Saturday, December 29, 2007

MIRLN - Misc. IT Related Legal News [9-29 December 2007; v10.17]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.abanet.org/dch/committee.cfm?com=CL320000 (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley (vpolley@REMOVETHISSTRINGvip-law.com) with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at www.vip-law.com and blogged at http://mirln.blogspot.com/.

**************End of Introductory Note***************

**** ABA CYBERSPACE MEETING ****
The Cyberspace Law Committee will hold its Winter Working Meeting in a real winter venue this time: Minneapolis, 25-26 January 2008. Come and bask with old and new friends in the Twin Cities for the most concentrated and productive cyberlaw discussions anywhere. Information at http://www.abanet.org/buslaw/committees/CL320000pub/meetings.shtml

TECH SMART TEEN MEANS PERJURY RAP FOR COP (ABC News, 7 Dec 2007) - A teen suspect’s snap decision to secretly record his interrogation with an MP3 player has resulted in a perjury case against a veteran detective and a plea deal for the teen. Unaware of the recording, Detective Christopher Perino insisted under oath at a trial in April that suspect Erik Crespo wasn’t questioned about a shooting in the Bronx. But the defense confronted the detective with a transcript it said proved he had spent more than an hour unsuccessfully trying to persuade Crespo to confess. Perino was arraigned today on 12 counts of first-degree perjury and freed on bail. http://abcnews.go.com/TheLaw/wireStory?id=3968795

BLOG NAMES YEAR’S TOP 10 (MAKE THAT 11) LEGAL ETHICS STORIES (ABA Journal, 10 Dec 2007) - The blog Legal Ethics Forum picked its top 10 ethics stories of the year, then made it the top 11 ethics stories at the suggestion of a reader. (The addition is No. 11 below.) The top stories named by the blog:
1. The case against former Durham County, N.C., District Attorney Michael Nifong, who was disbarred after admitting there was no credible evidence that three former Duke lacrosse players had committed rape.
2. Judges and lawyers in Pakistan who protested after President Pervez Musharraf suspended the country’s constitution and removed numerous appellate judges from office.
3. Maj. Michael Mori’s aggressive representation of Guantanamo detainee David Hicks, which may have hurt the lawyer’s military career.
4. Former Milberg Weiss lawyer William Lerach’s guilty plea, which acknowledges he paid kickbacks to lead plaintiffs.
5. The resignation of Pentagon official Cully Stimson after he tried to shame law firms into stopping pro bono representation of Guantanamo detainees.
6. The sanctions case against Qualcomm for failing to produce more than 200,000 electronic documents in a patent infringement suit against rival chip-maker Broadcom.
7. New York’s adoption of many of the ABA model ethics rules and the state’s attempt to adopt new rules clamping down on lawyer advertising.
8. Law firms whose “guild behaviors continued to give way to market behaviors.” These include Howrey, which is abandoning lockstep compensation, and McDermott, Will & Emery, which is creating a second tier of associates.
9. Dueling ethics opinions by the ABA and the Colorado Bar Association on the propriety of collaborative law.
10. The dismissal of an indictment against 13 former employees of KPMG in a tax shelter case because the government pressured the accounting firm not to pay defense costs.
http://www.abajournal.com/weekly/blog_names_years_top_10_make_that_11_legal_ethics_stories

LEGAL WEB SITES SHAKE UP CONDO MARKET (Law.com, 10 Dec 2007) - South Florida lawyers are increasingly tapping into the cyber world to capture a share of the growing business of helping buyers recover deposits from pre-construction and condo conversion projects. Web sites such as recovermydeposit.com and depositrecoveryservices.com are popping up across the Web. The lawyer-run sites inform buyers of their rights under Florida law and possible remedies and offer them help. But to be able to offer this service, lawyers said, they have had to relearn specific state and federal laws that were little used in the past. Attorneys are digging deep but barely finding case law to shed light on possible remedies for their clients, Miami Beach real estate attorney Aaron Resnick said. Resnick launched recovermydeposit.com last month in response to the poor information on the subject, he said. “This is so new,” said Resnick, who left Gunster Yoakley & Stewart in 2005 to start his own firm. “People don’t know where to go for help. I saw a lot of people asking family members and friends for advice and referrals.” http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1197021873156&rss=newswire

FERC SEEKS INDUSTRY CYBER-SECURITY PLANS (Washington Post, 10 Dec 2007) - Federal energy regulators said Monday they have asked the White House to approve a rule that requires the electric industry to submit detailed reports about its progress in addressing potential cyber-security vulnerabilities. In its order asking the Office of Management and Budget to approve the new requirement, the Federal Energy Regulatory Commission cited the ability of government scientists earlier this year to hack into a simulated power-plant control system and cause an electric generator to destroy itself. ‘The commission intends to immediately issue a directive that requires all generator owners, generator operators, transmission owners and transmission operators that are registered by the North American Electric Reliability Corp. and located in the United States to provide to NERC certain information related to actions they have taken or intend to take to protect against’ similar cyber vulnerabilities, according to the notice. The commission will require NERC, which oversees North America’s electricity grid, to make the information available for review, and expects about 1,150 responses at a total cost of more than $1.2 million to the industry. The power grid, generating plants and refineries face increasing threats from hackers who could cause major disruptions and economic chaos in the U.S., according to congressional investigators. The Government Accountability Office in October said control systems at those critical facilities ‘are more vulnerable (today) to cyberattacks than in the past.’ Greg Garcia, assistant secretary for cybersecurity at the Department of Homeland Security, told lawmakers his agency was working with others on standards and guidance to protect critical control systems, but that it was the Federal Energy Regulatory Commission’s responsibility to get more stringent standards to industry. http://money.cnn.com/news/newsfeeds/articles/newstex/AFX-0013-21569682.htm

RIAA: THOSE CD RIPS OF YOURS ARE STILL “UNAUTHORIZED” (ArsTechnica, 11 Dec 2007) - Those MP3 and AAC files that you’ve ripped from your CD collection are still “unauthorized copies” in the eyes of the recording industry. In a brief filed late last week, the RIAA said that the MP3 files on a PC owned by a file-sharing defendant who had admitted to ripping them himself were “unauthorized copies.” Atlantic v. Howell is a bit unusual because the defendants, husband and wife Jeffrey and Pamela Howell, are defending themselves against the recording industry’s lawsuit without the benefit of a lawyer. They were sued by the RIAA in August 2006 after an investigator from SafeNet discovered evidence of file-sharing over the KaZaA network. The Howells have denied any copyright infringement on their part. In their response to the RIAA’s lawsuit, they said that the MP3 files on their PC are and “always have been” for private use. “The files in question are for transfer to portable devices, that is legal for ‘fair use,’” reads their response. After several years of litigation and nearly 30,000 lawsuits, making a copy of a CD you bought for your own personal usage is still a concept that the recording industry is apparently uncomfortable with. During the Jammie Thomas trial this fall, the head of litigation from Sony BMG testified that she believed that ripping your own CDs is stealing. http://arstechnica.com/news.ars/post/20071211-riaa-those-cd-rips-of-yours-are-still-unauthorized.html

CHAT BOTS LATEST RUSSIAN MALWARE THREAT (CNET, 12 Dec 2007) - A program that can mimic online flirtation and then extract personal information from its unsuspecting conversation partners is making the rounds in Russian chat forums, according to security software firm PC Tools. The artificial intelligence of CyberLover’s automated chats is good enough that victims have a tough time distinguishing the “bot” from a real potential suitor, PC Tools said. The software can work quickly too, establishing up to 10 relationships in 30 minutes, the company revealed. It compiles a report on every person it meets complete with name, contact information, and photographs. Among CyberLover’s creepy features is its ability to offer a range of different profiles from “romantic lover” to “sexual predator”. It can also lead victims to a “personal” Web site, which could be used to deliver malware, PC Tools said. Although the program is currently targeting Russian Web sites, PC Tools is urging people in chat rooms and social networks elsewhere to be on the alert for such attacks. Their recommendations amount to just good sense in general, such as avoiding giving out personal information and using an alias when chatting online. The software company believes that CyberLover’s creators plan to make it available worldwide in February. Robot chatters are just one type of social-engineering attack that uses trickery rather than a software flaw to access victims’ valuable information. Such attacks have been on the rise and are predicted to continue to grow. http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62035388-39000005c

SYMANTEC, ADOBE SUE LAW FIRM OVER SOFTWARE COPYING CLAIM (SiliconValley.com, 12 Dec 2007) - Symantec has sued Philadelphia law firm Fox Rothschild for allegedly copying its Norton anti-virus products without a license. Cupertino-based Symantec was joined in the suit by software makers Adobe Systems, Corel and Sonic Solutions. They accuse the law firm of copying 19 software products over the past six years. The suit was filed Dec. 5 in San Francisco federal court. San Jose-based Adobe claims its Acrobat product was infringed by the firm. Ottawa, Canada-based Corel and Novato-based Sonic also claim their products were infringed. Fox Rothschild has yet to comment on the suit. http://www.siliconvalley.com/news/ci_7698986

JUDGE: MAN CAN’T BE FORCED TO DIVULGE ENCRYPTION PASSPHRASE (Wired, 14 Dec 2007) - A federal judge in Vermont has ruled that prosecutors can’t force a criminal defendant accused of having illegal images on his hard drive to divulge his PGP (Pretty Good Privacy) passphrase. U.S. Magistrate Judge Jerome Niedermeier ruled that a man charged with transporting child pornography on his laptop across the Canadian border has a Fifth Amendment right not to turn over the passphrase to prosecutors. The Fifth Amendment protects the right to avoid self-incrimination. Niedermeier tossed out a grand jury’s subpoena that directed Sebastien Boucher to provide “any passwords” used with his Alienware laptop. “Compelling Boucher to enter the password forces him to produce evidence that could be used to incriminate him,” the judge wrote in an order dated November 29 that went unnoticed until this week. “Producing the password, as if it were a key to a locked container, forces Boucher to produce the contents of his laptop.” Especially if this ruling is appealed, U.S. v. Boucher could become a landmark case. The question of whether a criminal defendant can be legally compelled to cough up his encryption passphrase remains an unsettled one, with law review articles for the last decade arguing the merits of either approach. (A U.S. Justice Department attorney wrote an article in 1996, for instance, titled “Compelled Production of Plaintext and Keys.”) This debate has been one of analogy and metaphor. Prosecutors tend to view PGP passphrases as akin to someone possessing a key to a safe filled with incriminating documents. That person can, in general, be legally compelled to hand over the key. Other examples include the U.S. Supreme Court saying that defendants can be forced to provide fingerprints, blood samples, or voice recordings. Orin Kerr, a former Justice Department prosecutor who’s now a law professor at George Washington University, shares this view. Kerr acknowledges that it’s a tough call, but says, “I tend to think Judge Niedermeier was wrong given the specific facts of this case.” http://www.news.com/8301-13578_3-9834495-38.html?tag=recentPosts Ruling at http://www.volokh.com/files/Boucher.pdf More at http://www.news.com/8300-13578_3-38-0.html?categoryId=9750513 See also “Commanding Decryption and the Privilege Against Self-Incrimination” (Bert-Jaap Koops, 2000) at http://arno.uvt.nl/show.cgi?fid=5724

FOUNDATION TESTING POTENTIAL OF PHILANTHROPY VIA INTERNET (New York Times, 13 Dec 2007) - The Case Foundation is embarking on an effort to test the potential of citizen-led philanthropy via the Internet. Starting at 3 p.m. on Thursday, readers of Parade magazine and members of the Causes section of the Facebook Web site can enter a contest to win a total of $500,000 and $250,000, for their favorite charities, provided by Case. The prizes will go to the charities and causes that attract the greatest numbers of unique donors, rather than the one that raises the most money. “Philanthropy shouldn’t be defined as a bunch of rich people writing big checks,” said Jean Case, who founded the Case Foundation with her husband, Steve, founder of America Online. “Small amounts of money given by large numbers of individuals can be combined to do great things.” Randy Siegel, publisher of Parade, said he saw the program as “a wonderful way to give our 70 million readers a firsthand look at how the Internet and technology have revolutionized charitable giving.” The contest is one of a string of efforts by Case to determine what role online technologies can have in the charity field. The amounts raised through new technologies and online networks have been modest. The top “cause” listed on Causes, support for breast cancer research, has attracted 2.8 million members, raising an average of 2 cents a member, or a total of $52,240, for Brigham and Women’s Hospital. Proponents say the Internet has been useful in attracting people to sign petitions and attend rallies and demonstrations, if not in generating big donations. “The tools and technologies are still evolving, and we’re still trying to figure out how it works,” said Beth Kanter, an expert on nonprofits and technology. http://www.nytimes.com/2007/12/13/us/13foundation.html?ex=1355202000&en=4e79cf13264a4f7f&ei=5090&partner=rssuserland&emc=rss

THE TOP 10 DATA BREACHES OF 2007 (CSO Online, 14 Dec 2007) - If there’s only one thing you’ll remember from 2007, it will be Britney Spears’ meltdown. But if there are two things you remember, it will be Britney and the thousands of data breaches that were reported in 2007, right? Right? Well, it’s what we’ll remember, and since we don’t necessarily do celeb gossip (unless you’ve got a good security angle…) we decided to offer up a review of the best and worst of Disclosure ‘07. Each breach gets rated on our nifty, unscientific “Class-Action Outrage Scale,” judging the likelihood that ambulance-chasing lawyers could have a field day. Look out Monster.com: We estimate nine of 10 lawyers are outraged on behalf of your 1.3 million victims. Our “D’oh! Factor” (thank you, Homer Simpson) reflects just how egregious and goofy the breach was. Take a look at how Swedish Urology Group earned itself five out of five Homers. Ick. Some breaches on our list are serious. Some are funny. And some are just plain sad. But all of them were probably preventable. http://www2.csoonline.com/exclusives/column.html?CID=33366

INSURER GETS RECORD FINE FOR ID THEFT DISASTER (Computer World, 17 Dec 2007) - A U.K. insurance house has been slapped with a record fine by the Financial Services Authority (FSA) watchdog for incompetent customer account security. The latest offender is Norwich Union, which allowed fraudsters to impersonate customers when phoning its call centers, cashing in policies on an astonishing 74 occasions out of a total of 632 recorded attempts. The social engineers - 11 suspects have now been arrested - were able to steal a total of $6.6 million during the scam, which took place in 2006. The FSA has hit the company with a $2.5 million fine, a record for the U.K., and even larger than that levied on The Nationwide Building Society earlier this year for losing a laptop full of unspecified customer data in August 2006. The Norwich Union only avoided an even larger fine of $3.6 million by promptly settling the charges with the industry regulator, and agreeing to tighten up its procedures. One of the most serious charges was that the company failed to react to the pattern of fraud, allegedly initially only informing customers who had been or were current directors of the company. In other words, the company realized fraud was happening but was unable to put in place extra security to stop further occurrences of fraud from happening. “Norwich Union Life let down its customers by not taking reasonable steps to keep their personal and financial information safe and secure,” said the FSA’s Margaret Cole. “It is vital that firms have robust systems and controls in place to make sure that customers’ details do not fall into the wrong hands. Firms must also frequently review their controls to tackle the growing threat of identity theft.” “This fine is a clear message that the FSA takes information security seriously and requires that firms do so too,” she added. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9053298&source=NLT_PM&nlid=8

BELGIUM ADOPTS RULES ALLOWING ELECTRONIC EMPLOYMENT CONTRACTS (Bird & Bird, 17 Dec 2007) - Belgium has adopted new rules permitting the conclusion of employment contracts electronically, provided secure electronic signature and archiving systems are used. This highlights both the growing comfort with digital contracting and the increased role that trusted third parties, providing electronic signature systems and archiving, play in this expanding digital environment. One of the objectives of the E-commerce Directive 2003/31/EC was to remove obstacles to the use of electronic contracts. Member States were to amend their legislation to remove any requirements which were likely to curb the use of contracts by electronic means or which would deprive electronic contracts of legal effectiveness and validity. The Directive provided four explicit exceptions to this principle where Member States may provide that contracts cannot be entered into by electronic means. These exceptions covered contracts related to real estate (except for rental rights), contracts requiring the involvement of courts or public authorities, certain contracts of suretyship and collateral securities, and contracts governed by family law or the law of succession. The four exceptions listed by the Directive were incorporated into Belgian law by Article 17 of the E-commerce Act of 11 March 2003. Employment contracts were not included in the list of exceptions but the Directive provides that the contractual relationship between employees and employers is not an information society service and is therefore outside the scope of the Directive. Legal writers have therefore regarded employment contracts as an implicit exception. The E-commerce Act remains silent on employment contracts. On 3 June 2007, a new Article 3bis was inserted into the Employment Contracts Act of 3 July 1978. The new Article provides that an employment contract which is signed by means of the electronic signature created by the Belgian electronic identity card (eID), or by any other electronic signature which meets the same security standards as the eID signature, has the same force as a signed hardcopy contract. A further Royal Decree will establish the security standards for the creation of electronic signatures (other than the eID). Providers of electronic signature systems will be able to register with the Crossroads Bank for Social Security, which will draw up a list of accepted systems. This list will be approved by the Minister of Employment Affairs and published on the website of the Crossroads Bank for Social Security. The new law explicitly provides that neither the employer nor the employee can be forced to conclude an employment contract electronically. This reiterates the principle in the Electronic Signatures Act of 9 July 2001 which stipulates that, unless provided otherwise by law, no person can be obliged to commit a legal act by electronic means. http://www.twobirds.com/english/publications/articles/Belgium_rules_electronic_employment_contracts.cfm

CUTTING OUT PRIVACY IN THE OFFICE (Law.com, 19 Dec 2007) - Private communications at work may be a thing of the past, even if the communications are personal matters conveyed via a personal e-mail account. Kelly Talcott examines recent court decisions that weighed whether an employee has a reasonable expectation of privacy regarding electronic communications. Story at: http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1198010085253&rss=newswire

MORE TEENS MOVE THEIR SOCIAL LIVES ONLINE (SiliconValley.com, 19 Dec 2007) - The Internet is becoming ever more central to the social life of America’s teenagers, especially girls, with greater numbers communicating with friends and creating content on sites like Facebook, MySpace and YouTube, a new survey shows. And when not online, they are gabbing more on cellphones and exchanging text messages. Pew’s “Teens and Social Media” study, released Wednesday, showed a marked increase in Internet use between 2004 and 2006. The findings may already be considered a year out of date - a very long time considering the rapid acceleration of Web culture. All considered, Pew’s findings should comfort Silicon Valley’s bustling Web enterprises that are relying on the medium as a source of revenue, through advertising and sales. “The use of social media - from blogging to online social networking to creation of all kinds of digital material - is central to many teenagers’ lives,” Pew declared. The report may add to the worry of parents who think their teens may be spending too much time socializing via the Web. Among the more striking trends:
• Nearly two-thirds of teens - 63 percent - have a cell phone. Among teens with cell phones, 55 percent say they use them to talk with friends every day.
• More girls than boys said they wrote blogs and kept up with friends via MySpace and Facebook, sites that came into existence only a few years ago. This conformed to one of Pew’s findings: “Girls continue to lead the charge as the teen blogosphere grows.” Pew found that 35 percent of all online teen girls blog, compared with 20 percent of online teen boys. “Virtually all of the growth in teen blogging between 2004 and 2006 is due to the increased activity of girls,” the study found. “Older teen girls are still far more likely to blog when compared with older boys, but younger girl bloggers have grown at such a fast clip that they are now outpacing even the older boys.” The survey found that 32 percent of girls ages 12 to 14 blog, compared to 18 percent of boys age 15 to 17.
• But YouTube and other video sharing sites tend to be the domain of boys. Online teen boys are “twice as likely” as girls to post video files online, by a 19 percent to 10 percent margin. “Not even older girls - a highly-wired and active segment of the teen population - can compete with boys in this instance; 21 percent of older boys post videos, while just 10 percent of older girls do so,” Pew said.
http://www.siliconvalley.com/news/ci_7761620 Pew Study here: http://www.bayareanewsgroup.com/multimedia/mn/biz/pipteens.pdf

CLINTON-OBAMA FEUD MOVES TO DOMAIN NAMES (Wired, 20 Dec 2007) - It’s come to this: a Democratic primary race so close and heated that a fierce battle of rhetoric has begun playing out in domain-name registrations. Hillary Clinton’s campaign quietly registered VotingPresent.com and VotingPresent.org in early December. Though no websites have gone up on the domains (which were first reported by ABC News), it’s a fair bet the sites won’t be promoting election-themed Christmas gifts: “Voting present” refers to a parliamentary maneuver in the Illinois Legislature that allows a lawmaker to abstain from voting on a particular measure. The obscure procedural move became national election news Thursday, when The New York Times ran a front-page story reporting that Clinton rival and former Illinois state senator Barack Obama voted “present” nearly 130 times in his eight years in the post, sometimes on key issues like abortion. The Times story marks the zenith of a rhetorical arc Clinton launched Dec. 3, when she first slammed Obama’s non-votes in a speech in Iowa. We now know her campaign registered and squirreled away the domain names the next day - a move that signals candidates’ growing use of highly focused microsites to buff their own images and to throw mud at opponents, from a safe distance. “When you go to VotingPresent.com, you’d be immersed in the information, but you’re also distanced from HillaryClinton.com,” said Peter Leyden, director of the New Politics Institute. “It’s where you’re going to see things go.” Obama’s campaign started the trend when he responded to Clinton attacks on his voting record by launching a “Hillary Attacks” website. And candidate John Edwards briefly ran a sarcastic “Plants for Hillary” website, referring to a Clinton staffer’s planting of a question for the candidate at a local Iowa forum. The site has since been dismantled. http://www.wired.com/politics/law/news/2007/12/clinton_domains

CHINA COURT REJECTS YAHOO CHINA’S ‘DEEP LINKING’ APPEAL (Billboard.biz, 20 Dec 2007) - The Beijing No. 2 Intermediate People’s Court on Dec. 20 rejected an appeal by Yahoo China against an April ruling that found it guilty of copyright violation due to its practice of providing “deep links” to Web sites offering unauthorized content such as mp3 downloads, lyrics and ringtones. “The ruling against Yahoo China is extremely significant in clarifying copyright rules for Internet music services in China,” said IFPI chairman/CEO John Kennedy in a statement. “By confirming that Yahoo China’s service violates copyright under new Chinese laws, the court has effectively set the standard for Internet companies throughout the country.” http://www.billboard.biz/bbbiz/content_display/industry/e3i3ed206b8d3c0733b23120a461b4581f2

LEGAL BLOG PICKS TOP ODD-BUT-TRUE STORIES (ABA Journal, 20 Dec 2007) - A legal blog called Blogonaut—with the tagline “We don’t make this stuff up—really”—has listed its top stories of the year. The posts tend to be wacky rather than weighty. Here’s a sampling of some of the headlines:
—Brawling TN Lawyer Entangled in Hilarious McDonald’s Dustup—But Fast Food Imbroglio is ‘Tip of the Iceberg’ for Court Room Pugilist
—Slain Attorney’s First Wife Also Tried to Shoot Him
—Lawyer’s Defense to Meth Charge—‘I Did it for My Dog’—Wins Acquittal
Blogonaut readers are being invited to vote for the top story or to nominate their own. In early voting, a post about controversial Las Vegas Judge Elizabeth Halverson was garnering some support. More on Halverson in the ABA Journal’s “You’re NOT the Boss of Me,” August 2007. http://www.abajournal.com/weekly/legal_blog_picks_top_odd_but_true_stories Top-10 at http://blogonaut-blogonaut.blogspot.com/2007/12/blogonauts-top-posts-for-2007.html

10-RATED LAWYER WINS DISMISSAL OF SUIT AGAINST LAWYER-RANKING WEBSITE (ABA Journal, 20 Dec 2007) - A federal judge in Seattle has dismissed a lawsuit against a website that rates lawyers, saying the posted opinions are protected by the First Amendment. This site is called Avvo after avvocato, the Italian word for lawyer. It permits lawyers who want to improve their ratings to add information and allows consumers to post critiques. Two Seattle lawyers had contended in their suit that the website engaged in unfair and deceptive practices by falsely claiming to be objective, reliable and factual, the Seattle Times reports. One of the lawyers, John Henry Browne, also claimed damage to his reputation when the site rated him only a 5.7 out of 10. The plaintiffs had contended the ratings were easily manipulated and seriously flawed, asserting that one lawyer in prison for conspiracy got a higher rating than Justices Ruth Bader Ginsburg and Samuel A. Alito Jr., the Seattle Post-Intelligencer reports. But U.S. District Judge Robert Lasnik agreed with Avvo that opinions expressed in attorney ratings “are absolutely protected by the First Amendment and cannot serve as the basis for liability under state law.” Avvo was represented by lawyer Bruce E.H. Johnson of Davis Wright Tremaine, who has a rating of 10 out of 10 on the Avvo site. “To the extent that [the plaintiffs’] lawsuit has focused a spotlight on how ludicrous the rating of attorneys (and judges) has become, more power to them,” the opinion said (PDF posted by the Seattle Post-Intelligencer). “To the extent that they seek to prevent the dissemination of opinions regarding attorneys and judges, however, the First Amendment precludes their cause of action.” http://www.abajournal.com/weekly/10_rated_lawyer_wins_dismissal_of_suit_against_lawyer_ranking_website

FTC ISSUES ONLINE AD PRIVACY GUIDELINES (Business Week, 20 Dec 2007) - On the same day they cleared Google Inc.’s purchase of online advertiser DoubleClick, federal regulators said industry needs to be more transparent about how consumers’ Web-surfing habits are tracked. The Federal Trade Commission on Thursday proposed guidelines by which advertisers would voluntarily fess up to Web surfers about whether their online behaviors are monitored and used to personalize ads. Privacy experts said the guidelines could be helpful, but only if industry enforces them. Consumers are largely in the dark about companies tracking them through these ads, the agency said, adding that companies should give people a realistic choice in whether they want to be tracked or not. “You shouldn’t have to be a computer geek to protect your privacy,” said Peter Swire, an Ohio State University law professor and senior fellow at the Center for American Progress, a liberal think tank. http://www.businessweek.com/ap/financialnews/D8TLCGVO2.htm FTC release at http://ftc.gov/opa/2007/12/principles.shtm

COURTS PONDER THE SCOPE OF JURISDICTION IN INTERNET DEFAMATION CASES (Steptoe & Johnson’s E-Commerce Law Week, 20 Dec 2007) - In two recent cases involving online defamation, federal courts reached different conclusions about when purportedly libelous statements posted to a website may support personal jurisdiction. In McVea v. Crisp, a federal court in Texas found that it could assert jurisdiction over James Crisp, a non-resident defendant who had posted an allegedly defamatory statement to a message board dedicated to amateur discussion of Texas history. Since Texas was the “focus” of the website’s content and McVea had indicated in a prior posting that she lived in Texas and had also had a “prior working relationship” with Crisp, the court found it likely that Crisp “knew the brunt of the injury, if any, would be felt in Texas.” On the other hand, in Oxford Round Table, Inc. v. Mahone, a federal court in Kentucky found no jurisdiction over Sloan Mahone, a resident of England who called the business operations of plaintiff Oxford Round Table (ORT) “a fraud and misrepresentation” in postings to the Chronicle of Higher Education’s website, emails to an individual at Oxford University in England, and an email to an ORT seminar participant in Illinois. Noting that none of Mahone’s allegedly libelous statements directly affected Kentucky or took place within the state, the court found that Mahone did not “purposefully avail” herself of the forum. http://www.steptoe.com/publications-5053.html

THE DEEMED EXPORT RULE IN THE ERA OF GLOBALIZATION (US DoC, 20 Dec 2007) - Secretary of Commerce Carlos M. Gutierrez today welcomed the final report of the Deemed Export Advisory Committee, a distinguished group of Americans commissioned by the Secretary in September 2006 to examine the complex issue of deemed exports. Deemed exports are the transfer of sensitive dual-use technology to foreign nationals working or studying in the United States. “I appreciate the Committee’s efforts to address how to effectively protect U.S. national security interests and preserve U.S. leadership in scientific and commercial technology innovation,” said Secretary Gutierrez. “We intend to carefully review the Committee’s findings as we move forward to strike the right balance of protecting national security while continuing to attract the world’s best and brightest.” Advisory Committee Chairman Norman Augustine, retired Chairman & CEO of Lockheed Martin Corporation, delivered the report, entitled The Deemed Export Rule in the Era of Globalization. The Secretary has asked the Bureau of Industry and Security (BIS), the Commerce agency with jurisdiction over global dual-use policy, to review the Committee’s recommendations. The full text of the report can be found at: http://tac.bis.doc.gov/2007/deacreport.pdf http://www.commerce.gov/NewsRoom/PressReleases_FactSheets/PROD01_004964

MICROSOFT OKS OPEN-SOURCE LICENSE (MercuryNews.com, 21 Dec 2007) - Microsoft, whose software powers about 95 percent of the world’s personal computers, reached an agreement on licensing terms that will allow open-source products to connect to the Windows operating system. Microsoft will license proprietary information on how Windows shares files and printers with the non-profit Protocol Freedom Information Foundation, which will make the data available to open-source developers working on a file and printing system called Samba. The agreement will “allow Samba to create, use and distribute implementations of all the protocols” to allow so-called workgroup servers to connect with Windows, Redmond, Wash.-based Microsoft said in a statement Thursday. The accord furthers Microsoft’s bid to resolve legal disputes worldwide that have been weighing on its shares. The company in October gave in to European Union demands to license the protocol data. In the past, Microsoft refused to license its technology to open-source software makers. Programs such as the free operating system Linux and the Samba system are distributed under terms requiring access to the source code, or underlying operating instructions. Samba said in a statement that the agreement involves a one-time fee of 10,000 euros ($14,350). The protocol data will be held “in confidence” by Samba. The agreement allows source code to be published “without further restrictions,” Samba said. http://www.mercurynews.com/business/ci_7776956?nclick_check=1

NCAA TO BLOGGERS: DON’T POST TOO OFTEN (CNET, 21 Dec 2007) - The NCAA this week announced a formal program limiting how often bloggers with media credentials can update their blog while attending championship college events. The sports governing body set blogging limits for each sport. For example, those at football games can update their blogs three times per quarter and once at halftime. For basketball, bloggers can post five times per half, once at halftime and twice per overtime period. The policy even sets rules for water polo (three per quarter, once at halftime), bowling (10 blog posts per session) and fencing (10 per session). The move is already garnering the predicted outrage. It reminds me of the music industry trying to hold on desperately to old business models in a fundamentally new era. This isn’t the first time the NCAA has butted heads with the blogosphere. In June, a sportswriter from the Louisville, Ky. Courier-Journal was ejected from a college baseball game for, you guessed it, blogging. Indeed, I’m sure there are folks at the NCAA that see its latest efforts as a reasoned compromise, but I think it just shows how out of touch they are. http://www.news.com/beyond-binary/8301-13860_3-9837182-56.html?tag=nefd.top NCAA rules at http://www2.ncaa.org/portal/media_and_events/press_room/media_kit/credentials/2008_blogging_policy.pdf

IN TRADE RULING, ANTIGUA WINS A RIGHT TO PIRACY (New York Times, 22 Dec 2007) - In an unusual ruling on Friday at the World Trade Organization, the Caribbean nation of Antigua won the right to violate copyright protections on goods like films and music from the United States — an award worth up to $21 million — as part of a dispute between the countries over online gambling. The award follows a W.T.O. ruling that Washington had wrongly blocked online gambling operators on the island from the American market at the same time it allowed online wagering on horse racing. Antigua and Barbuda had claimed damages of $3.44 billion a year. That makes the relatively small amount awarded Friday, $21 million, something of a setback for Antigua, which had been struggling to preserve its gambling industry. The United States argued that its behavior had caused $500,000 damage. Yet the ruling is significant in that it grants a rare form of compensation: the right of one country, in this case Antigua, to violate intellectual property laws of another — the United States — by allowing it to distribute copies of American music, movie and software products. http://www.nytimes.com/2007/12/22/business/worldbusiness/22gambling.html?_r=1&ref=business&oref=slogin

FBI PREPARES VAST DATABASE OF BIOMETRICS (Washington Post, 22 Dec 2007) - The FBI is embarking on a $1 billion effort to build the world’s largest computer database of peoples’ physical characteristics, a project that would give the government unprecedented abilities to identify individuals in the United States and abroad. Digital images of faces, fingerprints and palm patterns are already flowing into FBI systems in a climate-controlled, secure basement here. Next month, the FBI intends to award a 10-year contract that would significantly expand the amount and kinds of biometric information it receives. And in the coming years, law enforcement authorities around the world will be able to rely on iris patterns, face-shape data, scars and perhaps even the unique ways people walk and talk, to solve crimes and identify criminals and terrorists. The FBI will also retain, upon request by employers, the fingerprints of employees who have undergone criminal background checks so the employers can be notified if employees have brushes with the law. http://www.washingtonpost.com/wp-dyn/content/article/2007/12/21/AR2007122102544_pf.html

LABOR BOARD RESTRICTS UNION USE OF E-MAIL (New York Times, 23 Dec 2007) - The National Labor Relations Board has ruled that employers have the right to prohibit workers from using the company’s e-mail system to send out union-related messages, a decision that could hamper communications between labor unions and their membership. In a 3-to-2 ruling released on Friday, the board held that it was legal for employers to prohibit union-related e-mail so long as employers had a policy barring employees from sending e-mail for “non-job-related solicitations” for outside organizations. The ruling is a significant setback to the nation’s labor unions, which argued that e-mail systems have become a modern-day gathering place where employees should be able to communicate freely with co-workers to discuss work-related matters of mutual concern. The ruling involved The Register-Guard, a newspaper in Eugene, Ore., and e-mail messages sent in 2000 by Suzi Prozanski, a newspaper employee who was president of the Newspaper Guild’s unit there. She sent three e-mail messages about marching in a town parade and urging employees to wear green to show support for the union in contract negotiations. “An employer has a ‘basic property right’ to regulate and restrict employee use of company property,” the board’s majority wrote. “The respondent’s communications system, including its e-mail system, is the respondent’s property.” The board overturned several decisions it had made in ruling that an employer does not illegally discriminate against pro-union speech if it lets employees use e-mail for personal communications but bars them from using e-mail for solicitations for outside organizations. 
Adopting the reasoning of the United States Court of Appeals for the Seventh Circuit, involving two cases concerning the use of employer bulletin boards, the labor board distinguished between personal non-work-related postings like for-sale notices and wedding announcements, on the one hand, and group or organizational postings like union materials on the other. In its new ruling, the board’s majority wrote that employers can allow workers to use e-mail for personal communications while barring them from organizational-related communications. The majority redefined the meaning of discrimination and wrote that the Seventh Circuit’s approach “better reflects the principle that discrimination means the unequal treatment of equals.” Adopting another new policy, the board appeared to allow employers to bar e-mail for certain organizational activities, like promoting a union or Avon products, but not organizational activities related to charities. The dissenters said the majority’s decision, in allowing employers to bar solicitation with regard to some activities and not others, “would allow employees to solicit on behalf of virtually anything except a union.” http://www.nytimes.com/2007/12/23/us/23labor.html?ex=1356066000&en=27bcf28aa626f3f7&ei=5090&partner=rssuserland&emc=rss

NIST RELEASES FINAL DRAFT OF FISMA GUIDANCE (GCN, 27 Dec 2007) - The National Institute of Standards and Technology has released the final public draft of a framework that will assist agencies in creating the security assessments mandated by the Federal Information Security Management Act (FISMA). Copies of Draft Special Publication 800-53A, “Guide for Assessing the Security Controls in Federal Information Systems,” can be downloaded from the NIST site. NIST expects to publish the final edition in March. SP 800-53A is an addendum to NIST SP 800-53, “Recommended Security Controls for Federal Information Systems.” This addendum establishes a framework for assessing security controls. Both publications are extensions of Federal Information Processing Standard 200, the core document NIST produced to help agencies with FISMA. This draft incorporates comments from the previous public drafts. Changes include updated assessment procedures, clarification of some chapters and a new set of assessment cases. The agency is seeking comments until January 31, 2008. http://www.gcn.com/online/vol1_no1/45593-1.html?topic=security&CMP=OTC-RSS NIST draft at http://csrc.nist.gov/publications/drafts/800-53A/draft-SP800-53A-fpd-sz.pdf

**** RESOURCES ****

THE IT LAW WIKI (launched December 2007) -- This wiki is an encyclopedia of the legal issues, cases, statutes, events, people, organizations and publications that make up the global field of information technology law (often referred to as “computer law”). To learn more about this wiki, click on the "About this Wiki" link. To find an article, simply type the name in the "Search The IT Law Wiki" box in the upper right hand corner of [the referenced] page, click the "Content (A-Z)" button to the right or click the "Random page" button above or to the right. To write a new The IT Law Wiki article, enter the page title in the box. http://itlaw.wikia.com/wiki/The_IT_Law_Wiki [Editor: see also the EFF’s similar wiki: http://ilt.eff.org/index.php/Table_of_Contents]

THE DIGITAL ECONOMY FACT BOOK (Progress & Freedom Foundation, 14 Dec 2007) - The digital revolution has changed the way we make goods and provide services, transforming virtually every industry and creating whole new categories of products and businesses—all at breathtaking speed. Simply keeping track of what is happening, let alone comprehending it, often seems an overwhelming task. The Ninth Edition of The Digital Economy Fact Book provides a factual basis from which analysis of the digital economy can begin. In seven key sections, it presents the best available information on: • The Growth of the Internet • The Hardware Sector • The Communications Sector • Digital Media • Electronic Commerce • Threats to the Digital Economy • The Worldwide Digital Economy http://www.pff.org/issues-pubs/books/factbook_2007.pdf

SECURITY BREACH NOTIFICATION LAWS: VIEWS FROM CHIEF SECURITY OFFICERS (UC Berkeley, Dec 2007) - This pilot study complements work by Professors Deirdre K. Mulligan and Kenneth A. Bamberger of UC-Berkeley Law, who are studying the factors that contribute to decision-making by chief privacy officers. It was supervised by Chris Jay Hoofnagle of the Samuelson Law, Technology & Public Policy Clinic. It is part of a comprehensive research initiative regarding Chief Security Officers now underway at the Samuelson Clinic led by Aaron J. Burstein and Professor Mulligan. This study surveys the literature on changes in the information security world and significantly expands upon it with qualitative data from seven in-depth discussions with information security officers. These interviews focused on the most important factors driving security investment at their organizations and how security breach notification laws fit into that list. Often missing from the debate is that, regardless of the risk of identity theft and alleged consumer apathy towards notices, the simple fact of having to publicly notify causes organizations to implement stronger security standards that protect personal information. The interviews showed that security breaches drive information exchange among security professionals, causing them to engage in discussions about information security issues that may arise at their and others’ organizations. For example, we found that some CSOs summarize news reports from breaches at other organizations and circulate them to staff with “lessons learned” from each incident. In some cases, organizations have a “that could have been us” moment, and patch systems with similar vulnerabilities to the entity that had a breach. 
Breach notification laws have significantly contributed to heightened awareness of the importance of information security throughout all levels of a business organization and to development of a level of cooperation among different departments within an organization that resulted from the need to monitor data access for the purposes of detecting, investigating, and reporting breaches. CSOs reported that breach notification duties empowered them to implement new access controls, auditing measures, and encryption. Aside from the organization’s own efforts at complying with notification laws, reports of breaches at other organizations help information officers maintain that sense of awareness. Though security breach notification laws rarely top the list of security professionals’ priorities, organizations keenly understand that reputational harm may result from a breach. http://www.law.berkeley.edu/clinics/samuelson/cso_study.pdf EPIC writes: “The findings of the report are that breach notification laws raise awareness of the importance of information security; facilitate better cooperation among departments within organizations; and that as a result companies are requiring better security practices of their own suppliers or contractors. The study recommends the establishment of uniform standards for: public notice of security breaches; notification to a centralized organization in addition to customers; clarification and broadening technology safe harbor provisions; create a safe harbor period for notifications; and collection of more information on the type of notification trigger language that should be used. The Federal government has failed to enact legislation related to breach notification.”

TRESPASS, NUISANCE, AND SPAM: 11TH CENTURY COMMON LAW MEETS THE INTERNET (Communications of the ACM, 2007; by Robert J. Aalberts, Percy Poon, and Paul Thistle) - The English common law legal system has succeeded and thrived for over 900 years due to its functional and adaptive nature. This article will explore how the common law’s old but still practicable doctrines are being applied to problems on the Internet and where it will likely evolve. In particular, we will examine the viability of two common law actions— trespass to chattels and nuisance. http://www.brendablake.ca/arleigh/spamandcommonlaw.html

**** RECOMMENDED PODCASTS ****
TECH NATION INTERVIEW WITH JEFF TOOBIN (17 Oct 2007) - Dr. Moira Gunn speaks with Jeffrey Toobin about the Supreme Court Justices and how tech-savvy they are... or aren’t, as the case might be. http://itc.conversationsnetwork.org/shows/detail3393.html Please send along your own recommendations and I’ll include them in future MIRLN issues.

**** ART? ****
BIC PENS IN EBAY - CUSTOMERS’ REVIEWS - This is excellent - read ALL of the reviews. I’d guess that this is a collective, coordinated effort. It rises, I think, to art. http://www.amazon.co.uk/Bic-Crystal-ballpoint-medium-point/dp/customer-reviews/B000JTOYLS/ref=cm_cr_dp_all_recent/202-7085760-3565410?ie=UTF8&customer-reviews.sort%5Fby=-SubmissionDate&coliid=&showViewpoints=1&customer-reviews.start=1&colid=#customerReviews

Happy New Year!

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuire Wood’s Technology & Business Articles of Note, http://tinyurl.com/ywsusp
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.

Saturday, December 08, 2007

MIRLN - Misc. IT Related Legal News [18 November - 8 December 2007; v10.16]

GERMANY ENACTS DATA RETENTION LAW (Steptoe & Johnson’s E-Commerce Law Week, 21 Nov 2007) - On November 9, the German Bundestag approved a law implementing the EU Data Retention Directive (2006/24/EC) that will require that communication providers in Germany retain connection data for at least six months, beginning January 1, 2009. Telecommunications providers are required to retain data relating to the date, time, sender, recipient, and duration of communications - but not their content. VoIP providers will also be required to store the IP addresses of all parties to a communication. Mobile providers must also retain the location of the phone at the time of the call. If a provider does not itself generate or process connection data, it must make sure that the data is retained by another provider, and identify that entity upon request. Internet Service Providers must retain a subscriber’s IP address and user ID, along with the date, time and length of the subscriber’s connection. Email providers must store email addresses of all senders and addressees, the IP addresses of senders and sending communication systems, and the header of each email. The law also puts in place several other controversial measures, including a prohibition on the use of fictitious online identities. Although retention is not mandatory until January 1, 2009, communications providers may begin retaining data on January 1, 2008. http://www.steptoe.com/publications-4999.html

USERS DECRY FACEBOOK TRACKING (SiliconValley.com, 22 Nov 2007) - Some users of the online hangout Facebook are complaining that its 2-week-old marketing program is publicizing their purchases for friends to see. Those users say they never noticed a small box that appears on a corner of their Web browsers following transactions at Fandango, Overstock and other online retailers. The box alerts users that information is about to be shared with Facebook unless they click on “No Thanks.” It disappears after about 20 seconds, after which consent is assumed. Users are given a second notice the next time they log on to Facebook, but they can easily miss it if they quickly click away to visit a friend’s page or check e-mail. “People should be given much more of a notice, much more of an alert,” said Matthew Helfgott, 20, a college student who discovered his girlfriend just bought him black leather gloves from Overstock for Hanukkah. “She said she had no idea (information would be shared). She said it invaded her privacy.” http://www.siliconvalley.com/news/ci_7531593?nclick_check=1 and http://www.siliconvalley.com/news/ci_7578056 and http://www.nytimes.com/2007/11/30/technology/30face.html?_r=1&oref=slogin and (finally, on 5 December) … ZUCKERBERG APOLOGIZES, ALLOWS FACEBOOK USERS TO EVADE BEACON (New York Times, 5 Dec 2007) - Mark Zuckerberg has produced a symphony of contrition in a blog post today about Facebook’s Beacon feature, which initially sent information on users’ Web purchases to their friends unless they specifically blocked the disclosure of each purchase. He explained the most controversial aspect of the system — the fact that it was opt-out, not opt-in — as an attempt to make it easy. “At first we tried to make it very lightweight so people wouldn’t have to touch it for it to work.” He acknowledged that this was a mistake. Last week, Facebook changed Beacon to make it an opt-in system on a per-site basis. 
And today, it allowed users to turn it off entirely, something that even last week it said it wouldn’t do. http://bits.blogs.nytimes.com/2007/12/05/zuckerberg-apologizes-allows-facebook-users-to-evade-beacon/index.html?ex=1354510800&en=f59bf5e5785a1d3d&ei=5089&partner=rssyahoo&emc=rss Facebook’s description of “Beacon”: http://www.facebook.com/business/?beacon

DATA LEAK IN BRITAIN AFFECTS 25 MILLION (New York Times, 22 Nov 2007) - The British government struggled Wednesday to explain its loss of computer disks containing detailed personal information on 25 million Britons, including an unknown number of bank account identifiers, in what analysts described as potentially the most significant privacy breach of the digital era. It has defended its decision not to disclose the loss until Tuesday, 10 days after it had been informed, saying banks had asked for time to put heightened security measures in place first. The data went astray in October, after two computer disks that contained information on families that receive government financial benefits for children were sent out from a government tax agency unregistered, via a private delivery service. The episode is one of three this year in which the agency improperly handled its vast archive of personal data, according to an account by the chancellor of the Exchequer — including the sending of a second set of disks when the first set did not arrive. In sheer numbers, the breach was smaller than several in the United States over the last few years. But the disks lost in Britain contained detailed personal information on 40 percent of the population: in addition to the bank account numbers, there were names, addresses and national insurance numbers, the British equivalent of Social Security numbers. They also held data on almost every child under 16. “This particular breach would dwarf anything we’ve seen in the United States in terms of percentage of the population impacted,” said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, a nonprofit consumer advocacy group based in California. Bank officials said they had scrutinized their records back to Oct. 18, when the disks were mailed, but had discerned no unusual account activity, and the government pledged that no individuals would be responsible for any losses related to the security breach. British families are eligible for a weekly payment of $36.30 for their first child, and $25 per additional child. Those who choose to have the money deposited directly into bank accounts must provide this information to the government. The disks were protected by a password, the government said, but were not encrypted. They were sent by Her Majesty’s Revenue and Customs, the country’s tax collection agency, to the National Audit Office, which monitors government spending, via a parcel delivery company, TNT. http://www.nytimes.com/2007/11/22/world/europe/22data.html?ex=1353387600&en=e29f00c028b12e6b&ei=5090&partner=rssuserland&emc=rss Gartner estimates associated costs at $500 million: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9048998&source=NLT_AM&nlid=1

- and -

2007 IDENTITY THEFT RESOURCE CENTER BREACH LIST (BeSpacific, 24 Nov 2007) - “...the Identity Theft Resource Center (ITRC) has been tracking security breaches for the past three years, looking for patterns, new trends and any information that may help us better protect data and assist companies in their activities...In 2006, there were in excess of 315 publicized breaches affecting nearly 20 million individuals. Based on ITRC’s categorization, the breaches break down as follows: 29% government/military agencies; 28% from educational institutions; 22% from general businesses; 13% from health care facilities / companies; and 8% from banking / credit / financial services entities. In 2005, there were 158 incidents affecting more than 64.8 million people.” http://www.bespacific.com/mt/archives/016624.html ; list is at http://idtheftmostwanted.org/ITRC%20Breach%20Report%202007.pdf

-- and --

EUROPEAN COMMISSION PLANS SECURITY BREACH NOTIFICATION LAW (Out-law.com, 5 Dec 2007) - The European Commission wants laws to be passed across Europe that would force telecoms companies to tell customers when personal data security has been breached. Security breach laws are common in the US but are still controversial. Even in the wake of the loss of 25 million UK residents’ personal details last month the Information Commissioner’s Office (ICO) cautioned that a poorly-drafted general security breach notification law would be counter-productive because a large number of notifications could make citizens complacent. The Commission has published a proposal to amend the Privacy and Electronic Communications Directive, which is designed to ensure that EU citizens’ privacy is not violated in telecoms networks. A major proposal is that telecoms companies would be subject to a security breach notification law which would force them to tell customers when a privacy breach had occurred. http://www.out-law.com/page-8741

MPAA UNIVERSITY ‘TOOLKIT’ RAISES PRIVACY CONCERNS (Washington Post, 23 Nov 2007) - The Motion Picture Association of America is urging some of the nation’s largest universities to deploy custom software designed to pinpoint students who may be using the schools’ networks to illegally download pirated movies. A closer look at the MPAA’s software, however, raises some serious privacy and security concerns for both the entertainment industry and the schools that choose to deploy the technology. On Oct. 24, MPAA sent a letter to the presidents of 25 universities that the association has identified as top locations for the downloading of pirated movies over online file-sharing networks. In the letter, the group said it “has developed the University Toolkit, an application which can produce a report that is strictly internal and therefore confidential to illustrate the level of file sharing on [your school’s] network. In addition, we will send a hard copy in the near future to your university’s Chief Information Officer.” Security Fix downloaded the University Toolkit and studied it, with the help of David Taylor, a senior information security specialist with the University of Pennsylvania in Philadelphia. (Taylor’s school was not among those that received the letter.) What we found was that depending on how a university’s network is set up, installing and using the MPAA tool in its default configuration could expose to the entire Internet all of the traffic flowing across the school’s network. http://blog.washingtonpost.com/securityfix/2007/11/mpaa_university_toolkit_opens_1.html?nav=rss_blog and http://techdirt.com/articles/20071126/031729.shtml

- and, in a twist -

MPAA CAUGHT INFRINGING COPYRIGHT (Bit-Tech.net, 4 Dec 2007) - The MPAA will act in seconds when you violate its copyright but won’t act at all when it violates your copyright. Last month, the MPAA began sending out a “university toolkit” to several universities across the US. These toolkits monitor network traffic and create graphs and charts showing the prevalence of file sharing across the school networks. The whole aim was to bring more attention to copyright infringement happening in these networks but the toolkit itself is chock full of irony - it’s violating the GPL agreement. The toolkits were built upon open source software that is licensed under the GPL. As we all know, when you use any GPL’d code in your software and distribute it, you’re required to provide the modified code to all. Well, that’s the part that the MPAA apparently does not understand. After being contacted by Matthew Garrett, one of the coders of the GPL’d software, several times in an attempt to have the source code distributed, Garrett took matters into his own hands. The fine gentleman contacted the MPAA’s ISP and had the content removed from the servers. http://www.bit-tech.net/news/2007/12/04/mpaa_caught_infringing_copyright/1

FRANCE SET TO CUT WEB ACCESS FOR MUSIC, FILM PIRATES (CNET, 23 Nov 2007) - Internet users in France who frequently download music or films illegally risk losing Web access under a new antipiracy system unveiled Friday. The three-way pact among Internet service providers, the government, and owners of film and music rights is a boon to the music industry, which has been calling for such measures to stop illicit downloads eating into its sales. Under the agreement - drawn up by a commission headed by the chief executive of FNAC, one of France’s biggest music and film retailers - service providers will issue warning messages to customers downloading files illegally. If users ignore those messages, their accounts could be suspended or closed altogether. http://www.news.com/2100-1030_3-6219944.html

VISA FINES OHIO BANK IN TJX DATA BREACH (Boston.com, 24 Nov 2007) - Fifth Third Bancorp, the Ohio bank that was fined $880,000 by Visa for its role in the customer data security breach at TJX Cos., the largest ever, also paid fines and compensation totaling $1.4 million following the loss of data from BJ’s Wholesale Club Inc. several years ago, a court filing shows. Fifth Third operates more than 1,150 bank branches in the Midwest and Florida and is one of the nation’s leading processors of transactions for merchants. Banks, retailers, and credit-card firms such as Visa and MasterCard Inc. have locked horns in recent years over the issue of data security. All parties agree that in the wake of major breaches such as TJX’s, in which the data of nearly 100 million customers was compromised through the end of last year, consumer information needs better protection. Visa, the largest payment system, had threatened to levy fines when merchants didn’t meet a Sept. 30 deadline to upgrade their systems to current security standards that spell out requirements like keeping data behind firewalls and using robust encryption systems for their wireless networks. By Visa’s most recent count in October more than a third of the largest US stores didn’t meet the requirements. In the BJ’s case, hackers apparently broke into the Natick company’s database and stole the credit-card information of some of its 8 million customers. The information was then used to make fraudulent purchases. BJ’s settled charges with the Federal Trade Commission in 2005 that it failed to take appropriate security measures. The fines in the cases of TJX Cos. and BJ’s underscore these issues. Technically, Visa and MasterCard can’t fine merchants directly but rather levy penalties on banks the merchants pay to process transactions when customers pay with plastic. 
The arrangement creates tensions because it means card networks aren’t directly responsible for security, said Michael Gavin, a strategist for Security Innovation in Wilmington who audits companies to be sure they comply with the standards. That Fifth Third was previously fined suggests the bank should have known better than to tolerate the issues at TJX, Gavin said. “Fifth Third is definitely guilty of not requiring its merchants” to meet current security standards, he said, “and it has no excuse other than it was willing to accept the risk that any of them might suffer a data breach.” http://www.boston.com/business/globe/articles/2007/11/24/visa_fines_ohio_bank_in_tjx_data_breach/?page=full

-- and --

TJX AGREES TO REIMBURSE BANKS (Boston.com, 1 Dec 2007) - Framingham retailer TJX Cos. agreed to reimburse banks up to $40.9 million as a result of the largest data breach in history, which compromised as many as 100 million credit and debit card accounts before it was discovered at the end of last year. TJX, the parent of discount chains including TJ Maxx and Marshalls, reached a deal with credit card network Visa Inc. to pay some of the costs of reissuing cards and covering fraud losses at banks that issue Visa products, the two companies said yesterday. TJX also said it would help promote new security standards that Visa, MasterCard Inc., and banks have struggled to persuade merchants to accept. In return, the banks would agree not to sue TJX or its partners, and Visa would suspend some fines it levied after the breach, the companies said. The unprecedented terms demonstrate that retailers, banks, and card companies realize they must stop blaming one another for security lapses in an industry that handled $3.5 trillion worth of transactions last year, said Mary Monahan, partner at Javelin Strategy & Research in California. “We have a merchant and a card company saying, let’s end the finger-pointing here,” Monahan said. http://www.boston.com/business/globe/articles/2007/12/01/tjx_agrees_to_reimburse_banks/

US GOVERNMENT RELEASES INFORMATION SHARING PRIVACY PRINCIPLES (EPIC, 25 Nov 2007) - The US government has released its “National Strategy for Information Sharing.” The strategy describes information sharing between state and local governments, the private sector and foreign governments, and includes the administration’s “core privacy principles” for protecting privacy. Privacy guidelines, developed by the Attorney General and Director of National Intelligence, are built on these core principles. Privacy is described as a “core facet” of information sharing efforts. The privacy principles limit information sharing to the broad and undefined “terrorism, homeland security or law enforcement information related to terrorism.” Participation in information sharing is not conditioned on successful implementation of the principles. For implementation, the President directed the creation of the Privacy Guidelines Committee, consisting of the Attorney General, Director of National Intelligence and agency privacy officers. No citizen advocates sit on the committee. The National strategy summarizes some of the completed information sharing tasks. The strategy touts the creation of an “Information Sharing Environment”; significant grant funding to state and local “information fusion centers”; the consolidation of watchlists in a “terrorist screening center”; and the creation of the “Homeland Security Information Network” for two-way information sharing between federal and state and local officials. http://www.whitehouse.gov/nsc/infosharing/index.html EPIC’s page on Fusion Centers: http://www.epic.org/privacy/fusion/

SOFTWARE PIRACY FIGHT MAKES ENEMIES (Washington Post, 25 Nov 2007) - Michael Gaertner worried he could lose his company. A group called the Business Software Alliance had written him to claim that his 10-person architectural firm in Galveston, Texas, was using unlicensed software. The letter demanded $67,000 (most of one year’s profit) or else the BSA would seek more in court. An analysis by The Associated Press reveals that targeting small businesses is a lucrative strategy for the Business Software Alliance, the main global copyright-enforcement watchdog for such companies as Microsoft Corp., Adobe Systems Inc. and Symantec Corp. Of the $13 million that the BSA reaped in software violation settlements with North American companies last year, almost 90 percent came from small businesses, the AP found. The BSA is well within its rights to wring expensive punishments aimed at stopping the willful, blatant software copying that undoubtedly happens in many businesses. And its leaders say they concentrate on small businesses because that’s where illegitimate use of software is rampant. But technology managers and software consultants say the picture has more shades of gray than the BSA acknowledges. Companies of all sizes say they inadvertently run afoul of licensing rules because of problems the software industry itself has created. Unable or unwilling to create technological blocks against copying, the industry has saddled its customers with complex licensing agreements that are hard to master. In that view, the BSA amasses most of its bounties from small businesses because they have fewer technological, organizational and legal resources to avoid a run-in. http://www.washingtonpost.com/wp-dyn/content/article/2007/11/25/AR2007112500791.html and http://techdirt.com/articles/20071126/024312.shtml&upsid=142667804538

UNIVERSITY OF MICHIGAN LIBRARIAN DEFENDS GOOGLE SCANNING DEAL (Ars Technica, 26 Nov 2007) - The University of Michigan’s head librarian, Paul Courant, started a blog this November to talk about large-scale digitization projects. Sounds noncontroversial, right? It was, for all of one post, and then Courant defended his library’s relationship with Google, saying that “the University of Michigan (and the other partner libraries) and Google are changing the world for the better.” Not everyone agrees. Courant’s basic argument is that Google will scan seven million Michigan books in less than six years, and it won’t cost the university a dime. In addition, Michigan retains the books and also gets a complete copy of Google’s scans, including the text that’s spit out by optical character recognition software. Left to its own devices, the university would have no chance of duplicating this feat on its own. It could also partner with other projects like the Open Content Alliance, which won’t display any snippets from copyrighted works unless the publisher opts in to the program. But Courant argues that time is crucial, and Google is the company who can get the most done in the least amount of time. “We have a generation of students who will not find valuable scholarly works unless they can find them electronically,” wrote Courant. “At the rate that OCA is digitizing things (and I say the more the merrier and the faster the better) that generation will be dandling great-grandchildren on its knees before these great collections can be found electronically.” Courant has previously served as an economics professor at the university (and was later Provost), and he says that his economic work on public goods has convinced him just how bad it would be for society if one company ended up with sole control over large swathes of cultural knowledge. 
But he doesn’t believe that Michigan’s partnership with Google Book Search will create such problems. “Google has no such control,” he writes. “After Google scans a book, they return the book to the library (like any other user), and they give us a copy of the digital file. Google is not the only entity controlling access to the collection—the University of Michigan and other partner libraries control access as well. Except we don’t think of it as controlling access so much as providing it.” Siva Vaidhyanathan, a professor at the University of Virginia, is working on a critical book about Google, and he argues that the current book-scanning program is riddled with problems. Public institutions, he argued in a response to Courant, should not be making these sorts of deals with private companies, especially when those companies are as dominant in their fields as Google is. http://arstechnica.com/news.ars/post/20071126-university-of-michigan-librarian-defends-google-scanning-deal.html

FEDS ROUTINELY SEEK CELL PHONE TRACKING DATA (Newsfactor.com, 26 Nov 2007) - Most people are oblivious to the fact that they carry a real-time tracking device with them throughout the day: their cell phone. Now the Washington Post is reporting that federal agents are routinely requesting court orders to compel cell phone companies to release the information to them. In many cases, Post reporter Ellen Nakashima said, the court orders the release of the information without the legal safeguards typically required for a search warrant. But now some courts are taking a closer look at the requests for tracking information. In a brief telephone interview, Justice Department spokesperson Dean Boyd stressed that federal agents are not illicitly obtaining cell phone data. “Federal agents can only obtain data when it’s authorized by a judge,” Boyd said. “It’s the courts that make the determination as to whether the requested data should be released.” Following the publication of the Washington Post article, Boyd issued a lengthy statement defending the actions of federal agents. “Law enforcement has absolutely no interest in tracking the locations of law-abiding citizens,” Boyd said in the statement. “What we’re doing is going through the courts to lawfully obtain data that will help us locate criminal suspects, sometimes in cases where lives are literally hanging in the balance, such as a child abduction case or a serial murderer on the loose.” Under the U.S. Constitution, governmental agents are typically required to show that their warrant request is based on “probable cause” that a crime is taking place, or that the requested information will help produce evidence of a crime. 
But in some instances, federal prosecutors and agents have filed their requests under two federal laws, the Stored Communications Act and the Pen Register Statute, which provide a lower standard than “probable cause.” Under those statutes, a subpoena for electronic information can be granted if there are “reasonable grounds” that the information will lead to data “relevant to an ongoing criminal investigation.” The issue was highlighted recently by the publication of an unusually stern denial of a data request by Magistrate Brian L. Owsley in the Southern District of the U.S. District Court in Texas. Among other things, Magistrate Owsley said that the affidavit submitted by a Drug Enforcement Agent for cell phone tracking data lacked the kind of specific information generally required to establish probable cause. http://news.yahoo.com/s/nf/20071126/tc_nf/56893;_ylt=Aofp9kFeCBVeiU_kpglDgDAE1vAI

WHEN E-MAIL IS OUTSOURCED (InsideHigherEd, 27 Nov 2007) - In 1998, Dartmouth College was considered at the forefront of campus e-mail. Its homegrown system, BlitzMail, continued to reflect the college’s reputation for being ahead of the curve on technology. Dartmouth students still rely on BlitzMail today, downloading their messages with a traditional Windows- or Mac-based client. But nearly 10 years later, even David L. Bucciero, the director of technical services, calls the service “archaic.” It lacks some of the “bells and whistles,” he said, that most students take for granted with the personal Web-based e-mail accounts they take with them to college. Such features might include the ability to view and compose messages in HTML, which allows the customization of fonts and colors, or virtually unlimited storage space. Those inadequacies — combined with occasional downtime — explain why Dartmouth might go back to the drawing board. And in rethinking its e-mail strategy, officials there will confront similar issues as many other colleges and universities in a time of rapid shifts in messaging habits and in the economics of Internet applications. Bucciero and a planned study group will soon consider whether it’s worthwhile to continue maintaining BlitzMail, or whether Dartmouth should consider for e-mail what colleges routinely do for many other basic operational functions: outsource it. In the world of e-mail, outsourcing means two things: Google or Microsoft. Both have been marketing Web-based messaging services to small businesses, nonprofits and other groups, and they’ve focused more intensely on the higher education market over the past year. Besides services that are completely free and interfaces that are familiar to students, they offer a wide array of features, tools that let people collaborate in real time — and of course, the cool factor. 
At Dartmouth, Bucciero and his colleagues will weigh the possibility of taking “BlitzMail to the next level,” switching to another system entirely or enlisting a third party. It’s the last option that would raise the most concerns — about security and privacy, if data were migrated offsite; about accessing messages through clients offline, if they’re readable primarily through the Web; about support services, if the current IT help desk can no longer administer the system; and about the ability to send mass e-mail blasts. Jeff Keltner, Google’s enterprise specialist for collaboration products, said institutions at six of the seven continents use its education services, with several hundred thousand active users logging in at a regular basis from several thousand campuses around the world. The senior product manager for Microsoft’s Live @ edu program, Bruce Gabrielle, said the company has some 450 higher education clients, which ballooned from 300 since the end of June. “A lot of awareness is spreading virally,” he said. While many colleges and universities have yet to make the switch to Google or Microsoft, several (like Dartmouth, Cornell University, the University of Connecticut and Ohio State University) are in the process of exploring their options or issuing requests for proposals. Both companies offer integrated e-mail, chat, calendar and publishing tools without advertisements and without any cost to colleges or universities — no exclusivity required. The standard Google contract is one year, with three one-year auto-renewals; for Microsoft, the typical length is two years. Both preserve universities’ “.edu” e-mail domains while offering the functionality of a typical Gmail or Live address. http://insidehighered.com/news/2007/11/27/email

U.S. WITHDRAWS SUBPOENA SEEKING IDENTITY OF 24,000 AMAZON CUSTOMERS (SiliconValley.com, 27 Nov 2007) - Federal prosecutors have withdrawn a subpoena seeking the identities of thousands of people who bought used books through online retailer Amazon.com Inc., newly unsealed court records show. The withdrawal came after a judge ruled the customers have a First Amendment right to keep their reading habits from the government. “The (subpoena’s) chilling effect on expressive e-commerce would frost keyboards across America,” U.S. Magistrate Judge Stephen Crocker wrote in a June ruling. “Well-founded or not, rumors of an Orwellian federal criminal investigation into the reading habits of Amazon’s customers could frighten countless potential customers into canceling planned online book purchases,” the judge wrote in a ruling he unsealed last week. Seattle-based Amazon said in court documents it hopes Crocker’s decision will make it more difficult for prosecutors to obtain records involving book purchases. Assistant U.S. Attorney John Vaudreuil said Tuesday he doubted the ruling would hamper legitimate investigations. Crocker - who unsealed documents detailing the showdown against prosecutors’ wishes - said he believed prosecutors were seeking the information for a legitimate purpose. But he said First Amendment concerns were justified and outweighed the subpoena’s law enforcement purpose. http://www.siliconvalley.com/news/ci_7571498 and http://www.physorg.com/news115394162.html

8.3 MILLION AMERICANS VICTIMS OF ID THEFT (Washington Post, 27 Nov 2007) - Nearly 4 percent of American adults were victims of identity theft in 2005, but half of them did not incur any out-of-pocket expenses, the U.S. Federal Trade Commission said on Tuesday. An agency survey found identity information was stolen from 8.3 million U.S. adults and most commonly used to access or open accounts for credit cards, bank checking, telephone service, e-mail, and medical insurance. “In more than half of the incidents, victims incurred no out-of-pocket expenses,” the FTC said in a statement. However, 10 percent of the victims reported out-of-pocket expenses of $1,200 or more, it said. The FTC survey also looked at the value of goods or services that thieves obtained using the victims’ personal information. In half of all incidents, thieves obtained items or services worth $500 or less while in 10 percent of cases, thieves got at least $6,000. Some 37 percent of victims reported problems beyond their out-of-pocket expenses, the FTC said. They included being harassed by debt collectors, denied new credit or loans, unable to use existing credit cards, having utilities cut off, or having difficulty obtaining or accessing bank accounts. http://www.washingtonpost.com/wp-dyn/content/article/2007/11/27/AR2007112701657.html and http://www.siliconvalley.com/news/ci_7609284

- and -

THE COST OF DATA LOSS RISES (Information Week, 28 Nov 2007) - Losing customer data cost companies more this year than last. According to a study conducted by the Ponemon Institute, an independent information practices research group, data breaches cost businesses an average of $197 per customer record in 2007, up from $182 in 2006. The average total cost for a data breach in 2007 was $6.3 million, up from $4.8 million in 2006. The study suggests that lost data translates to lost business opportunity. This mainly comes in the form of customer churn and customer acquisition costs, which rose from $98 per record in 2006 to $128 in 2007 - a 30% increase. Other costs include reputation management and customer support costs such as information hotlines and credit monitoring subscription for victims. http://www.informationweek.com/story/showArticle.jhtml?articleID=204204152&cid=RSSfeed_IWK_News Study at http://www.pgp.com/downloads/research_reports/ponemon_reg_direct.html [registration required] [Editor: The 2006 Ponemon study is broadly influential, and I expect this new study to be similar. Here’s a SANS NewsBites 7 December 2007 summary of the Ponemon study: “A survey of nearly 900 IT security professionals conducted by the Ponemon Institute found that many workers do not abide by established security policies, either because they are unaware of the policies or because they find them inconvenient. More than half of respondents admitted to having copied confidential company data onto USB drives although 87 percent said they knew the practice violated company policy. Nearly half of respondents said they share passwords with colleagues; two-thirds said sharing passwords violates policy at their organizations. One-third of respondents said they had sent work documents as attachments; almost half of respondents were unsure whether doing so violated their companies’ policies. 
Sixty percent of respondents said their companies had no formal policy that prohibits installation of personal software on work machines. Almost half said they had downloaded software, including P2P programs, onto company computers.”]

NEW SOFTWARE DETECTS WEB INTERFERENCE (Washington Post, 28 Nov 2007) - Increasingly worried over Internet providers’ behavior, a nonprofit has released software that helps determine whether online glitches are innocent hiccups or evidence of deliberate traffic tampering. The San Francisco-based digital rights group Electronic Frontier Foundation hopes the program, released Wednesday, will help uncover “data discrimination” (efforts by Internet providers to disrupt some uses of their services) in addition to the cases reported separately by EFF, The Associated Press and other sources. “People have all sorts of problems, and they don’t know whether to attribute that to some sort of misconfiguration, or deliberate behavior by the ISP,” said Seth Schoen, a staff technologist with EFF. The new software compares lists of data packets sent and received by two different computers and looks for discrepancies between what one sent and the other actually received. Previously, the process had to be done manually. Schoen compared the software to a spelling checker. “If you really had no idea what you were looking for, this could save dozens of hours,” he said. Increasingly people are contacting the EFF worried that their online activity has been disrupted by their Internet service provider, he said. The goal of the EFF’s program is to “help consumers get more clarity about what the ISPs are doing.” http://www.washingtonpost.com/wp-dyn/content/article/2007/11/28/AR2007112802077.html

ARIZ. JUDGES FAVOR SOME PRIVACY FOR NAMELESS E-MAILS (Arizona Star, 28 Nov 2007) - The state Court of Appeals on Tuesday spelled out new privacy protections for those who use the Internet to send anonymous messages. In the first ruling of its kind in Arizona, the judges said those who believe they have been harmed by anonymous Internet postings or e-mail cannot use Arizona courts to discover the identity of the senders unless they can prove their interests outweigh the privacy of those who originated the messages. The divided court set up a three-step test for judges to use when confronted with lawsuits by individuals or companies that contend someone whose identity they don’t know damaged them. The process includes what Judge Ann Scott Timmer called “a balancing of the parties’ competing interests,” which she said “provides an additional safeguard that comports with Arizona’s broad protection given to free speech and individual privacy.” “This is actually a great ruling for privacy,” said Corynne McSherry, an attorney with the Electronic Frontier Foundation, which lobbies and intervenes in cases involving Internet privacy. The 2-1 ruling requires evidence that the person whose identity is being sought “has been given adequate notice and a reasonable opportunity to respond.” That notice, usually provided through the Internet service provider, gives the person a chance to hire an attorney and fight the request. Potentially more important, the person filing suit has to show a judge there is a real case. http://www.azstarnet.com/dailystar/213731

JUDGES FEEL LEGAL BLOGS’ GLARE (Law.com, 28 Nov 2007) - In May, Dale Ross, chief judge for the Florida circuit court in Broward County for 16 years, stepped down following a year of embarrassing scandals, gaffes and bad behavior by his judges. Although pressure was building for Ross to resign for years, many legal observers say it would not have happened if not for the new Broward courthouse blog, JAA Blog. That blog hammered Ross on a daily basis and reported on such incidents as a judge arrested for smoking pot in a park, another judge making an off-color sexual remark and another judge allegedly taking a loan from a defense lawyer appearing before him. The JAA Blog was started in August 2006 by a group of criminal defense lawyers fed up with the way things were being run in the Broward courthouse. They believed that it operated like a “good ol’ boys network” rather than the second-largest county court in Florida. The blog’s founders include criminal defense attorney Bill Gelin of Tribune Legal Services in Fort Lauderdale and assistant public defenders Brian Reidy and Vivian Gariboldi. “I have strong feelings about what is going on in Broward,” Gelin said. “People are upset about the ways things are being done in the criminal justice system. So we formed a group and then thought, ‘Why not have a blog?’” The Broward blog is one of a handful of legal blogs that have started in South Florida in the past two years that have shone a spotlight on the justice system. Supporters credit the blogs with providing valuable information about the inner workings of the court system, and bringing change. Critics counter that the blogs can be venues for inaccurate information and unsubstantiated personal attacks. “The [JAA] blog absolutely effectuated change,” said Broward County public defender Howard Finkelstein. 
“There is no question in my mind that it had a great deal to do with the toppling of the past judicial administration.” Russell Adler, a partner at Rothstein Rosenfeldt Adler in Fort Lauderdale, noted that “[s]ince a lot of it is posted anonymously, it gives people the ability to fabricate things and state things that are not true. “It’s like being shot by a sniper - you don’t know where the shot is coming from and you don’t know what the motivation is,” Adler said. http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1196181558370&rss=newswire

PRO BONO EFFORTS FOLLOW TARGETS TO THE WEB (New York Times, 28 Nov 2007) - A nonprofit organization founded when “The Pride of the Yankees” meant a movie about Lou Gehrig, rather than the feelings of a departing manager, is taking a more contemporary tack in selecting the media in which its campaigns appear. The idea is to better reflect the changing media-consumption patterns of the audience the council tries to reach with ads that discourage drunken driving, fight childhood obesity, help veterans of the armed forces readjust to civilian life and promote causes like recycling and preventing forest fires. “Just like there has been a revolution in how marketers communicate, the same thing has happened to the Ad Council and how we work,” said Susan M. Gianinno, the vice chairwoman of the council. She is also the president and chief executive of the North American operations of the Publicis Worldwide agency, part of the Publicis Groupe. Not surprisingly, the changes in media choices have put more of the council’s ads online, in forms that include banner ads, sponsored links in search results, so-called buddy icons on AOL and commercials on video-sharing Web sites like YouTube. The council even has its own YouTube channel (youtube.com/adcouncil). “Organizations have recognized the power of the Web to get the message out,” said Steve Grove, head of news and politics for YouTube, which is owned by Google. The leaders of the council “recognized it was important to be online,” he said. One benefit for nonprofit organizations of being on YouTube — apart from the obvious one (it’s free) — is the serendipity factor. “You can stumble on this content without necessarily wanting to find it,” Mr. Grove said. That can help publicize a cause that a YouTube user may not have known about. It may also help people solve problems by giving viewers easily accessible information. 
According to data from the council, the value of the ad space and commercial time donated by the interactive media for its public-service campaigns climbed 176 percent, from $52.3 million in fiscal 2004 (July 1, 2003-June 30, 2004) to $144.4 million in fiscal 2007. “Every one of our 50 current campaigns has an interactive component,” said Peggy Conlon, president and chief executive at the council, based in New York. To encourage that trend, Ms. Conlon and the other leaders of the council have started asking agencies that specialize in interactive advertising to take the lead in creating campaigns, rather than turning first to agencies known for television and print campaigns. For instance, the task of creating a campaign to discourage violence among teenagers — being undertaken on behalf of the Family Violence Prevention Fund and the Robert Wood Johnson Foundation — has been awarded to R/GA in New York, an agency devoted to online work. “We have a great opportunity to do something here that we hope will break new ground,” said Robert Greenberg, chairman, chief executive and chief creative officer of R/GA, part of the Interpublic Group of Companies. The campaign will aim at a generation that “acts very differently from previous generations of young people,” Mr. Greenberg said, particularly in its media choices. “We’d like to look at coming up with an idea based in mobile communications,” he added, because teenagers often say that they would give up their TV sets and computers before their cellphones or other mobile devices. Among the campaigns that reflect the changing media strategies is an effort to encourage high school students not to drop out before graduating, called “Boost up,” which features a Web site (boostup.org); pages on two popular social networking Web sites, Facebook and MySpace; text messaging, allowing cellphone users to send uplifting “boost” notes to friends; a presence on YouTube; and e-mail messages. 
Another campaign is intended to develop financial literacy among people 25 to 34, and it includes a Web site (feedthepig.org), an e-mail newsletter, text messaging and podcasts. http://www.nytimes.com/2007/11/28/business/media/28adco.html?_r=1&ex=1353992400&en=c725a3c3811870fa&ei=5089&partner=rssyahoo&emc=rss&oref=slogin

GOOGLE’S STORAGE PLANS RAISE PLENTY OF CONCERNS (Newsfactor.com, 28 Nov 2007) - In the wake of this week’s buzz about Google’s plans for a new online service for file storage, Internet privacy specialists are raising concerns about the potential vulnerability of such data to government investigations. Such fears have been heightened by a variety of high-profile attempts by federal investigators to retrieve user information from online companies, including Amazon, Yahoo, MSN, and Google itself. The buzz this week seems to have started from a report in yesterday’s Wall Street Journal, saying that Google is developing an integrated service that would allow users to store and organize their own information on Google’s servers. According to the WSJ story, users of the service could store any and all of their files - from business letters to family photos - on Google’s servers, and then access or share those from any computer or mobile device. Although Google has declined to comment on the report, privacy watchdogs as well as competitors in the data storage industry have some concerns. “Whenever information is in the hands of third-parties, it changes the protections available for that information in a qualitative way,” said Lauren Weinstein, an Internet privacy expert and co-founder of the People for Internet Responsibility. “E-mail, for instance, that is in the hands of an ISP typically has less protection than the same e-mail on your home computer.” When consumers store data on devices in their home, Weinstein noted, law enforcement is generally required to obtain a search warrant, which requires presenting sufficient facts to a judge or magistrate to demonstrate probable cause for the issuance of the warrant. But data in the hands of a third party can be disclosed under a variety of other theories, some of them with lower standards of protection. “Remotely stored information might be subject to a national security letter, for instance,” he argued. 
“NSLs are a mechanism to extract information from third parties who have access to information that the government is interested in. Not only can government officials get the information more easily,” he said, but they can also “often get access to data without the knowledge of the target of investigation, which is obviously harder to do with a search warrant.” Weinstein said that a critical feature in making remote storage secure is for the hosting company to encrypt it in such a way that only the owner of the data can get access to it. http://news.yahoo.com/s/nf/20071128/tc_nf/56956;_ylt=AtTL2hup5GCwXkvg79dmHN4E1vAI

NEWS WEB SITES SEEK MORE SEARCH CONTROL (Washington Post, 29 Nov 2007) - Leading news organizations and other publishers have proposed changing the rules that tell search engines what they can and can’t collect when scouring the Web, saying the revisions would give site owners greater control over their content. Google Inc., Yahoo Inc. and other top search companies now voluntarily respect a Web site’s wishes as stated in a document known as “robots.txt,” which a search engine’s indexing software, called a crawler, knows to look for on a site. Under the existing 13-year-old technology, a site can block indexing of individual Web pages, specific directories or the entire site. Some search engines have added their own commands to the rules, but they’re not universally observed. The Automated Content Access Protocol proposal, unveiled Thursday by a consortium of publishers at the global headquarters of The Associated Press, seeks to have those extra commands - and more - apply across the board. With the ACAP commands, sites could try to limit how long search engines retain copies in their indexes, for instance, or tell the crawler not to follow any of the links that appear within a Web page. If accepted by search engines, publishers say they would be willing to make more of their copyright-protected materials available online. But Web surfers also could find sites disappear from search engines more quickly, or find smaller versions of images called thumbnails missing if sites ban such presentations. “Robots.txt was created for a different age,” said Gavin O’Reilly, president of the World Association of Newspapers, one of the organizations behind the proposal. “It works well for search engines but doesn’t work for content creators.” As with the current robots.txt, ACAP’s use would be voluntary, so search engines ultimately would have to agree to recognize the new commands. So far, none of the leading ones have.
Search engines also could ignore the new commands and leave it to courts to resolve any disputes. http://www.washingtonpost.com/wp-dyn/content/article/2007/11/29/AR2007112900735.html

WORLD FACES “CYBER COLD WAR” THREAT (Reuters, 29 Nov 2007) - A “cyber cold war” waged over the world’s computers threatens to become one of the biggest threats to security in the next decade, according to a report published on Thursday. About 120 countries are developing ways to use the Internet as a weapon to target financial markets, government computer systems and utilities, Internet security company McAfee said in an annual report. Intelligence agencies already routinely test other states’ networks looking for weaknesses and their techniques are growing more sophisticated every year, it said. Governments must urgently shore up their defenses against industrial espionage and attacks on infrastructure. The report said China is at the forefront of the cyber war. It said China has been blamed for attacks in the United States, India and Germany. China has repeatedly denied such claims. The report was compiled with input from academics and officials from Britain’s Serious Organised Crime Agency, the U.S. Federal Bureau of Investigation and NATO. Cyber-attacks on private and government Web sites in Estonia in April and May this year were “just the tip of the iceberg,” the report warned. Estonia said thousands of sites were affected in attacks aimed at crippling infrastructure in a country heavily dependent on the Internet. The attacks appeared to have stemmed initially from Russia although the Kremlin denied any wrongdoing. “The complexity and coordination seen was new,” the report quoted an unnamed NATO source as saying. “There were a series of attacks with careful timing using different techniques and specific targets.” EU Information Society commissioner Viviane Reding said in June that what happened in Estonia was a wake-up call. NATO said “urgent work” was needed to improve defenses. The McAfee report predicted that future attacks would be even more sophisticated. 
“Attacks have progressed from initial curiosity probes to well-funded and well-organised operations for political, military, economic and technical espionage,” it said. http://news.yahoo.com/s/nm/20071129/wr_nm/britain_internet_dc_3;_ylt=AumJKqj6VT4xq9eWlwmndToE1vAI Report at www.mcafee.com/us/research/criminology_report/default.html

-- and --

SHELL, ROLLS ROYCE REPORTEDLY HACKED BY CHINESE SPIES (InfoWorld, 3 Dec 2007) - Britain’s domestic intelligence agency is warning that cybercrime perpetrated by China is on the rise following hacking attacks against Rolls-Royce and Royal Dutch Shell. The agency, known as MI5, recently sent letters to some 300 banks, accounting and legal firms warning that “state organizations” of China were plying their networks for information, according to the Times of London on Monday. The U.K. government refused on Monday to confirm the letters. However, the reported correspondence comes just a month after the U.K.’s top domestic intelligence officer warned of “high levels” of covert activity by at least 20 foreign intelligence agencies, with Russia and China as the most active. “A number of countries continue to devote considerable time and energy trying to steal our sensitive technology on civilian and military projects, and trying to obtain political and economic intelligence at our expense,” said Jonathan Evans, director general of MI5, in Manchester, U.K., on Nov. 5. “They do not only use traditional methods to collect intelligence but increasingly deploy sophisticated technical attacks, using the Internet to penetrate computer networks,” he said. The Times, quoting an unnamed source, reported that Rolls-Royce’s network was infected with a Trojan horse program by Chinese hackers that sent information back to a remote server. Dutch Shell uncovered a Chinese spying ring in Houston, aimed at pilfering confidential pricing information for the oil giant’s operations in Africa, the paper said, citing “security sources.” http://www.infoworld.com/article/07/12/03/Shell-Rolls-Royce-reportedly-hacked-by-Chinese-spies_1.html?source=rss&url=http://www.infoworld.com/article/07/12/03/Shell-Rolls-Royce-reportedly-hacked-by-Chinese-spies_1.html

OREGON ‘GROUND ZERO’ IN RIAA BATTLE AGAINST FILE-SHARING (ABA Journal, 30 Nov 2007) - Oregon’s attorney general is going to bat, yet again, for university students being targeted by the U.S. recording industry. In filings this week, Attorney General Hardy Myers’ office said the Recording Industry Association of America’s litigation tactics may violate his state’s data-mining laws, Bloomberg News reports. And his office called for an investigation of the recording industry’s tactics. ComputerWorld dubbed Oregon “Ground Zero” in the battle between the RIAA and music pirates. The RIAA has issued subpoenas to the University of Oregon to reveal the identities of 17 students who are alleged to have violated copyright laws. They are among more than 20,000 individuals, mainly in academic circles, who have been targeted by the RIAA for copyright infringement since 2003. “The larger issue may not be whether students are sharing copyrighted music, but whether plaintiffs’ investigative techniques and litigation techniques are appropriate,” the AG’s filing in federal court in Eugene, Ore., said. The University of Oregon is the first school to file a motion to block the RIAA’s subpoena, according to Bloomberg. And this is the second time in a month that Myers has fought RIAA attempts to turn over the names of students. Bloomberg reports that the IP addresses of the Oregon students were obtained by investigators from MediaSentry, which is not licensed to engage in data-mining activities under Oregon law. http://www.abajournal.com/weekly/oregon_ag_fights_riaa_subpoena

PROTECTION FOR “PERSONALLY IDENTIFIABLE INFORMATION” IN BANKRUPTCY SALES (Wiley Rein “Privacy in Focus”, December 2007) - The nature of online commerce requires the collection of information from individuals to identify the parties to individual transactions, transfer funds for payment, and ensure the delivery of the goods or services being acquired. Public concern about the potential for abuse of such information by online merchants gave rise to the development of so-called “privacy policies” that provide a measure of reassurance that information collected will be protected from unauthorized use and disclosure. Such concerns come to a head when a merchant that sells online files for bankruptcy protection and then determines to sell off assets that include personally identifiable information. [More, with analysis.] http://www.wileyrein.com/publication_newsletters.cfm?ID=10&year=2007&publication_ID=13376&keyword=

ANALYSIS OF PRIVILEGE IN CORPORATE CONTEXT, WHERE LAWYERS AND NON-LAWYERS SHARE COMMUNICATIONS, ARE COPIED, ETC. (Freivogel on Conflicts, 1 Dec 2007) - In re Vioxx Prods. Liab. Litig., 501 F.Supp.2d 789 (E.D. La. 2007) (August 14, 2007). The opinion is an exhaustive review of corporate privilege involving the distribution of E-mails, E-mail attachments, and other documents among in-house lawyers where non-lawyers are involved, copied, etc. Rather than summarize the opinion, we will refer readers to the excellent summary prepared by Hogan & Hartson LLP in their November 2007 “Litigation Alert.” Anyone who cannot retrieve it from their Web site, www.hhlaw.com, and who wants a copy, should send an E-mail to wfreivogel@yahoo.com, and we will send a PDF. http://www.freivogelonconflicts.com/new_page_1.htm Hogan & Hartson article at http://www.hhlaw.com/files/Publication/92224370-f9d6-4580-acd6-11bcd3b7ecbf/Presentation/PublicationAttachment/b81169e2-af7e-44e5-8b6a-16d269191c76/LitigationAlert.pdf

WORLD ECONOMIC FORUM ANNOUNCES TECHNOLOGY PIONEERS 2008 (WEF, 2 Dec 2007) - World Economic Forum today announced 39 visionary companies selected as Technology Pioneers 2008. The companies’ products and services include identity management on the Internet, understanding of individuals’ genetic information, robotic radiosurgery, pollution control materials, low-cost remote diagnosis solutions, virtual interface technologies, wiki-based projects and next generation business intelligence solutions. Twenty-three of the Technology Pioneers 2008 are US-based companies. Israel and the United Kingdom each boast three; Sweden and Switzerland two each; Canada, France, Germany, India, the Netherlands and Russia, one each. Technology Pioneers are nominated in three main categories: Energy/Environment, Biotechnology/Health and Information Technology. http://www.weforum.org/en/media/Latest%20Press%20Releases/TechPioneers08PR List at http://www.weforum.org/en/about/Technology%20Pioneers/SelectedTechPioneers/index.htm

MORE STATE WEB SITES WILL SHOW UP IN SEARCHES WITH HELP FROM GOOGLE SOFTWARE (SiliconValley.com, 3 Dec 2007) - Googling something or someone? If the state of Florida has public records about your subject, they might show up in your search results. Many state agencies make numerous public records available online, but the information hasn’t been indexed by the search engines at Google Inc., Yahoo Inc. and Microsoft Corp., the three most popular. And that has made the data hard to find. If you want to know a school’s test scores, for example, you often have to know your state Department of Education’s Web address and then know how the agency stores and retrieves information. Under a new partnership announced Monday by Gov. Charlie Crist, Google Inc. is providing free consulting and software that help make more files recognizable to most search engines. Florida joins five other states - Arizona, California, Utah, Virginia and Michigan - already participating in Google’s effort. Google hopes to get local governments involved in the effort. http://www.siliconvalley.com/news/ci_7625140?nclick_check=1

POLICE BLOTTER: VERIZON FORCED TO TURN OVER TEXT MESSAGES (CNET, 5 Dec 2007) - What: U.S. Department of Justice seeks archived SMS text messages from Verizon Wireless without obtaining a warrant first. When: District judge rules on October 30; magistrate judge completes review of archived text messages on Friday. Outcome: Prosecutors receive the complete contents of defendant’s text messages. What happened, according to court documents: It may not be that well known outside of police and telecommunications circles, but odds are excellent that your mobile phone provider saves copies of your SMS text messages. In a case that Police Blotter wrote about last year, federal police obtained logs of archived text messages from two unnamed wireless providers. In addition, a judge in the Kobe Bryant sex case ordered the phone provider to turn over archived messages. Text messages were also part of the trial involving the attempted murder of rapper 50 Cent. http://www.news.com/Police-Blotter-Verizon-forced-to-turn-over-text-messages/2100-1030_3-6221503.html?part=rss&tag=2547-1_3-0-5&subj=news

NINTH CIRCUIT GIVES NEW HOPE TO PLAINTIFFS IN DATA BREACH CASES (Steptoe & Johnson’s E-Commerce Law Week, 6 Dec 2007) - Late last month, the Ninth Circuit ruled that circumstantial evidence of a causal connection between a data breach and subsequent identity theft can support a negligence claim against the organization that suffered the breach. The court’s unpublished opinion in Stollenwerk v. Tri-West Health Care Alliance overturned a lower court’s ruling that plaintiff Mark Brandt could not recover on a negligence claim stemming from six cases of identity theft that he allegedly suffered after his data was compromised by a theft of computer equipment from defendant Tri-West. The Ninth Circuit held that it is a “matter of common knowledge” that “the type of information contained on the … [stolen] hard drives [was] the same kind needed to open credit accounts at the firms where [the identity theft] took place.” The court also noted that the identity theft had begun just six weeks after the breach and that Brandt had allegedly handled his personal information with care and had never suffered identity fraud before the breach. On these facts, the court found that a reasonable jury could find a “causal relationship” between the breach and the identity theft, and so reversed the district court’s order of summary judgment for Tri-West. This ruling suggests that, even without evidence directly tying a data breach to subsequent incidents of identity theft, plaintiffs may be able to get to a jury in a suit against the organization that lost their data. http://www.steptoe.com/publications-5024.html Opinion at:
http://www.steptoe.com/attachment.html/3256/484a.pdf

**** RESOURCES ****
INDEX OF DOJ LEGAL OPINIONS 1998-2007 POSTED ONLINE (BeSpacific, 2 Dec 2007) - The website GovernmentAttic.org has posted a complete index of DOJ Legal Counsel Opinions from 1998 through the present here: http://www.governmentattic.org/docs/DOJ_LegalCounselOpinions_1998-2007.pdf

**** RECOMMENDED PODCASTS ****
“Amory Lovins - Energy Efficiency and Implementation.mp3” is the best podcast I’ve heard. There’s something here for everybody: engineers, policy makers, CEOs, parents, KM planners, internet-enabled business managers. Inter alia, every CEO/CFO of publicly traded companies will be well served by listening. I yearn for a simple, URL-like way to point people to podcasts; this one can be found on iTunes in “IT Conversations”, published by the Conversations Network. I’ve also uploaded a copy to my public folder at http://idisk.mac.com/vpolley-Public?view=web, where I’ll keep it for a few weeks. Please send along your own recommendations and I’ll include them in future MIRLN issues.

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuire Wood’s Technology & Business Articles of Note, http://tinyurl.com/ywsusp
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.