Saturday, December 08, 2007

MIRLN - Misc. IT Related Legal News [18 November - 8 December 2007; v10.16]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley ( with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at and blogged at

**************End of Introductory Note***************

The Cyberspace Law Committee will hold its Winter Working Meeting in a real winter venue this time: Minneapolis, 25-26 January 2008. Come and bask with old and new friends in the Twin Cities for the most concentrated and productive cyberlaw discussions anywhere. Information at

GERMANY ENACTS DATA RETENTION LAW (Steptoe & Johnson’s E-Commerce Law Week, 21 Nov 2007) - On November 9, the German Bundestag approved a law implementing the EU Data Retention Directive (2006/24/EC) that will require that communication providers in Germany retain connection data for at least six months, beginning January 1, 2009. Telecommunications providers are required to retain data relating to the date, time, sender, recipient, and duration of communications - but not their content. VoIP providers will also be required to store the IP addresses of all parties to a communication. Mobile providers must also retain the location of the phone at the time of the call. If a provider does not itself generate or process connection data, it must make sure that the data is retained by another provider, and identify that entity upon request. Internet Service Providers must retain a subscriber’s IP address and user ID, along with the date, time and length of the subscriber’s connection . Email providers must store email addresses of all senders and addressees, the IP addresses of senders and sending communication systems, and the header of each email. The law also puts in place several other controversial measures, including a prohibition on the use of fictitious online identities. Although retention is not mandatory until January 1, 2009, communications providers may begin retaining data on January 1, 2008.

USERS DECRY FACEBOOK TRACKING (, 22 Nov 2007) - Some users of the online hangout Facebook are complaining that its 2-week-old marketing program is publicizing their purchases for friends to see. Those users say they never noticed a small box that appears on a corner of their Web browsers following transactions at Fandango, Overstock and other online retailers. The box alerts users that information is about to be shared with Facebook unless they click on “No Thanks.” It disappears after about 20 seconds, after which consent is assumed. Users are given a second notice the next time they log on to Facebook, but they can easily miss it if they quickly click away to visit a friend’s page or check e-mail. “People should be given much more of a notice, much more of an alert,” said Matthew Helfgott, 20, a college student who discovered his girlfriend just bought him black leather gloves from Overstock for Hanukkah. “She said she had no idea (information would be shared). She said it invaded her privacy.” (finally, on 5 December) … ZUCKERBERG APOLOGIZES, ALLOWS FACEBOOK USERS TO EVADE BEACON (New York Times, 5 Dec 2007) - Mark Zuckerberg has produced a symphony of contrition in a blog post today about Facebook’s Beacon feature, which initially sent information on users’ Web purchases to their friends unless they specifically blocked the disclosure of each purchase. He explained the most controversial aspect of the system — the fact that it was opt-out, not opt-in — as an attempt to make it easy. “At first we tried to make it very lightweight so people wouldn’t have to touch it for it to work.” He acknowledged that this was a mistake. Last week, Facebook changed Beacon to make it an opt-in system on a per-site basis. And today, it allowed users to turn it off entirely, something that even last week it said it wouldn’t do. Facebook’s description of “Beacon”:

DATA LEAK IN BRITAIN AFFECTS 25 MILLION (New York Times, 22 Nov 2007) - The British government struggled Wednesday to explain its loss of computer disks containing detailed personal information on 25 million Britons, including an unknown number of bank account identifiers, in what analysts described as potentially the most significant privacy breach of the digital era. It has defended its decision not to disclose the loss until Tuesday, 10 days after it had been informed, saying banks had asked for time to put heightened security measures in place first. The data went astray in October, after two computer disks that contained information on families that receive government financial benefits for children were sent out from a government tax agency unregistered, via a private delivery service. The episode is one of three this year in which the agency improperly handled its vast archive of personal data, according to an account by the chancellor of the Exchequer — including the sending of a second set of disks when the first set did not arrive. In sheer numbers, the breach was smaller than several in the United States over the last few years. But the disks lost in Britain contained detailed personal information on 40 percent of the population: in addition to the bank account numbers, there were names, addresses and national insurance numbers, the British equivalent of Social Security numbers. They also held data on almost every child under 16. “This particular breach would dwarf anything we’ve seen in the United States in terms of percentage of the population impacted,” said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, a nonprofit consumer advocacy group based in California. Bank officials said they had scrutinized their records back to Oct. 18, when the disks were mailed, but had discerned no unusual account activity, and the government pledged that no individuals would be responsible for any losses related to the security breach. British families are eligible for a weekly payment of $36.30 for their first child, and $25 per additional child. Those who choose to have the money deposited directly into bank accounts must provide this information to the government. The disks were protected by a password, the government said, but were not encrypted. They were sent by Her Majesty’s Revenue and Customs, the country’s tax collection agency, to the National Audit Office, which monitors government spending, via a parcel delivery company, TNT. Gartner estimates associated costs at $500 million:

- and -

2007 IDENTITY THEFT RESOURCE CENTER BREACH LIST (BeSpacific, 24 Nov 2007) - “...the Identity Theft Resource Center (ITRC) has been tracking security breaches for the past three years, looking for patterns, new trends and any information that may help us better protect data and assist companies in their activities...In 2006, there were in excess of 315 publicized breaches affecting nearly 20 million individuals. Based on ITRC’s categorization, the breaches break down as follows: 29% government/military agencies; 28% from educational institutions; 22% from general businesses; 13% from health care facilities / companies; and 8% from banking / credit / financial services entities. In 2005, there were 158 incidents affecting more than 64.8 million people.” ; list is at

-- and --

EUROPEAN COMMISSION PLANS SECURITY BREACH NOTIFICATION LAW (, 5 Dec 2007) - The European Commission wants laws to be passed across Europe that would force telecoms companies to tell customers when personal data security has been breached. Security breach laws are common in the US but are still controversial. Even in the wake of the loss of 25 million UK residents’ personal details last month the Information Commissioner’s Office (ICO) cautioned that a poorly-drafted general security breach notification law would be counter-productive because a large number of notifications could make citizens complacent. The Commission has published a proposal to amend the Privacy and Electronic Communications Directive, which is designed to ensure that EU citizens’ privacy is not violated in telecoms networks. A major proposal is that telecoms companies would be subject to a security breach notification law which would force them to tell customers when a privacy breach had occurred.

MPAA UNIVERSITY ‘TOOLKIT’ RAISES PRIVACY CONCERNS (Washington Post, 23 Nov 2007) - The Motion Picture Association of America is urging some of the nation’s largest universities to deploy custom software designed to pinpoint students who may be using the schools’ networks to illegally download pirated movies. A closer look at the MPAA’s software, however, raises some serious privacy and security concerns for both the entertainment industry and the schools that choose to deploy the technology. On Oct. 24, MPAA sent a letter to the presidents of 25 universities that the association has identified as top locations for the downloading of pirated movies over online file-sharing networks. In the letter, the group said it “has developed the University Toolkit, an application which can produce a report that is strictly internal and therefore confidential to illustrate the level of file sharing on [your school’s] network. In addition, we will send a hard copy in the near future to your university’s Chief Information Officer.” Security Fix downloaded the University Toolkit and studied it, with the help of David Taylor, a senior information security specialist with the University of Pennsylvania in Philadelphia. (Taylor’s school was not among those that received the letter.) What we found was that depending on how a university’s network is set up, installing and using the MPAA tool in its default configuration could expose to the entire Internet all of the traffic flowing across the school’s network. and

- and, in a twist -

MPAA CAUGHT INFRINGING COPYRIGHT (, 4 Dec 2007) - The MPAA will act in seconds when you violate its copyright but won’t act at all when it violates your copyright. Last month, the MPAA began sending out a “university toolkit” to several universities across the US. These toolkits monitor network traffic and create graphs and charts showing the prevalence of file sharing across the school networks. The whole aim was to bring more attention to copyright infringement happening in these networks, but the toolkit itself is chock full of irony - it’s violating the GPL agreement. The toolkits were built upon open source software that is licensed under the GPL. As we all know, when you use any GPL’d code in your software and distribute it, you’re required to provide the modified code to all. Well, that’s the part that the MPAA apparently does not understand. After being contacted by Matthew Garrett, one of the coders of the GPL’d software, several times in an attempt to have the source code distributed, Garrett took matters into his own hands. The fine gentleman contacted the MPAA’s ISP and had the content removed from the servers.

FRANCE SET TO CUT WEB ACCESS FOR MUSIC, FILM PIRATES (CNET 23 Nov 2007) - Internet users in France who frequently download music or films illegally risk losing Web access under a new antipiracy system unveiled Friday. The three-way pact among Internet service providers, the government, and owners of film and music rights is a boon to the music industry, which has been calling for such measures to stop illicit downloads eating into its sales. Under the agreement, drawn up by a commission headed by the chief executive of FNAC, one of France’s biggest music and film retailers, service providers will issue warning messages to customers downloading files illegally. If users ignore those messages, their accounts could be suspended or closed altogether.

VISA FINES OHIO BANK IN TJX DATA BREACH (, 24 Nov 2007) - Fifth Third Bancorp, the Ohio bank that was fined $880,000 by Visa for its role in the customer data security breach at TJX Cos., the largest ever, also paid fines and compensation totaling $1.4 million following the loss of data from BJ’s Wholesale Club Inc. several years ago, a court filing shows. Fifth Third operates more than 1,150 bank branches in the Midwest and Florida and is one of the nation’s leading processors of transactions for merchants. Banks, retailers, and credit-card firms such as Visa and MasterCard Inc. have locked horns in recent years over the issue of data security. All parties agree that in the wake of major breaches such as TJX’s, in which the data of nearly 100 million customers was compromised through the end of last year, consumer information needs better protection. Visa, the largest payment system, had threatened to levy fines when merchants didn’t meet a Sept. 30 deadline to upgrade their systems to current security standards that spell out requirements like keeping data behind firewalls and using robust encryption systems for their wireless networks. By Visa’s most recent count in October more than a third of the largest US stores didn’t meet the requirements. In the BJ’s case, hackers apparently broke into the Natick company’s database and stole the credit-card information of some of its 8 million customers. The information was then used to make fraudulent purchases. BJ’s settled charges with the Federal Trade Commission in 2005 that it failed to take appropriate security measures. The fines in the cases of TJX Cos. and BJ’s underscore these issues. Technically, Visa and MasterCard can’t fine merchants directly but rather levy penalties on banks the merchants pay to process transactions when customers pay with plastic. The arrangement creates tensions because it means card networks aren’t directly responsible for security, said Michael Gavin, a strategist for Security Innovation in Wilmington who audits companies to be sure they comply with the standards. That Fifth Third was previously fined suggests the bank should have known better than to tolerate the issues at TJX, Gavin said. “Fifth Third is definitely guilty of not requiring its merchants” to meet current security standards, he said, “and it has no excuse other than it was willing to accept the risk that any of them might suffer a data breach.”

-- and --

TJX AGREES TO REIMBURSE BANKS (, 1 Dec 2007) - Framingham retailer TJX Cos. agreed to reimburse banks up to $40.9 million as a result of the largest data breach in history, which compromised as many as 100 million credit and debit card accounts before it was discovered at the end of last year. TJX, the parent of discount chains including TJ Maxx and Marshalls, reached a deal with credit card network Visa Inc. to pay some of the costs of reissuing cards and covering fraud losses at banks that issue Visa products, the two companies said yesterday. TJX also said it would help promote new security standards that Visa, MasterCard Inc., and banks have struggled to persuade merchants to accept. In return, the banks would agree not to sue TJX or its partners, and Visa would suspend some fines it levied after the breach, the companies said. The unprecedented terms demonstrate that retailers, banks, and card companies realize they must stop blaming one another for security lapses in an industry that handled $3.5 trillion worth of transactions last year, said Mary Monahan, partner at Javelin Strategy & Research in California. “We have a merchant and a card company saying, let’s end the finger-pointing here,” Monahan said.

US GOVERNMENT RELEASES INFORMATION SHARING PRIVACY PRINCIPLES (EPIC, 25 Nov 2007) - The US government has released its “National Strategy for Information Sharing.” The strategy describes information sharing between state and local governments, the private sector and foreign governments, and includes the administration’s “core privacy principles” for protecting privacy. Privacy guidelines, developed by the Attorney General and Director of National Intelligence, are built on these core principles. Privacy is described as a “core facet” of information sharing efforts. The privacy principles limit information sharing to the broad and undefined “terrorism, homeland security or law enforcement information related to terrorism.” Participation in information sharing is not conditioned on successful implementation of the principles. For implementation, the President directed the creation of the Privacy Guidelines Committee, consisting of the Attorney General, Director of National Intelligence and agency privacy officers. No citizen advocates sit on the committee. The national strategy summarizes some of the completed information sharing tasks. The strategy touts the creation of an “Information Sharing Environment”; significant grant funding to state and local “information fusion centers”; the consolidation of watchlists in a “terrorist screening center”; and the creation of the “Homeland Security Information Network” for two-way information sharing between federal and state and local officials. EPIC’s page on Fusion Centers:

SOFTWARE PIRACY FIGHT MAKES ENEMIES (Washington Post, 25 Nov 2007) - Michael Gaertner worried he could lose his company. A group called the Business Software Alliance had written him to claim that his 10-person architectural firm in Galveston, Texas, was using unlicensed software. The letter demanded $67,000, most of one year’s profit, or else the BSA would seek more in court. An analysis by The Associated Press reveals that targeting small businesses is a lucrative strategy for the Business Software Alliance, the main global copyright-enforcement watchdog for such companies as Microsoft Corp., Adobe Systems Inc. and Symantec Corp. Of the $13 million that the BSA reaped in software violation settlements with North American companies last year, almost 90 percent came from small businesses, the AP found. The BSA is well within its rights to wring expensive punishments aimed at stopping the willful, blatant software copying that undoubtedly happens in many businesses. And its leaders say they concentrate on small businesses because that’s where illegitimate use of software is rampant. But technology managers and software consultants say the picture has more shades of gray than the BSA acknowledges. Companies of all sizes say they inadvertently run afoul of licensing rules because of problems the software industry itself has created. Unable or unwilling to create technological blocks against copying, the industry has saddled its customers with complex licensing agreements that are hard to master. In that view, the BSA amasses most of its bounties from small businesses because they have fewer technological, organizational and legal resources to avoid a run-in. and

UNIVERSITY OF MICHIGAN LIBRARIAN DEFENDS GOOGLE SCANNING DEAL (Ars Technica, 26 Nov 2007) - The University of Michigan’s head librarian, Paul Courant, started a blog this November to talk about large-scale digitization projects. Sounds noncontroversial, right? It was, for all of one post, and then Courant defended his library’s relationship with Google, saying that “the University of Michigan (and the other partner libraries) and Google are changing the world for the better.” Not everyone agrees. Courant’s basic argument is that Google will scan seven million Michigan books in less than six years, and it won’t cost the university a dime. In addition, Michigan retains the books and also gets a complete copy of Google’s scans, including the text that’s spit out by optical character recognition software. Left to its own devices, the university would have no chance of duplicating this feat on its own. It could also partner with other projects like the Open Content Alliance, which won’t display any snippets from copyrighted works unless the publisher opts in to the program. But Courant argues that time is crucial, and Google is the company that can get the most done in the least amount of time. “We have a generation of students who will not find valuable scholarly works unless they can find them electronically,” wrote Courant. “At the rate that OCA is digitizing things (and I say the more the merrier and the faster the better) that generation will be dandling great-grandchildren on its knees before these great collections can be found electronically.” Courant has previously served as an economics professor at the university (and was later Provost), and he says that his economic work on public goods has convinced him just how bad it would be for society if one company ended up with sole control over large swathes of cultural knowledge. But he doesn’t believe that Michigan’s partnership with Google Book Search will create such problems. “Google has no such control,” he writes. “After Google scans a book, they return the book to the library (like any other user), and they give us a copy of the digital file. Google is not the only entity controlling access to the collection—the University of Michigan and other partner libraries control access as well. Except we don’t think of it as controlling access so much as providing it.” Siva Vaidhyanathan, a professor at the University of Virginia, is working on a critical book about Google, and he argues that the current book-scanning program is riddled with problems. Public institutions, he argued in a response to Courant, should not be making these sorts of deals with private companies, especially when those companies are as dominant in their fields as Google is.

FEDS ROUTINELY SEEK CELL PHONE TRACKING DATA (, 26 Nov 2007) - Most people are oblivious to the fact that they carry a real-time tracking device with them throughout the day: their cell phone. Now the Washington Post is reporting that federal agents are routinely requesting court orders to compel cell phone companies to release the information to them. In many cases, Post reporter Ellen Nakashima said, the court orders the release of the information without the legal safeguards typically required for a search warrant. But now some courts are taking a closer look at the requests for tracking information. In a brief telephone interview, Justice Department spokesperson Dean Boyd stressed that federal agents are not illicitly obtaining cell phone data. “Federal agents can only obtain data when it’s authorized by a judge,” Boyd said. “It’s the courts that make the determination as to whether the requested data should be released.” Following the publication of the Washington Post article, Boyd issued a lengthy statement defending the actions of federal agents. “Law enforcement has absolutely no interest in tracking the locations of law-abiding citizens,” Boyd said in the statement. “What we’re doing is going through the courts to lawfully obtain data that will help us locate criminal suspects, sometimes in cases where lives are literally hanging in the balance, such as a child abduction case or a serial murderer on the loose.” Under the U.S. Constitution, governmental agents are typically required to show that their warrant request is based on “probable cause” that a crime is taking place, or that the requested information will help produce evidence of a crime. But in some instances, federal prosecutors and agents have filed their requests under two federal laws, the Stored Communications Act and the Pen Register Statute, which provide a lower standard than “probable cause.” Under those statutes, a subpoena for electronic information can be granted if there are “reasonable grounds” that the information will lead to data “relevant to an ongoing criminal investigation.” The issue was highlighted recently by the publication of an unusually stern denial of a data request by Magistrate Brian L. Owsley in the Southern District of the U.S. District Court in Texas. Among other things, Magistrate Owsley said that the affidavit submitted by a Drug Enforcement Agent for cell phone tracking data lacked the kind of specific information generally required to establish probable cause.

WHEN E-MAIL IS OUTSOURCED (InsideHigherEd, 27 Nov 2007) - In 1998, Dartmouth College was considered at the forefront of campus e-mail. Its homegrown system, BlitzMail, continued to reflect the college’s reputation for being ahead of the curve on technology. Dartmouth students still rely on BlitzMail today, downloading their messages with a traditional Windows- or Mac-based client. But nearly 10 years later, even David L. Bucciero, the director of technical services, calls the service “archaic.” It lacks some of the “bells and whistles,” he said, that most students take for granted with the personal Web-based e-mail accounts they take with them to college. Such features might include the ability to view and compose messages in HTML, which allows the customization of fonts and colors, or virtually unlimited storage space. Those inadequacies — combined with occasional downtime — explain why Dartmouth might go back to the drawing board. And in rethinking its e-mail strategy, officials there will confront similar issues as many other colleges and universities in a time of rapid shifts in messaging habits and in the economics of Internet applications. Bucciero and a planned study group will soon consider whether it’s worthwhile to continue maintaining BlitzMail, or whether Dartmouth should consider for e-mail what colleges routinely do for many other basic operational functions: outsource it. In the world of e-mail, outsourcing means two things: Google or Microsoft. Both have been marketing Web-based messaging services to small businesses, nonprofits and other groups, and they’ve focused more intensely on the higher education market over the past year. Besides services that are completely free and interfaces that are familiar to students, they offer a wide array of features, tools that let people collaborate in real time — and of course, the cool factor. At Dartmouth, Bucciero and his colleagues will weigh the possibility of taking “BlitzMail to the next level,” switching to another system entirely or enlisting a third party. It’s the last option that would raise the most concerns — about security and privacy, if data were migrated offsite; about accessing messages through clients offline, if they’re readable primarily through the Web; about support services, if the current IT help desk can no longer administer the system; and about the ability to send mass e-mail blasts. Jeff Keltner, Google’s enterprise specialist for collaboration products, said institutions on six of the seven continents use its education services, with several hundred thousand active users logging in on a regular basis from several thousand campuses around the world. The senior product manager for Microsoft’s Live @ edu program, Bruce Gabrielle, said the company has some 450 higher education clients, which ballooned from 300 since the end of June. “A lot of awareness is spreading virally,” he said. While many colleges and universities have yet to make the switch to Google or Microsoft, several (like Dartmouth, Cornell University, the University of Connecticut and Ohio State University) are in the process of exploring their options or issuing requests for proposals. Both companies offer integrated e-mail, chat, calendar and publishing tools without advertisements and without any cost to colleges or universities — no exclusivity required. The standard Google contract is one year, with three one-year auto-renewals; for Microsoft, the typical length is two years. Both preserve universities’ “.edu” e-mail domains while offering the functionality of a typical Gmail or Live address.

U.S. WITHDRAWS SUBPOENA SEEKING IDENTITY OF 24,000 AMAZON CUSTOMERS (, 27 Nov 2007) - Federal prosecutors have withdrawn a subpoena seeking the identities of thousands of people who bought used books through online retailer Inc., newly unsealed court records show. The withdrawal came after a judge ruled the customers have a First Amendment right to keep their reading habits from the government. “The (subpoena’s) chilling effect on expressive e-commerce would frost keyboards across America,” U.S. Magistrate Judge Stephen Crocker wrote in a June ruling. “Well-founded or not, rumors of an Orwellian federal criminal investigation into the reading habits of Amazon’s customers could frighten countless potential customers into canceling planned online book purchases,” the judge wrote in a ruling he unsealed last week. Seattle-based Amazon said in court documents it hopes Crocker’s decision will make it more difficult for prosecutors to obtain records involving book purchases. Assistant U.S. Attorney John Vaudreuil said Tuesday he doubted the ruling would hamper legitimate investigations. Crocker - who unsealed documents detailing the showdown against prosecutors’ wishes - said he believed prosecutors were seeking the information for a legitimate purpose. But he said First Amendment concerns were justified and outweighed the subpoena’s law enforcement purpose. and

8.3 MILLION AMERICANS VICTIMS OF ID THEFT (Washington Post, 27 Nov 2007) - Nearly 4 percent of American adults were victims of identity theft in 2005, but half of them did not incur any out-of-pocket expenses, the U.S. Federal Trade Commission said on Tuesday. An agency survey found identity information was stolen from 8.3 million U.S. adults and most commonly used to access or open accounts for credit cards, bank checking, telephone service, e-mail, and medical insurance. “In more than half of the incidents, victims incurred no out-of-pocket expenses,” the FTC said in a statement. However, 10 percent of the victims reported out-of-pocket expenses of $1,200 or more, it said. The FTC survey also looked at the value of goods or services that thieves obtained using the victims’ personal information. In half of all incidents, thieves obtained items or services worth $500 or less while in 10 percent of cases, thieves got at least $6,000. Some 37 percent of victims reported problems beyond their out-of-pocket expenses, the FTC said. They included being harassed by debt collectors, denied new credit or loans, unable to use existing credit cards, having utilities cut off, or having difficulty obtaining or accessing bank accounts. and

- and -

THE COST OF DATA LOSS RISES (Information Week, 28 Nov 2007) - Losing customer data cost companies more this year than last. According to a study conducted by the Ponemon Institute, an independent information practices research group, data breaches cost businesses an average of $197 per customer record in 2007, up from $182 in 2006. The average total cost for a data breach in 2007 was $6.3 million, up from $4.8 million in 2006. The study suggests that lost data translates to lost business opportunity. This mainly comes in the form of customer churn and customer acquisition costs, which rose from $98 per record in 2006 to $128 in 2007 - a 30% increase. Other costs include reputation management and customer support costs such as information hotlines and credit monitoring subscriptions for victims. Study at [registration required] [Editor: The 2006 Ponemon study is broadly influential, and I expect this new study to be similar. Here’s a SANS NewsBites 7 December 2007 summary of the Ponemon study: “A survey of nearly 900 IT security professionals conducted by the Ponemon Institute found that many workers do not abide by established security policies, either because they are unaware of the policies or because they find them inconvenient. More than half of respondents admitted to having copied confidential company data onto USB drives although 87 percent said they knew the practice violated company policy. Nearly half of respondents said they share passwords with colleagues; two-thirds said sharing passwords violates policy at their organizations. One-third of respondents said they had sent work documents as attachments; almost half of respondents were unsure whether doing so violated their companies’ policies. Sixty percent of respondents said their companies had no formal policy that prohibits installation of personal software on work machines. Almost half said they had downloaded software, including P2P programs, onto company computers.”]

NEW SOFTWARE DETECTS WEB INTERFERENCE (Washington Post, 28 Nov 2007) - Increasingly worried over Internet providers’ behavior, a nonprofit has released software that helps determine whether online glitches are innocent hiccups or evidence of deliberate traffic tampering. The San Francisco-based digital rights group Electronic Frontier Foundation hopes the program, released Wednesday, will help uncover “data discrimination,” efforts by Internet providers to disrupt some uses of their services, in addition to the cases reported separately by EFF, The Associated Press and other sources. “People have all sorts of problems, and they don’t know whether to attribute that to some sort of misconfiguration, or deliberate behavior by the ISP,” said Seth Schoen, a staff technologist with EFF. The new software compares lists of data packets sent and received by two different computers and looks for discrepancies between what one sent and the other actually received. Previously, the process had to be done manually. Schoen compared the software to a spelling checker. “If you really had no idea what you were looking for, this could save dozens of hours,” he said. Increasingly people are contacting the EFF worried that their online activity has been disrupted by their Internet service provider, he said. The goal of the EFF’s program is to “help consumers get more clarity about what the ISPs are doing.”
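The comparison the article describes, two captures of the same stream lined up against each other so that dropped, injected and altered packets stand out, as an added illustration. This is not the EFF tool itself; it assumes each host has reduced its capture to a list of (sequence number, payload) pairs, and the two sample lists are constructed so that one segment is missing on the receiving side, one appears there that the sender never transmitted, and one arrives with a changed payload.

```python
"""Compare what one host sent with what its peer actually received.

Added example, not the EFF software described above. It assumes each side
has a list of packets as (sequence_number, payload_bytes) taken from packet
captures on the sending and receiving hosts; the sample lists are constructed.
"""
import hashlib
from typing import Dict, List, Tuple

Packet = Tuple[int, bytes]  # (sequence number, payload) -- assumed capture form


def _fingerprint(payload: bytes) -> str:
    """Hash the payload so the two captures can be compared without exchanging the data."""
    return hashlib.sha256(payload).hexdigest()


def compare_captures(sent: List[Packet], received: List[Packet]) -> Dict[str, list]:
    """Return discrepancies between the sender's and receiver's view of the stream.

    - 'dropped'  : sequence numbers sent but never seen by the receiver
    - 'injected' : sequence numbers seen by the receiver but never sent
    - 'modified' : sequence numbers present on both sides with different payloads
    """
    sent_by_seq = {seq: _fingerprint(p) for seq, p in sent}
    recv_by_seq = {seq: _fingerprint(p) for seq, p in received}
    dropped = sorted(set(sent_by_seq) - set(recv_by_seq))
    injected = sorted(set(recv_by_seq) - set(sent_by_seq))
    modified = sorted(
        seq for seq in set(sent_by_seq) & set(recv_by_seq)
        if sent_by_seq[seq] != recv_by_seq[seq]
    )
    return {"dropped": dropped, "injected": injected, "modified": modified}


# Constructed sample captures: host A sent five segments; host B's capture is
# missing segment 300, contains a segment 450 that A never sent, and shows
# segment 500 with a payload that differs from what A transmitted.
SENT_BY_A: List[Packet] = [
    (100, b"GET /file HTTP/1.1\r\n"),
    (200, b"chunk-1"),
    (300, b"chunk-2"),
    (400, b"chunk-3"),
    (500, b"chunk-4"),
]
RECEIVED_BY_B: List[Packet] = [
    (100, b"GET /file HTTP/1.1\r\n"),
    (200, b"chunk-1"),
    (400, b"chunk-3"),
    (450, b"<not sent by A>"),
    (500, b"chunk-4-altered"),
]

if __name__ == "__main__":
    for kind, seqs in compare_captures(SENT_BY_A, RECEIVED_BY_B).items():
        print(f"{kind}: {seqs}")
```

A single dropped segment is ordinary packet loss; what makes a pattern worth escalating is repetition tied to a particular protocol or destination, which is why the two captures need to cover the same connection over a long enough window to separate noise from policy.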

ARIZ. JUDGES FAVOR SOME PRIVACY FOR NAMELESS E-MAILS (Arizona Star, 28 Nov 2007) - The state Court of Appeals on Tuesday spelled out new privacy protections for those who use the Internet to send anonymous messages. In the first ruling of its kind in Arizona, the judges said those who believe they have been harmed by anonymous Internet postings or e-mail cannot use Arizona courts to discover the identity of the senders unless they can prove their interests outweigh the privacy of those who originated the messages. The divided court set up a three-step test for judges to use when confronted with lawsuits by individuals or companies that contend someone whose identity they don’t know damaged them. The process includes what Judge Ann Scott Timmer called “a balancing of the parties’ competing interests,” which she said “provides an additional safeguard that comports with Arizona’s broad protection given to free speech and individual privacy.” “This is actually a great ruling for privacy,” said Corynne McSherry, an attorney with the Electronic Frontier Foundation, which lobbies and intervenes in cases involving Internet privacy. The 2-1 ruling requires evidence that the person whose identity is being sought “has been given adequate notice and a reasonable opportunity to respond.” That notice, usually provided through the Internet service provider, gives the person a chance to hire an attorney and fight the request. Potentially more important, the person filing suit has to show a judge there is a real case.

JUDGES FEEL LEGAL BLOGS’ GLARE (, 28 Nov 2007) - In May, Dale Ross, chief judge for the Florida circuit court in Broward County for 16 years, stepped down following a year of embarrassing scandals, gaffes and bad behavior by his judges. Although pressure was building for Ross to resign for years, many legal observers say it would not have happened if not for the new Broward courthouse blog, JAA Blog. That blog hammered Ross on a daily basis and reported on such incidents as a judge arrested for smoking pot in a park, another judge making an off-color sexual remark and another judge allegedly taking a loan from a defense lawyer appearing before him. The JAA Blog was started in August 2006 by a group of criminal defense lawyers fed up with the way things were being run in the Broward courthouse. They believed that it operated like a “good ol’ boys network” rather than the second-largest county court in Florida. The blog’s founders include criminal defense attorney Bill Gelin of Tribune Legal Services in Fort Lauderdale and assistant public defenders Brian Reidy and Vivian Gariboldi. “I have strong feelings about what is going on in Broward,” Gelin said. “People are upset about the ways things are being done in the criminal justice system. So we formed a group and then thought, ‘Why not have a blog?’” The Broward blog is one of a handful of legal blogs that have started in South Florida in the past two years that have shone a spotlight on the justice system. Supporters credit the blogs with providing valuable information about the inner workings of the court system, and bringing change. Critics counter that the blogs can be venues for inaccurate information and unsubstantiated personal attacks. “The [JAA] blog absolutely effectuated change,” said Broward County public defender Howard Finkelstein. “There is no question in my mind that it had a great deal to do with the toppling of the past judicial administration.” Russell Adler, a partner at Rothstein Rosenfeldt Adler in Fort Lauderdale, noted that “[s]ince a lot of it is posted anonymously, it gives people the ability to fabricate things and state things that are not true.” “It’s like being shot by a sniper - you don’t know where the shot is coming from and you don’t know what the motivation is,” Adler said.

PRO BONO EFFORTS FOLLOW TARGETS TO THE WEB (New York Times, 28 Nov 2007) - A nonprofit organization founded when “The Pride of the Yankees” meant a movie about Lou Gehrig, rather than the feelings of a departing manager, is taking a more contemporary tack in selecting the media in which its campaigns appear. The idea is to better reflect the changing media-consumption patterns of the audience the council tries to reach with ads that discourage drunken driving, fight childhood obesity, help veterans of the armed forces readjust to civilian life and promote causes like recycling and preventing forest fires. “Just like there has been a revolution in how marketers communicate, the same thing has happened to the Ad Council and how we work,” said Susan M. Gianinno, the vice chairwoman of the council. She is also the president and chief executive of the North American operations of the Publicis Worldwide agency, part of the Publicis Groupe. Not surprisingly, the changes in media choices have put more of the council’s ads online, in forms that include banner ads, sponsored links in search results, so-called buddy icons on AOL and commercials on video-sharing Web sites like YouTube. The council even has its own YouTube channel ( “Organizations have recognized the power of the Web to get the message out,” said Steve Grove, head of news and politics for YouTube, which is owned by Google. The leaders of the council “recognized it was important to be online,” he said. One benefit for nonprofit organizations of being on YouTube, apart from the obvious one (it’s free), is the serendipity factor. “You can stumble on this content without necessarily wanting to find it,” Mr. Grove said. That can help publicize a cause that a YouTube user may not have known about. It may also help people solve problems by giving viewers easily accessible information. According to data from the council, the value of the ad space and commercial time donated by the interactive media for its public-service campaigns climbed 176 percent, from $52.3 million in fiscal 2004 (July 1, 2003-June 30, 2004) to $144.4 million in fiscal 2007. “Every one of our 50 current campaigns has an interactive component,” said Peggy Conlon, president and chief executive at the council, based in New York. To encourage that trend, Ms. Conlon and the other leaders of the council have started asking agencies that specialize in interactive advertising to take the lead in creating campaigns, rather than turning first to agencies known for television and print campaigns. For instance, the task of creating a campaign to discourage violence among teenagers, being undertaken on behalf of the Family Violence Prevention Fund and the Robert Wood Johnson Foundation, has been awarded to R/GA in New York, an agency devoted to online work. “We have a great opportunity to do something here that we hope will break new ground,” said Robert Greenberg, chairman, chief executive and chief creative officer of R/GA, part of the Interpublic Group of Companies. The campaign will aim at a generation that “acts very differently from previous generations of young people,” Mr. Greenberg said, particularly in its media choices. “We’d like to look at coming up with an idea based in mobile communications,” he added, because teenagers often say that they would give up their TV sets and computers before their cellphones or other mobile devices. Among the campaigns that reflect the changing media strategies is an effort to encourage high school students not to drop out before graduating, called “Boost up,” which features a Web site (; pages on two popular social networking Web sites, Facebook and MySpace; text messaging, allowing cellphone users to send uplifting “boost” notes to friends; a presence on YouTube; and e-mail messages. Another campaign is intended to develop financial literacy among people 25 to 34, and it includes a Web site (, an e-mail newsletter, text messaging and podcasts.

GOOGLE’S STORAGE PLANS RAISE PLENTY OF CONCERNS (, 28 Nov 2007) - In the wake of this week’s buzz about Google’s plans for a new online service for file storage, Internet privacy specialists are raising concerns about the potential vulnerability of such data to government investigations. Such fears have been heightened by a variety of high-profile attempts by federal investigators to retrieve user information from online companies, including Amazon, Yahoo, MSN, and Google itself. The buzz this week seems to have started from a report in yesterday’s Wall Street Journal, saying that Google is developing an integrated service that would allow users to store and organize their own information on Google’s servers. According to the WSJ story, users of the service could store any and all of their files - from business letters to family photos - on Google’s servers, and then access or share those from any computer or mobile device. Although Google has declined to comment on the report, privacy watchdogs as well as competitors in the data storage industry have some concerns. “Whenever information is in the hands of third-parties, it changes the protections available for that information in a qualitative way,” said Lauren Weinstein, an Internet privacy expert and co-founder of the People for Internet Responsibility. “E-mail, for instance, that is in the hands of an ISP typically has less protection than the same e-mail on your home computer.” When consumers store data on devices in their home, Weinstein noted, law enforcement is generally required to obtain a search warrant, which requires presenting sufficient facts to a judge or magistrate to demonstrate probable cause for the issuance of the warrant. But data in the hands of a third party can be disclosed under a variety of other theories, some of them with lower standards of protection. “Remotely stored information might be subject to a national security letter, for instance,” he argued. “NSLs are a mechanism to extract information from third parties who have access to information that the government is interested in. Not only can government officials get the information more easily,” he said, but they can also “often get access to data without the knowledge of the target of investigation, which is obviously harder to do with a search warrant.” Weinstein said that a critical feature in making remote storage secure is for the hosting company to encrypt it in such a way that only the owner of the data can get access to it.

NEWS WEB SITES SEEK MORE SEARCH CONTROL (Washington Post, 29 Nov 2007) - Leading news organizations and other publishers have proposed changing the rules that tell search engines what they can and can’t collect when scouring the Web, saying the revisions would give site owners greater control over their content. Google Inc., Yahoo Inc. and other top search companies now voluntarily respect a Web site’s wishes as stated in a document known as “robots.txt,” which a search engine’s indexing software, called a crawler, knows to look for on a site. Under the existing 13-year-old technology, a site can block indexing of individual Web pages, specific directories or the entire site. Some search engines have added their own commands to the rules, but they’re not universally observed. The Automated Content Access Protocol proposal, unveiled Thursday by a consortium of publishers at the global headquarters of The Associated Press, seeks to have those extra commands, and more, apply across the board. With the ACAP commands, sites could try to limit how long search engines retain copies in their indexes, for instance, or tell the crawler not to follow any of the links that appear within a Web page. If accepted by search engines, publishers say they would be willing to make more of their copyright-protected materials available online. But Web surfers also could find sites disappear from search engines more quickly, or find smaller versions of images called thumbnails missing if sites ban such presentations. “Robots.txt was created for a different age,” said Gavin O’Reilly, president of the World Association of Newspapers, one of the organizations behind the proposal. “It works well for search engines but doesn’t work for content creators.” As with the current robots.txt, ACAP’s use would be voluntary, so search engines ultimately would have to agree to recognize the new commands. So far, none of the leading ones have. Search engines also could ignore the new commands and leave it to courts to resolve any disputes.
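The three things the article says robots.txt can already do (block a page, a directory, or a whole site for a given crawler), and the point that non-standard commands are only as good as the crawler's willingness to honor them, as an added example using Python's standard-library robots.txt parser. This is not code from the publishers’ consortium or from any search engine; the policy text, the host name and the “Expire-index” directive are all constructed for the illustration, the last one standing in for the kind of extra command that a parser which does not recognise it silently skips.

```python
"""Check what a robots.txt policy lets a crawler index.

Added example, not code from the page or from the ACAP consortium. It uses
urllib.robotparser on a constructed policy for a hypothetical news site.
"""
from typing import Dict, Iterable
from urllib.robotparser import RobotFileParser

# Constructed robots.txt. "Expire-index" is a made-up, non-standard directive
# included only to show that a parser which does not know a command ignores it;
# the standard lines block one page, one directory, and (for ArchiveBot) the site.
ROBOTS_TXT = """\
User-agent: *
Disallow: /private/
Disallow: /draft-story.html
Expire-index: 7d

User-agent: ArchiveBot
Disallow: /
"""

SITE = "http://news.example"  # hypothetical host for the constructed policy


def build_policy(robots_txt: str) -> RobotFileParser:
    """Parse robots.txt text that has already been fetched into a policy object."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser


def crawler_may_fetch(robots_txt: str, user_agent: str, path: str) -> bool:
    """True if the named crawler is permitted to index `path` under this policy."""
    return build_policy(robots_txt).can_fetch(user_agent, SITE + path)


def audit(robots_txt: str, user_agent: str, paths: Iterable[str]) -> Dict[str, bool]:
    """Map each path to its allow/deny verdict for one crawler."""
    policy = build_policy(robots_txt)
    return {p: policy.can_fetch(user_agent, SITE + p) for p in paths}


if __name__ == "__main__":
    paths = ["/", "/news/today.html", "/private/notes.html", "/draft-story.html"]
    for agent in ("GenericCrawler/1.0", "ArchiveBot/2.0"):
        print(agent, audit(ROBOTS_TXT, agent, paths))
```

Because the parser never complains about the unknown “Expire-index” line, a site owner gets no signal that the instruction is being ignored; that silent acceptance is exactly why the article notes that vendor-specific commands “are not universally observed” and why any new scheme depends on the crawlers agreeing to honor it.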

WORLD FACES “CYBER COLD WAR” THREAT (Reuters, 29 Nov 2007) - A “cyber cold war” waged over the world’s computers threatens to become one of the biggest threats to security in the next decade, according to a report published on Thursday. About 120 countries are developing ways to use the Internet as a weapon to target financial markets, government computer systems and utilities, Internet security company McAfee said in an annual report. Intelligence agencies already routinely test other states’ networks looking for weaknesses and their techniques are growing more sophisticated every year, it said. Governments must urgently shore up their defenses against industrial espionage and attacks on infrastructure. The report said China is at the forefront of the cyber war. It said China has been blamed for attacks in the United States, India and Germany. China has repeatedly denied such claims. The report was compiled with input from academics and officials from Britain’s Serious Organised Crime Agency, the U.S. Federal Bureau of Investigation and NATO. Cyber-attacks on private and government Web sites in Estonia in April and May this year were “just the tip of the iceberg,” the report warned. Estonia said thousands of sites were affected in attacks aimed at crippling infrastructure in a country heavily dependent on the Internet. The attacks appeared to have stemmed initially from Russia although the Kremlin denied any wrongdoing. “The complexity and coordination seen was new,” the report quoted an unnamed NATO source as saying. “There were a series of attacks with careful timing using different techniques and specific targets.” EU Information Society commissioner Viviane Reding said in June that what happened in Estonia was a wake-up call. NATO said “urgent work” was needed to improve defenses. The McAfee report predicted that future attacks would be even more sophisticated. “Attacks have progressed from initial curiosity probes to well-funded and well-organised operations for political, military, economic and technical espionage,” it said. Report at

-- and --

SHELL, ROLLS ROYCE REPORTEDLY HACKED BY CHINESE SPIES (InfoWorld, 3 Dec 2007) - Britain’s domestic intelligence agency is warning that cybercrime perpetrated by China is on the rise following hacking attacks against Rolls-Royce and Royal Dutch Shell. The agency, known as MI5, recently sent letters to some 300 banks, accounting and legal firms warning that “state organizations” of China were plying their networks for information, according to the Times of London on Monday. The U.K. government refused on Monday to confirm the letters. However, the reported correspondence comes just a month after the U.K.’s top domestic intelligence officer warned of “high levels” of covert activity by at least 20 foreign intelligence agencies, with Russia and China as the most active. “A number of countries continue to devote considerable time and energy trying to steal our sensitive technology on civilian and military projects, and trying to obtain political and economic intelligence at our expense,” said Jonathan Evans, director general of MI5, in Manchester, U.K., on Nov. 5. “They do not only use traditional methods to collect intelligence but increasingly deploy sophisticated technical attacks, using the Internet to penetrate computer networks,” he said. The Times, quoting an unnamed source, reported that Rolls-Royce’s network was infected with a Trojan horse program by Chinese hackers that sent information back to a remote server. Dutch Shell uncovered a Chinese spying ring in Houston, aimed at pilfering confidential pricing information for the oil giant’s operations in Africa, the paper said, citing “security sources.”

OREGON ‘GROUND ZERO’ IN RIAA BATTLE AGAINST FILE-SHARING (ABA Journal, 30 Nov 2007) - Oregon’s attorney general is going to bat, yet again, for university students being targeted by the U.S. recording industry. In filings this week, Attorney General Hardy Myers’ office said the Recording Industry Association of America’s litigation tactics may violate his state’s data-mining laws, Bloomberg News reports. And his office called for an investigation of the recording industry’s tactics. ComputerWorld dubbed Oregon “Ground Zero” in the battle between the RIAA and music pirates. The RIAA has issued subpoenas to the University of Oregon to reveal the identities of 17 students who are alleged to have violated copyright laws. They are among more than 20,000 individuals, mainly in academic circles, who have been targeted by the RIAA for copyright infringement since 2003. “The larger issue may not be whether students are sharing copyrighted music, but whether plaintiffs’ investigative techniques and litigation techniques are appropriate,” the AG’s filing in federal court in Eugene, Ore., said. The University of Oregon is the first school to file a motion to block the RIAA’s subpoena, according to Bloomberg. And this is the second time in a month that Myers has fought RIAA attempts to turn over the names of students. Bloomberg reports that the IP addresses of the Oregon students were obtained by investigators from MediaSentry, which is not licensed to engage in data-mining activities under Oregon law.

PROTECTION FOR “PERSONALLY IDENTIFIABLE INFORMATION” IN BANKRUPTCY SALES (Wiley Rein “Privacy in Focus”, December 2007) - The nature of online commerce requires the collection of information from individuals to identify the parties to individual transactions, transfer funds for payment, and ensure the delivery of the goods or services being acquired. Public concern about the potential for abuse of such information by online merchants gave rise to the development of so-called “privacy policies” that provide a measure of reassurance that information collected will be protected from unauthorized use and disclosure. Such concerns come to a head when a merchant that sells online files for bankruptcy protection and then determines to sell off assets that include personally identifiable information. [More, with analysis.]

ANALYSIS OF PRIVILEGE IN CORPORATE CONTEXT, WHERE LAWYERS AND NON-LAWYERS SHARE COMMUNICATIONS, ARE COPIED, ETC. (Freivogel on Conflicts, 1 Dec 2007) - In re Vioxx Prods. Liab. Litig., 501 F.Supp.2d 789 (E.D. La. 2007) (August 14, 2007). The opinion is an exhaustive review of corporate privilege involving the distribution of E-mails, E-mail attachments, and other documents among in-house lawyers where non-lawyers are involved, copied, etc. Rather than summarize the opinion, we will refer readers to the excellent summary prepared by Hogan & Hartson LLP in their November 2007 “Litigation Alert.” Anyone who cannot retrieve it from their Web site, and who wants a copy, should send an E-mail to, and we will send a PDF. Hogan & Hartson article at

WORLD ECONOMIC FORUM ANNOUNCES TECHNOLOGY PIONEERS 2008 (WEF, 2 Dec 2007) - World Economic Forum today announced 39 visionary companies selected as Technology Pioneers 2008. The companies’ products and services include identity management on the Internet, understanding of individuals’ genetic information, robotic radiosurgery, pollution control materials, low-cost remote diagnosis solutions, virtual interface technologies, wiki-based projects and next generation business intelligence solutions. Twenty-three of the Technology Pioneers 2008 are US-based companies. Israel and the United Kingdom each boast three; Sweden and Switzerland two each; Canada, France, Germany, India, the Netherlands and Russia, one each. Technology Pioneers are nominated in three main categories: Energy/Environment, Biotechnology/Health and Information Technology. List at

MORE STATE WEB SITES WILL SHOW UP IN SEARCHES WITH HELP FROM GOOGLE SOFTWARE (, 3 Dec 2007) - Googling something or someone? If the state of Florida has public records about your subject, they might show up in your search results. Many state agencies make numerous public records available online, but the information hasn’t been indexed by the search engines at Google Inc., Yahoo Inc. and Microsoft Corp., the three most popular. And that has made the data hard to find. If you want to know a school’s test scores, for example, you often have to know your state Department of Education’s Web address and then know how the agency stores and retrieves information. Under a new partnership announced Monday by Gov. Charlie Crist, Google Inc. is providing free consulting and software that help make more files recognizable to most search engines. Florida joins five other states - Arizona, California, Utah, Virginia and Michigan - already participating in Google’s effort. Google hopes to get local governments involved in the effort.

POLICE BLOTTER: VERIZON FORCED TO TURN OVER TEXT MESSAGES (CNET, 5 Dec 2007) - What: U.S. Department of Justice seeks archived SMS text messages from Verizon Wireless without obtaining a warrant first. When: District judge rules on October 30; magistrate judge completes review of archived text messages on Friday. Outcome: Prosecutors receive the complete contents of defendant’s text messages. What happened, according to court documents: It may not be that well known outside of police and telecommunications circles, but odds are excellent that your mobile phone provider saves copies of your SMS text messages. In a case that Police Blotter wrote about last year, federal police obtained logs of archived text messages from two unnamed wireless providers. In addition, a judge in the Kobe Bryant sex case ordered the phone provider to turn over archived messages. Text messages were also part of the trial involving the attempted murder of rapper 50 Cent.

NINTH CIRCUIT GIVES NEW HOPE TO PLAINTIFFS IN DATA BREACH CASES (Steptoe & Johnson’s E-Commerce Law Week, 6 Dec 2007) - Late last month, the Ninth Circuit ruled that circumstantial evidence of a causal connection between a data breach and subsequent identity theft can support a negligence claim against the organization that suffered the breach. The court’s unpublished opinion in Stollenwerk v. Tri-West Health Care Alliance overturned a lower court’s ruling that plaintiff Mark Brandt could not recover on a negligence claim stemming from six cases of identity theft that he allegedly suffered after his data was compromised by a theft of computer equipment from defendant Tri-West. The Ninth Circuit held that it is a “matter of common knowledge” that “the type of information contained on the … [stolen] hard drives [was] the same kind needed to open credit accounts at the firms where [the identity theft] took place.” The court also noted that the identity theft had begun just six weeks after the breach and that Brandt had allegedly handled his personal information with care and had never suffered identity fraud before the breach. On these facts, the court found that a reasonable jury could find a “causal relationship” between the breach and the identity theft, and so reversed the district court’s order of summary judgment for Tri-West. This ruling suggests that, even without evidence directly tying a data breach to subsequent incidents of identity theft, plaintiffs may be able to get to a jury in a suit against the organization that lost their data. Opinion at:

**** RESOURCES ****
INDEX OF DOJ LEGAL OPINIONS 1998-2007 POSTED ONLINE (BeSpacific, 2 Dec 2007) - The website has posted a complete index of DOJ Legal Counsel Opinions from 1998 through the present here:

“Amory Lovins - Energy Efficiency and Implementation.mp3” is the best podcast I’ve heard. There’s something here for everybody: engineers, policy makers, CEOs, parents, KM planners, internet-enabled business managers. Inter alia, every CEO/CFO of publicly traded companies will be well served by listening. I yearn for a simple, URL-like way to point people to podcasts; this one can be found on iTunes in “IT Conversations”, published by the Conversations Network. I’ve also uploaded a copy to my public folder at, where I’ll keep it for a few weeks. Please send along your own recommendations and I’ll include them in future MIRLN issues.

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. Edupage,
3. SANS Newsbites,
4. NewsScan and Innovation,
5. Internet Law & Policy Forum,
6. BNA’s Internet Law News,
7. Crypto-Gram,
8. McGuire Wood’s Technology & Business Articles of Note,
9. Steptoe & Johnson’s E-Commerce Law Week,
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
