Wednesday, January 23, 2008

MIRLN - Misc. IT Related Legal News [30 December - 19 January 2008; v11.01]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.abanet.org/dch/committee.cfm?com=CL320000 (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley (vpolley@REMOVETHISSTRINGvip-law.com) with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at www.vip-law.com and blogged at http://mirln.blogspot.com/.

**************End of Introductory Note***************

**** ALI-ABA PRIVACY LAW CLE ****
Join the Editor, and a terrific faculty, in Washington D.C. on March 13-14 for ALI-ABA’s premier CLE program on Privacy Law: Developments, Planning, and Litigation. Attorneys for modern companies now face a growing list of vexing privacy issues:
• How should clients operate in an environment with conflicting rules?
• What are the risks of non-compliance?
• What steps should clients take to monitor properly their service providers?
• Can clients comply with litigation discovery orders without running afoul of European privacy laws?
• What best practices apply to internal investigations and responses to government requests for personal information, when the relevant information may be located outside the US?

Information at www.ali-aba.org/CN090

**** MIRLN NEWS ****

WHY ‘ANONYMOUS’ DATA SOMETIMES ISN’T (Wired, Article by Bruce Schneier, December 2007) - Last year, Netflix published 10 million movie rankings by 500,000 customers, as part of a challenge for people to come up with better recommendation systems than the one the company was using. The data was anonymized by removing personal details and replacing names with random numbers, to protect the privacy of the recommenders. Arvind Narayanan and Vitaly Shmatikov, researchers at the University of Texas at Austin, de-anonymized some of the Netflix data by comparing rankings and timestamps with public information in the Internet Movie Database, or IMDb. Their research (.pdf) illustrates some inherent security problems with anonymous data, but first it’s important to explain what they did and did not do. [Editor: Quite interesting.] http://www.wired.com/politics/security/commentary/securitymatters/2007/12/securitymatters_1213

EGYPT ‘TO COPYRIGHT ANTIQUITIES’ (BBC, 25 Dec 2007) - Egypt’s MPs are expected to pass a law requiring royalties be paid whenever copies are made of museum pieces or ancient monuments such as the pyramids. Zahi Hawass, who chairs Egypt’s Supreme Council of Antiquities, told the BBC the law would apply in all countries. The money was needed to maintain thousands of pharaonic sites, he said. Correspondents say the law will deal a blow to themed resorts across the world where large-scale copies of Egyptian artefacts are a crowd-puller. Mr Hawass said the law would apply to full-scale replicas of any object in any museum in Egypt. “Commercial use” of ancient monuments like the pyramids or the sphinx would also be controlled, he said. “Even if it is for private use, they must have permission from the Egyptian government,” he added. But he said the law would not stop local and international artists reproducing monuments as long as they were not exact replicas. http://news.bbc.co.uk/2/hi/middle_east/7160057.stm

STUDY: YOUNG ADULTS HEAVY LIBRARY USERS (AP, 30 Dec 2007) - Young adults are the heaviest users of public libraries despite the ease with which they can access a wealth of information over the Internet from the comforts of their homes, according to a new study. That’s especially true for those who had questions related to health conditions, job training, government benefits and other problems. Twenty-one percent of Americans age 18-30 with such questions have turned to public libraries, compared with about 12 percent among the general adult population with problems to solve. Education-related tasks — making decisions about schooling, paying for it and getting job training — are the most common problems drawing people to libraries, according to a joint study from the Pew Internet and American Life Project and the University of Illinois at Urbana-Champaign. And people are going to libraries not only for the Internet computers there but also for library reference books, newspapers and magazines. “The age of books isn’t yet over,” said Lee Rainie, Pew’s director. The study found that library usage drops gradually as people age — 62 percent among those 18-30 compared with 32 percent among those 72 and up, with a sharp decline just as Americans turn 50. “It was truly surprising in this survey to find the youngest adults are the heaviest library users,” Rainie said. “The notion has taken hold in our culture that these wired-up, heavily gadgeted young folks are swimming in a sea of information and don’t need to go to places where information is.” http://news.yahoo.com/s/ap/20071230/ap_on_hi_te/internet_libraries_1;_ylt=Aui2X8q88sER6R2WHhCI7CcE1vAI

SECURITY DOMINATES 2008 IT AGENDA (Network World, 2 Jan 2008) - Will 2008 see the first serious security exploit in corporate VoIP networks? Or will network security breakdowns cast a pall on the upcoming presidential elections and Olympic games? Will users’ Web 2.0 forays open the malware floodgates? Experts say security concerns will dominate the network landscape in 2008 whether we like it or not. But it won’t be all gloom and doom. Faster wireless LANs are on the way, enterprise-class open source applications are multiplying, and Google is continuing to muscle its way into new markets - raising the bar for competitors along the way. Two high-profile events - the 2008 Olympics in China and the U.S. presidential elections - will trigger a stream of exploits, security experts warn. Olympics-related Web sites and networks are potential places to infect people, says Dan Hubbard, vice president of security research at Websense. “The 2008 Olympics will be used as a lure for fraud, too. Massive amounts on an international scale,” Hubbard says. Also on tap for 2008 are Storm-like botnets with decentralized command-and-control structures that make them much tougher to shut down, says Craig Schmugar, researcher at McAfee. “Storm is a trend setter,” Schmugar says of the infamous botnet that traces back to a network attack launched one year ago. “A lot of the spam we see is coming across Storm-compromised machines.” McAfee also is expecting a wave of malware parasitics, which look for specific files and embed themselves. To combat infection by parasitics, “you have to isolate the parasitic code within the host code,” Schmugar notes. “If it overwrites the good code, you may never get it back.” One security threat that may not materialize in 2008 is exploits against VoIP systems. It’s not that the danger isn’t real - it is. VoIP is susceptible to the many exploits that networks in general are heir to, including denial-of-service attacks and buffer overflows. 
In addition, there are many voice-specific attacks and threats. For instance, two protocols widely used in VoIP - H.323 and IAX - have been shown to be vulnerable to sniffing during authentication, which can reveal passwords that can later be used to compromise a voice network. Implementations of SIP, an alternative VoIP protocol, can leave VoIP networks open to unauthorized transport of data. Continued… http://www.networkworld.com/news/2008/010208-crystal-ball-main.html

SEARS ADMITS TO JOINING SPYWARE BIZ (The Register, 3 Jan 2008) - A Harvard researcher has accused one of America’s biggest retailers of sneaking privacy-stealing spyware from ComScore onto customers’ machines. Sears Holding Corporation, owner of Sears, Roebuck and Co. and Kmart, makes the pitch in an email sent to people shortly after they provide their address at Sears.com. Clicking the “Join” button invokes a dialog that requests the person’s name, address and household size before installing ComScore spyware that monitors every site visited on the computer. Sears’ leap into the spyware business was first documented (http://community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx) by Computer Associates researcher Benjamin Googins, who determined the notice to end users was inadequate. Yesterday, Harvard researcher Ben Edelman weighed in (http://www.benedelman.org/news/010108-1.html) and came to largely the same conclusion. It’s not that Sears fails to notify users it intends to spy on them. Indeed, the email sent to users states that the application “monitors all of the internet behavior that occurs on the computer on which you install the application, including...filling a shopping basket, completing an application form, or checking your...personal financial or health information.” The rub is that this unusually frank warning comes on page 10 of a 54-page privacy statement that is 2,971 words long. Edelman, who is a frequent critic of spyware companies, said the Sears document fails to meet standards established by the Federal Trade Commission when it settled with Direct Revenue and Zango over the lack of disclosure about the extent of their snoopware. http://www.theregister.co.uk/2008/01/03/sears_snoopware_disclosure/print.html

AL-QAEDA OFFERS CELLPHONE VIDEO DOWNLOADS (USA Today, 5 Jan 2008) - Video messages of al-Qaeda leaders Osama bin Laden and Ayman al-Zawahri can now be downloaded to cellphones, the terror network announced as part of its attempts to extend its influence. The announcement was posted late Friday by al-Qaeda’s media wing, al-Sahab, on websites commonly used by Islamic militants. As of Saturday, eight previously recorded videos were made available including a recent tribute to Abu Musab al-Zarqawi, the former al-Qaeda in Iraq leader killed by U.S. forces in Iraq in June 2006. http://www.usatoday.com/tech/wireless/phones/2008-01-05-alqaeda_N.htm?csp=34

SULLIVAN & CROMWELL SUIT AGAINST VENDOR HIGHLIGHTS PROBLEMS WITH E-DISCOVERY (Law.com, 7 Jan 2008) - Sullivan & Cromwell has sued an electronic discovery company for allegedly missing deadlines and preparing the wrong documents for production in the course of a major litigation. In a complaint filed Dec. 28, 2007, in the Southern District of New York, Sullivan & Cromwell said, “untimely and inaccurate” work by Electronic Evidence Discovery Inc. (EED) hindered the law firm’s staffing arrangements and caused it to expend extra resources on discovery. The firm asked for a ruling that EED was not entitled to collect $710,000 in outstanding bills. One of the larger electronic discovery outfits, EED said it has worked on more than 1,300 cases with most of the nation’s top corporations and law firms. Founded in 1997, it has been owned since 2005 by private equity group Welsh, Carson, Anderson & Stowe. Lawyers specializing in electronic discovery said Friday they believed Sullivan & Cromwell’s suit was the first of its kind but that such a dispute had long been anticipated. These concerns have made electronic discovery services a growth industry, with dozens of companies vying for business. But, as the Sullivan & Cromwell suit suggests, vendors can become problems themselves. In its complaint, Sullivan & Cromwell said it interviewed a number of vendors before choosing EED in August 2006 to work on an unnamed litigation. Services performed by EED included loading electronic data and documents supplied by Sullivan & Cromwell’s client into an online database where the law firm’s lawyers could review them to determine which documents were responsive to discovery requests. EED was also tasked with preparing media, including CDs, DVDs and hard drives, containing documents for production to opposing counsel. 
According to Sullivan & Cromwell, EED consistently failed to meet deadlines for either loading documents into the database or preparing them for production, often telling the lawyers only at the last minute that documents would be delayed. The firm claims EED consistently failed to provide updates about these delays and about server failures that prevented any documents from being loaded a week before a discovery deadline. Sullivan & Cromwell further claims the media EED prepared for production were rife with errors, often including documents that lawyers had specifically flagged as nonresponsive or requiring an extra level of review. The firm claims it requested corrected replacement media from EED, only to find the mistakes repeated. EED also allegedly failed to provide an accurate list of the Bates numbers used to identify discovery documents. Sullivan & Cromwell claims it was forced to divert resources from other projects to generate an accurate list. The complaint does not state whether EED’s alleged mistakes had any impact on the underlying litigation. Sullivan & Cromwell partner Stephanie G. Wheeler, who is handling the case against EED with David B. Tulchin, declined to comment Friday. http://www.law.com/jsp/article.jsp?id=1199441137204&rss=newswire

NLRB RULES ON EMPLOYEE USE OF COMPANY EMAIL FOR UNION PURPOSES (Faegre & Benson’s John Polley [yes, he’s my brother], 8 Jan 2008) - Ever since the advent of email in the workplace, employers have sought guidance about whether they may lawfully prohibit employees from using company email systems to solicit other employees to support a union. However, since most employers permit employees to use company email for at least some personal communications, the concern has been that prohibiting employee use of email for union solicitations would run afoul of nondiscrimination rules under the National Labor Relations Act. In Guard Publishing Company, 351 NLRB No. 70 (December 16, 2007), the National Labor Relations Board finally addressed these issues. In Guard Publishing Company, the NLRB held that an employer may prohibit employees from using a company-owned email system to solicit for “non-job-related reasons,” even if the employer had allowed employees to use the email system for various personal reasons such as giving away tickets or announcing the birth of a child. However, Guard Publishing, a 3-2 decision, was sharply divided along party lines, and the terms of office of two of the Board members in the majority (and one in the dissent) expired within days of the decision. Therefore, there is some real doubt about whether this decision will remain law when a new, full Board is constituted. There is also some doubt about whether portions of this decision will survive on appeal. http://www.faegre.com/articles/article_2391.aspx

OPEN SOURCE CODE CONTAINS SECURITY HOLES (Information Week, 8 Jan 2008) - Open source code, much like its commercial counterpart, tends to contain one security exposure for every 1,000 lines of code, according to a program launched by the Department of Homeland Security to review and tighten up open source code’s security. Popular open source projects, such as Samba, the PHP, Perl, and Tcl dynamic languages used to bind together elements of Web sites, and Amanda, the popular open source backup and recovery software running on half a million servers, were all found to have dozens or hundreds of security exposures and quality defects. A total of 7,826 open source project defects have been fixed through the Homeland Security review, or one every two hours since it was launched in 2006, according to David Maxwell, open source strategist for Coverity, maker of the source code checking system, the Prevent Software Quality System, that’s being used in the review. At the same time, projects like Samba have been adept at correcting the vulnerabilities, once they were identified. Samba was found to have a total of 236 defects, a far lower rate than average for 450,000 lines of code. Of the 236 defects, 228 have been corrected, said Maxwell in an interview. Linux came in with far fewer defects than average as did a number of other open source projects. The version 2.6 of the Linux kernel had a security bug rate of .127 per thousand lines of code. The kernel scan covered 3,639,322 lines of code. As exposures were identified by repeated scans, 452 defects have been fixed by kernel developers; 48 have been verified but not yet fixed; another 413 remain to be verified and fixed, according to code scanning results posted on the Coverity Web site. FreeBSD, sometimes posed as an alternative to Linux, has been slower to respond to the Coverity scans. In 1,582,166 lines of code, it has fixed zero defects, verified six and has another 605 to go. 
The Apache Web server includes 135,916 lines of code, which yielded a security defect rate of .14 bugs per thousand lines of code. Three have been fixed; seven have been verified but not fixed; 12 remain to be verified and fixed. http://www.informationweek.com/story/showArticle.jhtml?articleID=205600229&cid=RSSfeed_IWK_News

CT SAYS SEARCHING COMPUTER IN P2P INVESTIGATION NOT TRESPASS (BNA’s Internet Law News, 10 Jan 2008) - BNA’s Electronic Commerce & Law Report reports that a federal court in California has ruled that an online investigation company that obtained peer-to-peer file sharing data allegedly showing that an individual infringed a record company’s copyrights by sharing copyrighted music did not commit trespass to chattels. The court said that trespass to chattels occurs when an intentional interference with the possession of personal property has proximately caused injury, but that it does not apply to electronic communications that neither damage a recipient’s computer nor impair its functioning. Case name is Atl. Recording Corp. v. Serrano.

ELEVENTH CIRCUIT FINDS NO REASONABLE EXPECTATION OF PRIVACY IN PERSONAL COMPUTER CONNECTED TO WORKPLACE NETWORK (Steptoe & Johnson’s E-Commerce Law Week, 10 Jan 2008) - A bungled attempt to keep files on a personal computer connected to a workplace network private cannot protect the files from government snooping. This is the upshot of United States v. King, in which the Eleventh Circuit held that civilian contractor Michael King’s attempt to configure his laptop computer to bar access by co-workers did not create a reasonable expectation of privacy in the contents of the computer, since his settings allowed access by all individuals on the air base where he was working. The court therefore refused to suppress evidence of child pornography gathered during a search of these files. This ruling suggests that where employees have made files on their own computers available to a large number of their co-workers - even if unintentionally - they may not have a reasonable expectation of privacy against the government. http://www.steptoe.com/publications-5083.html

ICANN FINALLY REALIZES DOMAIN TASTING IS A PROBLEM, MIGHT FIX IT SOMETIME THIS DECADE (TechDirt, 10 Jan 2008) - The practice of “domain tasting” (or “domain kiting” as it used to be called) has been a well-known problem for at least two years now. Since domain name registrars offer a five day grace period whereby you can buy a domain and return it saying you made a “mistake,” scammers have been buying up every domain name imaginable, throwing ads up on the site for five days, seeing what kind of return it gets, and then tossing it back (without ever paying for it). In some cases, scammers have set up multiple shell corporations to keep renewing those names for 5 days at a time indefinitely, without ever having to pay a dime. When we first wrote about it in May of 2006, the estimate was that over 90% of new domain registrations were of this nature (though, some question that number). Either way, it’s clearly a big issue. Yet, it’s taken nearly two years just to get ICANN to acknowledge it’s a problem. On top of that, they’re merely discussing the problem, and may not take any action towards dealing with it for some time. As per usual with ICANN, expect lots of talk and little useful action. In related scammy domain name news, apparently the very first domain name registrar, Network Solutions, has joined the ranks of scammy registrar sites that reveal the names you’re searching to scammers who register them quickly. http://techdirt.com/articles/20080109/153405.shtml Related story here: http://online.wsj.com/article/SB120035979165090009.html

GERMAN COMPANIES ARE MISUSING CUSTOMER DATA FOR TEST PURPOSES (Heise Online, 10 Jan 2008) - Research by the Ponemon Institute has revealed that more than three quarters of German companies are using confidential customer data in their software development or application testing. They view these files as an easy and cheap source of data for their software tests. Germany thus brings up the rear in the Institute’s international comparison. Live data is used much less frequently in other countries: USA (69 percent), United Kingdom (58 percent) and France (43 percent). Many companies clearly assume that there are no security risks involved in using the test data, since it is not being used in a live scenario. However, even when it is only being used for test purposes, there is still a risk of unauthorized persons gaining access to the data. The study views as a cause of concern the fact that 60 percent of companies who outsource their application testing share confidential data with their outsourcing partners. Examples of live data used include customer information, credit card numbers, social security details, payment information and employee and supplier data. Many companies have no clear policy on who is accountable for the security of confidential test data. The report found that 20 percent of companies do not even know who is responsible. 2,368 IT professionals from Germany (502 respondents), the USA, the United Kingdom and France took part in the study entitled “Test data insecurity: the unseen crisis”. The study was commissioned by Compuware, who will be making it available to the public from 31 January. http://www.heise.de/english/newsticker/news/101593

STEAL THIS WI-FI (Wired, Article by Bruce Schneier, 10 Jan 2008) - Whenever I talk or write about my own security setup, the one thing that surprises people - and attracts the most criticism - is the fact that I run an open wireless network at home. There’s no password. There’s no encryption. Anyone with wireless capability who can see my network can use it to access the internet. To me, it’s basic politeness. Providing internet access to guests is kind of like providing heat and electricity, or a hot cup of tea. But to some observers, it’s both wrong and dangerous. [Editor: There’s more and it’s interesting.] http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0110

WHITE HOUSE TO RELEASE FIRST E-BUDGET (New York Times, 11 Jan 2008) - Forget all the red ink in the federal budget. The White House is going green on this year’s budget. In a move that the White House Office of Management and Budget (OMB) says will save roughly 20 tons of paper, or about 480 trees, the Bush administration will release the government’s first-ever paperless budget on Feb. 4. The plan to issue a so-called e-budget means that the White House won’t order any hard-copy versions of the budget for the government’s 2009 fiscal year, which starts in October. Instead, the OMB will post a fully downloadable and searchable electronic copy on its Web site and make the document accessible to anyone who wants to read it, according to a statement by OMB Director Jim Nussle that was released Wednesday. http://www.nytimes.com/idg/IDG_002570DE00740E18002573CC0081D533.html?ex=1357794000&en=bd62c893020f4ba8&ei=5089&partner=rssyahoo&emc=rss [Editor: in the context of government transparency, see the “Noted Podcast” below.]

WHITE HOUSE SAYS IT ROUTINELY OVERWROTE E-MAIL TAPES FROM 2001 TO 2003 (Washington Post, 17 Jan 2008) - E-mail messages sent and received by White House personnel during the first three years of the Bush administration were routinely recorded on tapes that were “recycled,” the White House’s chief information officer said in a court filing this week. During the period in question, the Bush presidency faced some of its biggest controversies, including the Iraq war, the leak of former CIA officer Valerie Plame Wilson’s name and the CIA’s destruction of interrogation videotapes. White House spokesman Tony Fratto said he has no reason to believe any e-mails were deliberately destroyed. From 2001 to October 2003, the White House’s practice was to use the same backup tape each day to copy new as well as old e-mails, he said, making it possible that some of those e-mails could still be recovered even from a tape that was repeatedly overwritten. “We are continuing to analyze our systems,” Fratto said last night. The court filing said tapes were recycled before October 2003, and at that point, the White House “began preserving and storing all backup tapes.” Two federal statutes require presidential communications, including e-mails involving senior White House aides, to be preserved for the nation’s historical record, and some historians responded to the court disclosure yesterday by urging that the White House’s actions be thoroughly probed. http://www.washingtonpost.com/wp-dyn/content/article/2008/01/16/AR2008011602202.html?wpisrc=rss_technology

IP ADDRESSES ARE PERSONAL DATA, E.U. REGULATOR SAYS (Washington Post, 22 Jan 2008) - IP addresses, strings of numbers that identify computers on the Internet, should generally be regarded as personal information, the head of the European Union’s group of data privacy regulators said Monday. Germany’s data-protection commissioner, Peter Schaar, leads the E.U. group, which is preparing a report on how well the privacy policies of Internet search engines operated by Google, Yahoo, Microsoft and others comply with E.U. privacy law. Schaar told a European Parliament hearing on online data protection that when someone is identified by an IP, or Internet protocol, address, “then it has to be regarded as personal data.” His view differs from that of Google, which insists an IP address merely identifies the location of a computer, not who the individual user is. That is true but does not take into consideration that many people regularly use the same computer and IP address. Schaar acknowledged that IP addresses for a computer may not always be personal or linked to an individual. For example, some computers in Internet cafes or offices are used by several people. These exceptions have not stopped the emergence of a host of “whois” Internet sites, which allow users to type in an IP address and will then generate a name for the person or company linked to it. Treating IP addresses as personal information would have implications for how search engines record data. Google was the first last year to cut the time it stored search information to 18 months. It also reduced the time limit on the cookies that collect information on how people use the Internet from a default of 30 years to an automatic expiration in two years.
A privacy advocate at the nonprofit Electronic Privacy Information Center said it was “absurd” for Google to claim that stripping out the last two figures from the stored IP address made the address impossible to identify by making it one of 256 possible configurations. “It’s one of the things that make computer people giggle,” the center’s executive director, Marc Rotenberg, said. “The more the companies know about you, the more commercial value is obtained.” Google’s global privacy counsel, Peter Fleischer, said Google collects IP addresses to give customers a more accurate service because it knows what part of the world a search result comes from and what language is used - and that was not enough to identify an individual user. http://www.washingtonpost.com/wp-dyn/content/article/2008/01/21/AR2008012101340_pf.html

CYBER ESPIONAGE: A GROWING THREAT TO BUSINESS (PC World, 21 Jan 2008) - Cyber espionage is getting renewed attention as fresh evidence emerges of online break-ins at U.S. research labs and targeted phishing against corporations and government agencies here and abroad. It’s no wonder that research firm SANS Institute has ranked cyber espionage No. 3 on its “Top Ten Cyber Menaces for 2008,” just behind Web site attacks exploiting browser vulnerabilities and botnets such as the infamous Storm. Alan Paller, director of research at SANS Institute, adds that people should be aware that an “extraordinary treasure chest of information has been stolen,” and “the same people doing the military espionage are engaged in economic espionage using the same or very similar techniques to steal information from organizations that are working on business ventures in the attackers’ country.” He offered no estimate as to how much cyber espionage is costing organizations. Separately, the U.S. Department of Energy’s Oak Ridge National Laboratory (ORNL) last month acknowledged that about a dozen staff members fell for phony e-mail urging them to go to phishing sites or open attachments with malware. Hackers not only infiltrated the ORNL network, accessing some nonclassified databases, but director Thom Mason told employees (via an e-mail message, ironically enough) it was all part of a “sophisticated cyber attack that now appears to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country.” In Great Britain, too, the threat of cyber espionage is being raised by the British Security Service MI5, which has warned hundreds of banks and legal firms there that they are under electronic espionage attack by Chinese state organizations - a claim angrily refuted by China, which says it’s under attack itself by hackers. 
The possibility that online espionage might occur is a concern for those who outsource IT functions as well. Tim Mather, chief security strategist for the RSA Conference Advisory Board, says worries over online espionage may be overblown. But he does believe that open source intelligence gathering is big, with companies as diverse as Aegis Defence Services and Concentric Solutions International available for hire to scour every nook and cranny of the online world for desired information. http://www.pcworld.com/businesscenter/article/141474/cyber_espionage_a_growing_threat_to_business.html

LEGAL OUTSOURCING TO INDIA IS GROWING, BUT STILL CONFRONTS FUNDAMENTAL ISSUES (Law.com, 23 Jan 2008) - Outsourcing legal work to India is no longer a novelty. It’s a reality. At least that is the message of legal process outsourcing (LPO) companies participating in their first major industry summit, held last week in New York. Buoyed by Forrester Research projections that $4 billion in legal work may head to India by 2015, a growing number of companies are angling for a piece of the action. But despite the hoopla, industry leaders acknowledge legal outsourcing remains very much in its infancy, with fundamental choices still being made about how to market the services of Indian lawyers. Is it just about cost? Or can Indian lawyers actually do many things better than their American counterparts? Should outsourcing firms seek to wholly supplant other service providers or cooperate with them? Cost certainly first sparks customers’ interest in the Indian option, said David Perla, co-founder of New York-based Pangea3, probably the largest LPO company with 240 lawyers in three Mumbai offices. Perla, the former general counsel of job search Web site Monster, noted that legal departments in companies already outsourcing other functions to India face particular pressure to look at similar cost-saving measures. The good experiences that some clients have had with legal outsourcing has led to many other companies being receptive to the idea, said Perla. He declined to name any clients but said they included some of the 10 largest companies in the Fortune 500. “The resistance level has gone way down,” he said. http://www.law.com/jsp/article.jsp?id=1200996336809&rss=newswire

**** NOTED PODCASTS ****
“The Politics of Telecom, Media, and Technology” (9 Oct 2007, by Drew Clark of the Center for Public Integrity; given at Harvard’s Berkman Center). This is a discussion of the Well-Connected Project, a web-based tool for aggregating and analyzing lobbying activity in the telecom arena. Beginning with a fascinating demonstration of the Media Tracker tool, the discussion implicates the coming web-enabled transparency in US telecom policy-making, and also illustrates grassroots engagement (e.g., through broadband speed testing). There’s interesting discussion of state initiatives (e.g., Connect Kentucky) and international possibilities (e.g., re IP policy-making in Geneva and telecom policy-making in Africa). Rated: 4-out-of-5 stars. Podcast at: http://blogs.law.harvard.edu/mediaberkman/2007/10/09/drew-clark-on-the-politics-of-telecom-media-and-technology/; Media-Tracker tool at: http://www.publicintegrity.org/telecom/

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. Internet Law & Policy Forum, http://www.ilpf.org.
6. BNA’s Internet Law News, http://ecommercecenter.bna.com.
7. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
8. McGuireWoods’ Technology & Business Articles of Note, http://tinyurl.com/ywsusp.
9. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com.
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.