law firm reportedly has opened an office there not simply to play at law practice or recruit clients but to perform real-life legal functions. “Many of our clients have injuries which can make it difficult for them to meet us at our offices. Others are too busy. Second Life is a way of ‘seeing’ your legal representative and receiving advice without coming to our office,” Craig Jones, the operations director at Birmingham’s Simpson Millar tells the Birmingham Post. A small but growing number of avant-garde law firms are establishing a presence in Second Life’s online community. However, few apparently have attempted actually to practice law there. A Canadian law firm, Davis LLP, claimed earlier this year to be the first to open a Second Life law office, as discussed in a previous ABAJournal.com post, though other lawyers reportedly have already found the virtual world a potentially lucrative game to play, as discussed in a March 2007 ABA Journal feature story. And an ABA Journal cover story this month notes that such activities can present potential ethics pitfalls for American lawyers. Nonetheless, where these law firms have already gone, others are virtually sure to follow. “The legal profession is in desperate need of change and modernization to meet the challenges of growing competition,” says Brian Allan, business development director for Simpson Millar. “Our presence in Second Life is a way of making ourselves even more accessible and approachable.” http://www.abajournal.com/weekly/law_firm_plans_real_life_practice_at_virtual_second_life_office
NEW COMMISSION WILL ADVISE NEXT PRESIDENT ON CYBERSECURITY (FCW, 30 Oct 2007) - The House Homeland Security Committee and the Center for Strategic and International Studies unveiled today a new cybersecurity commission that will provide recommendations on how to improve the state of public- and private-sector networks to the next president. Reps. Jim Langevin (D-R.I.) and Mike McCaul (R-Texas), chairman and ranking member of the committee’s Emerging Threats, Cybersecurity, and Science and Technology Subcommittee, respectively, will be co-chairmen of the commission. Scott Charney, vice president of Microsoft’s Trustworthy Computing Group, and retired Navy Adm. Bobby Inman, a professor at the University of Texas at Austin who holds the Lyndon B. Johnson Centennial Chair in national policy, will be co-chairmen representing industry. CSIS is the commission’s sponsor and asked Langevin and McCaul to be co-chairmen. “We recognized from several hearings and investigative work the staff has done and other meetings that we have had that there are some real cybersecurity concerns in the government and in the private sector,” he said. “We need to be far better protected and prepared and understand the scope of the problem to establish a blueprint for how to better protect ourselves in the future. We thought no better time than now.” The commission will hold five meetings in the next year to identify recommendations for the next administration, Langevin said. It will have about 35 members, including former federal officials, private-sector experts, and representatives from industry and government, such as Mike Assante, infrastructure protection manager at the Idaho National Laboratory. “I expect the recommendations to be very specific things as well as big-picture issues to provide a blueprint to secure our networks,” Langevin said. “We will make recommendations about when things can be left to the private sector and what incentives may be needed. We also will make recommendations as to when the government should step in through legislation or regulation and require the private sector to make needed cybersecurity upgrades.” http://www.fcw.com/online/news/150647-1.html
ARE E-MAIL MESSAGES PROTECTED BY THE FOURTH AMENDMENT? (ABA’s CIPerati e-newsletter, 29 Oct 2007) - New technology inevitably throws a wrinkle into the legal industry. The advent of electronic written communication is revolutionizing several areas of the law. The ease of quick and efficient interaction with others that is inherent with electronic mail has caused the amount of potential evidence in legal matters to skyrocket. As a result, access to these potential treasure troves during Government investigations has become an important issue. It is common knowledge that the Fourth Amendment provides protection against certain searches and seizures. What protections, however, apply to electronic mail? [Editor: continues with a useful summary of the emerging law here.] http://www.abanet.org/buslaw/committees/CL320010pub/newsletter/0016/
E-MAIL TO LAWYER NOT PRIVILEGED BECAUSE OF EMPLOYER POLICY (ABA Journal, 30 Oct 2007) - A New York judge has ruled that a hospital’s e-mail policy means messages sent by a physician to his lawyers are not protected by attorney-client privilege. The policy at Beth Israel Medical Center specified that employees had no personal property right in their messages and the hospital had the right to read and disclose e-mails, the New York Law Journal reports in a story reprinted by New York Lawyer. Judge Charles Ramos of Manhattan ruled the e-mail sent from a hospital computer could be disclosed in a lawsuit by physician W. Norman Scott that claims he was fired in violation of his contract. Scott is represented by Paul Weiss Rifkind Wharton & Garrison. The law firm had argued its e-mail confidentiality notice protected the e-mail. But Ramos said the disclaimer “cannot create a right to confidentiality out of whole cloth.” http://www.abajournal.com/weekly/e_mail_to_lawyer_not_privileged_because_of_employer_policy
E-DISCOVERY REQUESTS: KNOW YOUR LIMITS (New York Law Journal, 31 Oct 2007) - Electronic discovery, even more so than traditional paper discovery, offers the opportunity to burden unduly an opposing party with overbroad discovery requests, and three recent New York State court decisions have addressed over-reaching document requests seeking electronically stored information (ESI). Responding to far-reaching requests for the production of e-mails and metadata, as well as electronic information contained on, among other things, hard drives, computer servers, backup tapes, voice mail and personal digital assistants (PDAs) can be very burdensome and extremely costly to the producing party. Thus, as electronic discovery is becoming more prevalent in New York state practice, courts are taking note of these issues and are recognizing that certain situations do not justify the sometimes over-reaching requests that seek to obtain ESI, especially when requested from nonparties. See e.g., L-3 Communications Corp. v. Kelly, Joyner v. Planned Parenthood Federation, and In the Matter of the Application of John Maura Jr. In L-3 Communications, the court found that plaintiff was seeking “unfettered access” to confidential and proprietary information of two nonparty competitors of plaintiff, as well as access to one of the defendant’s personal computers. Specifically, plaintiff sought “all documents and e-mail messages contained on [defendant’s] personal computer, as well as all passwords and access codes in order to impound, clone, and inspect such computer.” This broad request was rejected by the court because the plaintiff “failed to provide the court with a compelling reason for such broad relief” and plaintiff had “not established its entitlement to the broad disclosure of documents and e-mails stored on, as well as the broad access to, [defendant’s] personal computer that it seeks.” http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1193735030065&rss=newswire
E.U. SEEKS DATA ON AMERICAN PASSENGERS (Washington Post, 4 Nov 2007) - American travelers’ personal data would for the first time be exported to all European Union states by airline carriers flying to Europe under a proposal to be announced this week. The data, including names, telephone numbers, credit card information and travel itinerary, would be sent to E.U. member states so they could assess passenger risk for counterterrorism purposes, according to a draft copy obtained by The Washington Post. The European Commission proposal would allow the data to be kept for 13 years or longer if used in criminal investigations and intelligence operations. It would cover all passengers flying into and out of Europe, not just Americans. Airlines already share data with U.S. authorities on passengers entering the United States. A handful of countries, including Canada and Australia, have similar laws. The European proposal was apparently modeled after an agreement signed in July between the United States and Europe dealing with passenger data from European flights entering and leaving the United States. Under the proposal by Franco Frattini, European commissioner for freedom, security and justice, airlines or computerized reservation systems would send at least 19 pieces of data on each passenger to data-analysis units set up by each state. The data fields also would include e-mail addresses, names of accompanying passengers and open ones for such special requests as meals or medical service. Under the proposal, no personal data that could reveal race, ethnicity, political opinions, religion, trade union membership or health or sex-life information could be transmitted. Any such data that was shared would have to be deleted immediately by the data-analyzing units, the proposal says. http://www.washingtonpost.com/wp-dyn/content/article/2007/11/03/AR2007110300956.html
CIVIL DISCOURSE, MEET THE INTERNET (New York Times, 4 Nov 2007) - As The New York Times transforms itself into a multimedia news and information platform — the printed newspaper plus a robust nytimes.com offering breaking news, blogs, interactive graphics, video and more — it is struggling with a vexing problem. How does the august Times, which has long stood for dignified authority, come to terms with the fractious, democratic culture of the Internet, where readers expect to participate but sometimes do so in coarse, bullying and misinformed ways? The answer so far is cautiously, carefully and with uneven success. The issue is timely because last week, with very little notice, The Times took baby steps toward letting readers comment on its Web site about news articles and editorials, something scores of other newspapers have long permitted. On Tuesday, readers were invited to comment on a single article in Science Times and on the paper’s top editorial, using a link that accompanied each. Few did because there was no promotion of the change, but as the week went on and more articles were opened to comment, participation picked up. The paper is creating a comment desk, starting with the hiring of four part-time staffers, to screen all reader submissions before posting them, an investment unheard of in today’s depressed newspaper business environment. The Times has always allowed reader comments on the many blogs it publishes, with those responses screened by the newsroom staff. That experience suggests what the paper is letting itself in for. “I didn’t know how big it would become, and I didn’t know how tough it would be to manage,” said Jim Roberts, editor of the Web site. A particularly hot topic on a blog can generate more than 500 comments — 500, that is, that meet guidelines requiring that a comment be coherent, on point, not obscene or abusive, and not a personal attack. Though editors have mixed feelings about it, The Times has so far bowed to Web custom by allowing readers to use screen names, as long as they don’t claim to be Thomas Paine, Condi Rice or a famous porn star. From Arthur Sulzberger Jr., the publisher, on down, executives and editors of The Times use similar language to describe their goal: they want the newspaper’s Web site to nurture a healthy, “civil discourse” on the topics of the day. “We have two great assets,” said Jonathan Landman, the deputy managing editor who is in charge of the newsroom’s online efforts. “One is the quality of the material we produce; the other is the quality of our readers, some of the most curious, intelligent and sophisticated people on earth.” Putting the knowledge of readers together with the journalism of The Times, he said, could result in “news and information of greater power, reach and quality than even a great newsroom can produce on its own.” http://www.nytimes.com/2007/11/04/opinion/04pubed.html?ex=1351828800&en=2bb85b6db4c66f7d&ei=5090&partner=rssuserland&emc=rss
A CHALLENGE TO THE RECORDING INDUSTRY? (InsideHigherEd, 5 Nov 2007) - The way things currently stand, a motion filed in federal district court in Oregon last week could force a legal reevaluation of the recording industry’s strategy of rooting out students who illegally share copyrighted material using peer-to-peer networks. Or, it might not. The outcome hinges on which of the Oregon attorney general’s arguments, if any, will persuade the court that subpoenas served on behalf of 12 recording companies circumvent established legal procedure. On September 17, the companies issued subpoenas to 17 “Does” — who were identified only by their IP addresses — via the University of Oregon, where they are all students. Such subpoenas are commonly sent to universities, which can match the addresses to the Internet accounts assigned to individual students. Instead of complying with the subpoenas, as many colleges do, the university decided to challenge them, arguing that they were too broadly written, violate students’ privacy and ignore the Digital Millennium Copyright Act, which in 1998 set out specific procedures that content providers could use to challenge online piracy. Acting for the university, the state’s attorney general filed a motion on October 31 to quash the subpoenas, setting out on uncharted territory that has legal and industry observers watching closely. The motion represents one of the few challenges to the recording industry’s current practice of sending “pre-litigation” letters to students, offering a choice between a discounted settlement or going to court. Since students’ identities aren’t known to the companies themselves, colleges are placed in the reluctant role of de facto enforcers: Some pass the letters on to their students, but some don’t. Theoretically, the process would reach the subpoena stage only if a student chose to refuse a settlement deal or if the college decided not to pass the letter on in the first place. http://insidehighered.com/news/2007/11/05/quash
NOW ON GOOGLE EARTH: MAP WHERE CONGRESS SPENDS YOUR TAX DOLLARS (CNET, 6 Nov 2007) - Politicians are famous (infamous, some would say) for setting aside billions of federal taxpayer dollars each year to bankroll pet projects in their home districts. Now it’s possible to map precisely where at least some of those funds may be headed. The Sunlight Foundation on Tuesday released a downloadable Google Earth layer that plots what it says are some 1,500 earmarks attached to a proposed U.S. House of Representatives defense spending bill. The Washington-based group describes its mission as promoting political transparency through use of Internet technologies. Once activated, each project shows up on the layer in the form of a yellow push pin. Click it, and you’ll be taken to a Web site called EarmarkWatch.org, which keeps a database of who’s responsible for the handout, how much is being proposed, and for what purpose. This bill, not surprisingly, seems to be heavy on military tech-related projects. (We’re talking things with names like “ubiquitous RFID chem/bio detection,” “semi-autonomous robotic manipulation and sensing,” and “remote explosive analysis and detection system.”) Also unsurprising is that many of the points appear to be clustered around districts represented by influential politicians (for example, western Pennsylvania, home to Rep. John Murtha, the 37-year Marine Corps veteran and Pennsylvania Democrat who’s chairman of the House Defense Appropriations Committee). The bill’s still wending its way through Congress, so the spending plans aren’t quite final yet. According to the group Citizens Against Government Waste, which also tracks so-called pork barrel spending, the proposed bill contained nearly $8 billion worth of earmarks as of late May. http://www.news.com/8301-10784_3-9812197-7.html?part=rss&subj=news&tag=2547-1_3-0-5
WHITE HOUSE OFFICIALS ASK FOR $154 MILLION IN NEW CYBERSECURITY SPENDING (FCW, 6 Nov 2007) - White House officials today asked Congress for more than $436 million in new cybersecurity and counterterrorism programs in the Homeland Security and Justice departments’ fiscal 2008 spending bills. “These amendments are necessary to enhance Federal civilian agency cybersecurity and strengthen defenses to combat terrorism,” President George Bush wrote in a letter to House speaker Nancy Pelosi (D-Calif.). “This is an area that has been severely lacking the administration’s attention,” said Joy Fox, spokeswoman for Rep. Jim Langevin (D-R.I.), chairman of the Homeland Security Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology. “Chairman Langevin is encouraged to see any action from the administration that addresses concerns he has repeatedly raised through hearings and through announcement of the cybersecurity commission.” It has been rumored that White House officials may announce a new cybersecurity initiative, but it is unclear whether this is it or just a piece of it. In the request, the administration asked for $115 million to enhance DHS’ ability to deploy the Einstein program through the U.S. Computer Emergency Readiness Team. Einstein monitors about 13 participating agencies’ network gateways for traffic patterns that indicate the presence of computer worms or other unwanted traffic. By collecting traffic information summaries at agency gateways, Einstein gives US-CERT analysts and participating agencies a big-picture view of bad activity on federal networks. http://www.fcw.com/online/news/150721-1.html?type=pf
VISA’S SECURITY BEST PRACTICES TO BECOME PAYMENT INDUSTRY STANDARD (Computer World, 8 Nov 2007) - The PCI Security Standards Council, the body managing the Payment Card Industry data security initiative, on Wednesday announced that it will anoint a set of best practices developed by Visa Inc. as the new security standard for third-party application software in the payment industry. The new standard is called the Payment Application Data Security Standard (PA-DSS) and is based on Visa’s Payment Application Best Practices (PABP). Over the next few months, the PCI Security Standards Council, together with participating organizations, security auditors, and vulnerability scanning vendors, will offer comments and suggestions relating to the PA-DSS. The security council will then incorporate this feedback and publish a final version of the application security standards in the first quarter of 2008, said Bob Russo, general manager of the security standards council. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9046000&source=NLT_AM&nlid=1
ACTIVIST BLOCKS PURGES OF PERRY E-MAILS (Houston Chronicle, 11 Nov 2007) - After learning that Gov. Rick Perry has his staff destroy e-mail records after seven days, a political activist decided this week to do what he can to stop the practice. John Washburn, a Milwaukee-based software consultant, programmed his computer to automatically send out two requests a week for all government e-mail generated by Perry staffers. Under state law, records aren’t supposed to be destroyed once somebody has asked for them. “I’ve kind of put a stick in the spokes of the wheel,” he said. “The whole point of public records is to make those ongoing transactions and government policy decisions more transparent to the public. If they’re gone, by definition, that’s about as opaque as it gets,” he told the Fort Worth Star-Telegram. Perry spokeswoman Krista Moody told The Associated Press on Saturday that Perry didn’t initiate the e-mail policy, which was also in place under former Gov. George W. Bush. “We continued the policy when Gov. Perry took office,” she said. On Friday, Moody said the governor’s office will comply with Washburn’s request, which prompted officials to deactivate the automatic destruction of the records. http://www.chron.com/disp/story.mpl/politics/5291860.html
OLPC GIVE ONE GET ONE (OLPC, 12 Nov 2007) - Between November 12 and November 26, OLPC is offering a Give One Get One program in the United States and Canada. This is the first time the revolutionary XO laptop has been made available to the general public. For a donation of $399, one XO laptop will be sent to empower a child in a developing nation and one will be sent to the child in your life in recognition of your contribution. $200 of your donation is tax-deductible (your $399 donation minus the fair market value of the XO laptop you will be receiving). For all U.S. donors who participate in the Give One Get One program, T-Mobile is offering one year of complimentary HotSpot access. http://www.laptopgiving.org/en/give-one-get-one.php
SENSITIVE GUANTÁNAMO BAY MANUAL LEAKED THROUGH WIKI SITE (Wired, 14 Nov 2007) - A never-before-seen military manual detailing the day-to-day operations of the U.S. military’s Guantánamo Bay detention facility has been leaked to the web, affording a rare inside glimpse into the institution where the United States has imprisoned hundreds of suspected terrorists since 2002. The 238-page document, “Camp Delta Standard Operating Procedures,” is dated March 28, 2003. It is unclassified, but designated “For Official Use Only.” It hit the web last Wednesday on Wikileaks.org. The disclosure highlights the internet’s usefulness to whistle-blowers in anonymously propagating documents the government and others would rather conceal. The Pentagon has been resisting - since October 2003 - a Freedom of Information Act request from the American Civil Liberties Union seeking the very same document. Anonymous open-government activists created Wikileaks in January, hoping to turn it into a clearinghouse for such disclosures. The site uses a Wikipedia-like system to enlist the public in authenticating and analyzing the documents it publishes. The Camp Delta document includes schematics of the camp, detailed checklists of what “comfort items” such as extra toilet paper can be given to detainees as rewards, six pages of instructions on how to process new detainees, instructions on how to psychologically manipulate prisoners, and rules for dealing with hunger strikes. http://www.wired.com/politics/onlinerights/news/2007/11/gitmo
**** RECOMMENDED PODCASTS ****
Editor: I yearn for a simple, URL-like way to point people to podcasts, and a reliable compendium of good, high-value podcasts for lawyers interested in MIRLN-like information. So, I’m launching this MIRLN segment on recommended podcasts, with these two entries: 1. The Stanford podcast “The Future of the Internet”; iTunesU; professor Ramesh Johari; 2. Another Stanford series (from 2006, and so a bit out of date) - Stanford Program in Law, Science & Technology; iTunes. In the absence of easier ways to point to podcasts, you’ll have to use the Power Search capabilities in iTunes (in the right column). Please send along your own recommendations - podcasts which you recommend to your peers - and I’ll include them in future MIRLN issues, along with your name.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuire Wood’s Technology & Business Articles of Note, http://tinyurl.com/ywsusp.
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com.
10. Readers’ submissions, and the editor’s discoveries.
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.