Saturday, February 16, 2008

MIRLN - Misc. IT Related Legal News [23 January - 16 February 2008; v11.02]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley ( with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at and blogged at

**************End of Introductory Note***************

Join the Editor, and a terrific faculty, in Washington D.C. on March 13-14 for ALI-ABA’s premier CLE program on Privacy Law: Developments, Planning, and Litigation. Attorneys for modern companies now face a growing list of vexing privacy issues:
• How should clients operate in an environment with conflicting rules? 

• What are the risks of non-compliance? 

• What steps should clients take to monitor properly their service providers? 

• Can clients comply with litigation discovery orders without running afoul of European privacy laws? 

• What best practices apply to internal investigations and responses to government requests for personal information, when the relevant information may be located outside the US? Information at

**** MIRLN NEWS ****

THE TOP EIGHT EVENTS THAT CHANGED THE COURSE OF COMPUTER SECURITY HISTORY (AND TWO THAT DIDN’T) (CSO Online, January 2008) - Given the headlines lately, you could be forgiven for thinking that the biggest, baddest events in the history of computer security have all happened within the last few years. After all, there have been so many hacks disclosed that Stephen Northcutt of SANS recently observed, “The way we are going, there are only going to be a couple hundred people of any significant net worth in the United States that have not had their details lost in a privacy breach - and they are going to prove to be so ultra paranoid they never borrowed money or had a credit card.” In reality, the history of the most significant hacks, malware and other security bungles stretches back a lot further than the oft-cited chronology of breaches compiled by the Privacy Rights Clearinghouse. That’s why we’ve put together this list of the worst, but most important, moments in computer security - a sort of cynics’ guide through the history of information security. Some of the items on the list were chosen because of their legislative impact or technical sophistication. Others were picked as a result of the media attention they received, and still others because of the focus they brought to important security issues.

SETTING BOUNDARIES AT BORDERS: RECONCILING LAPTOP SEARCHES AND PRIVACY (IEEE, January 2008) - If you’ve traveled internationally on business, the odds are that you’ve taken your laptop with you. Like most business travelers, you need these ubiquitous devices to do work, make presentations, and communicate with coworkers, family, and friends via the Internet. In a previous department, we explored the notion that laptops deserve special consideration because of the increasingly blurred line between home and office, the entrusting of intimate, private information to storage on laptops, and the resulting need to rethink the rules surrounding reasonable expectations of privacy. This time, we examine the nexus between laptops, a government’s search and seizure powers, and a traveler’s transit through an international border checkpoint where customs officials have enhanced powers to search travelers and their belongings. This collision of interests between a person’s right to be secure from unreasonable searches and seizures and a government’s obligation to protect its borders from the smuggling of illicit materials and other informational contraband via laptops and other storage devices has recently become ripe for decision by courts that must answer three questions: * How should the law treat a laptop when the government wants to search and seize its contents? * How should that treatment change when a traveler brings the laptop into a border checkpoint? * What deference, if any, should the courts give to privacy interests at border checkpoints? This last question is particularly vexing in light of the increasing probability that, in the absence of a well-founded, particularized suspicion, most travelers’ laptops will carry personal or commercially sensitive information, and few will be used to smuggle dangerous contraband.

- and -

SMARTPHONES, SEAT BELTS, SEARCHES, AND THE FOURTH AMENDMENT (ArsTechnica, 24 Jan 2008) - When Steve Jobs introduced the iPhone as a “revolutionary” device, he probably wasn’t thinking of its effect on the Fourth Amendment. But a new paper by Adam Gershowitz, a professor at the South Texas College of Law, argues that unless courts or legislators make significant changes to the rules governing law enforcement searches, the increasing ubiquity of devices like Apple’s übergadget will permit police to routinely gather massive amounts of citizens’ sensitive personal data without a warrant. The Fourth Amendment guarantees that Americans will not be subject to “unreasonable searches and seizures.” Normally, this means police must show a judge that there is “probable cause” to believe a search will uncover evidence of a crime before tapping our phones or digging through our papers. But the courts have always recognized a variety of special circumstances under which a search may be reasonable even without a court warrant. One important such exception is for “search incident to arrest.” This allows police to search the person and immediate vicinity of anyone being placed under arrest, to ensure that the arrestee can’t destroy evidence or pull a concealed weapon. The problem with this, argues Gershowitz, is that with the proliferation of iPhone-like devices, the officer digging through your coat pocket suddenly has access to gigabytes worth of potentially sensitive e-mail, videos, photographs, browsing histories, and other documents. If you’re in the habit of keeping your passwords saved, they may even be able to reach bank statements, file servers, and that Nerve Personals account you opened “just for fun.” Though the underlying rationale for searches incident to arrest is officer safety, courts have adopted a “bright line” rule permitting an arresting officer to search any object in a suspect’s possession, such as a cigarette pack, even if it is unlikely to conceal a miniature Glock. And since the Supreme Court has ruled that police have broad authority to arrest people for even trivial infractions, such as failure to wear a seat belt, the current rule gives law enforcement officers broad discretion to transform a routine traffic stop into a highly intrusive excavation of your digital life.

- and -

CLARITY SOUGHT ON ELECTRONICS SEARCHES (Washington Post, 7 Feb 2008) - Nabila Mango, a therapist and a U.S. citizen who has lived in the country since 1965, had just flown in from Jordan last December when, she said, she was detained at customs and her cellphone was taken from her purse. Her daughter, waiting outside San Francisco International Airport, tried repeatedly to call her during the hour and a half she was questioned. But after her phone was returned, Mango saw that records of her daughter’s calls had been erased. A few months earlier in the same airport, a tech engineer returning from a business trip to London objected when a federal agent asked him to type his password into his laptop computer. “This laptop doesn’t belong to me,” he remembers protesting. “It belongs to my company.” Eventually, he agreed to log on and stood by as the officer copied the Web sites he had visited, said the engineer, a U.S. citizen who spoke on the condition of anonymity for fear of calling attention to himself. Maria Udy, a marketing executive with a global travel management firm in Bethesda, said her company laptop was seized by a federal agent as she was flying from Dulles International Airport to London in December 2006. Udy, a British citizen, said the agent told her he had “a security concern” with her. “I was basically given the option of handing over my laptop or not getting on that flight,” she said. The seizure of electronics at U.S. borders has prompted protests from travelers who say they now weigh the risk of traveling with sensitive or personal information on their laptops, cameras or cellphones. In some cases, companies have altered their policies to require employees to safeguard corporate secrets by clearing laptop hard drives before international travel. 
Today, the Electronic Frontier Foundation and Asian Law Caucus, two civil liberties groups in San Francisco, plan to file a lawsuit to force the government to disclose its policies on border searches, including which rules govern the seizing and copying of the contents of electronic devices. They also want to know the boundaries for asking travelers about their political views, religious practices and other activities potentially protected by the First Amendment. The question of whether border agents have a right to search electronic devices at all without suspicion of a crime is already under review in the federal courts. EFF lawsuit here: . See also Bruce Schneier’s blog at

PARTNER OFFERS $10K BOUNTY FOR BLOGGER’S IDENTITY (ABA Journal, 22 Jan 2008) - A Chicago lawyer who is being criticized, along with his law firm, in an anonymous Internet blog supposedly authored by a fellow attorney has offered a $10,000 reward to anyone who can provide him with the identity of “Troll Tracker.” The anonymous blogger, who claims to be “just a lawyer; interested in patent cases but not interested in publicity,” has criticized Raymond Niro and his 30-lawyer IP boutique, Niro Scavone Haller & Niro, for representing clients who own patents but don’t necessarily make products. Instead, the firm earns licensing fees from users of the patented technology—and potentially sues users if they don’t pay up, explains the Chicago Tribune. Although Troll Tracker claims a First Amendment right to criticize the firm anonymously on the blog, Niro says the blogger should take responsibility for his or her views. Plus, he points out, knowing the identity and affiliations of the blogger likely would affect the way that readers perceive the Troll Tracker’s critique. “I want to find out who this person is,” says Niro, who initially offered a $5,000 reward in last month’s issue of the IP Law & Business trade magazine, and has since upped the ante to $10,000. “Is he an employee with Intel or Microsoft? Does he have a connection with serial infringers? I think that would color what he has to say.”

MPAA REVISES FIGURES ON HOW MUCH COLLEGE STUDENTS COST MOVIE BUSINESS (, 22 Jan 2008) - Hollywood laid much of the blame for illegal movie downloading on college students. Now, it says its math was wrong. In a 2005 study it commissioned, the Motion Picture Association of America claimed that 44 percent of the industry’s domestic losses came from illegal downloading of movies by college students, who often have access to high-bandwidth networks on campus. The MPAA has used the study to pressure colleges to take tougher steps to prevent illegal file-sharing and to back legislation currently before the House of Representatives that would force them to do so. But now the MPAA, which represents the U.S. motion picture industry, has told education groups a “human error” in that survey caused it to get the number wrong. It now blames college students for about 15 percent of revenue loss. The MPAA says that’s still significant, and justifies a major effort by colleges and universities to crack down on illegal file-sharing. But Mark Luker, vice president of campus IT group Educause, says it doesn’t account for the fact that more than 80 percent of college students live off campus and aren’t necessarily using college networks. He says 3 percent is a more reasonable estimate for the percentage of revenue that might be at stake on campus networks.

- and -

DIGITAL MUSIC SALES UP 40 PERCENT, BUT CAN’T OFFSET CD DECLINE (, 24 Jan 2008) - Record companies’ revenue from digital music sales rose 40 percent to $2.9 billion over the past year, but the growth is still failing to cover losses from collapse of international CD sales, the music industry’s global trade body said Thursday. The International Federation of the Phonographic Industry, or IFPI, said the increase in legitimate music sales did not come close to offsetting the billions of dollars being lost to music piracy, with illegal downloads outnumbering the number of tracks sold by a factor of 20-to-1.

PROFESSOR USES BLOG TO GET PEER REVIEW OF ACADEMIC BOOK (Computerworld, 23 Jan 2008) - A professor working on a book about digital fiction and video games has launched what some are calling the first blog-based peer-review process for an academic book. Noah Wardrip-Fruin, an assistant professor of communication at the University of California San Diego, on Tuesday announced plans to post portions of his forthcoming book, Expressive Processing, on the Grand Text Auto blog for the next 10 weeks to seek peer review. The book is to be published by MIT Press. “Given that ours is a field in which major expertise is located outside the academy (like many other fields, from 1950s cinema to Civil War history), the Grand Text Auto community has been invaluable for my work,” Wardrip-Fruin wrote in a blog post. “In fact, while writing the manuscript for Expressive Processing, I found myself regularly citing blog posts and comments, both from Grand Text Auto and elsewhere. Now I’m excited to take the blog/manuscript relationship to the next level, through an open peer review of the manuscript on the blog.” Wardrip-Fruin, a regular author at Grand Text Auto, asked his blog’s readers to “please let me know if I get anything wrong. The project is very interdisciplinary, and I know some of you are experts in areas where I’m still learning. More generally, please let me know what you think of the arguments.” Wardrip-Fruin said he worked with The Institute for the Future of the Book to develop a version of its CommentPress software. CommentPress allows comments to be added to paragraphs in the margins of the text. 
Ben Vershbow, the editorial director of the Institute for the Future of the Book, noted in a blog post for the Institute for the Future of the Book, that the experiment represents a “bold step by a scholarly press … toward developing new procedures for vetting materials and assuring excellence, and more specifically, toward meaningful collaboration with existing online scholarly communities to develop and promote new scholarship. What’s particularly compelling about this present experiment is that it has the potential to be (perhaps now or perhaps only in retrospect, further down the line) one of these important hybrid moments — a genuine, if slightly tentative, interface between two publishing cultures.”

- and -

HARVARD OPTS IN TO ‘OPT OUT’ PLAN (, 13 Feb 2008) - Harvard University’s arts and sciences faculty approved a plan on Tuesday that will post finished academic papers online free, unless scholars specifically decide to opt out of the open-access program. While other institutions have similar repositories for their faculty’s work, Harvard’s is unique for making online publication the default option. The decision, which only affects the Faculty of Arts and Sciences, won’t necessarily disrupt exclusivity agreements with journals or upend the academic publishing industry, but it could send a signal that a standard bearer in higher education is seriously looking at alternative distribution models for its faculty’s scholarship. Already, various open-access movements are pressing for reforms (from modest to radical) to the current economic model, which depends on journals’ traditional gatekeeping function and their necessarily limited audiences but which has concerned many in the academic community worried about rising costs and the shift to digital media. It isn’t clear how or whether Harvard will ensure that professors who haven’t opted out will submit finished papers, and even what “finished” means. Can academics submit non-peer-reviewed work? Can they selectively upload articles and withhold others for prestigious journals? Either way, most publishers don’t seem overly fazed by the development; many contracts with scholars already allow authors to post their work independently of publication in a journal, and the Harvard plan both protects authors’ own copyright to their works and avoids forcing a decision on its faculty.

WHAT OUR TOP SPY DOESN’T GET: SECURITY AND PRIVACY AREN’T OPPOSITES (Wired, essay by Bruce Schneier, 24 Jan 2008) - If there’s a debate that sums up post-9/11 politics, it’s security versus privacy. Which is more important? How much privacy are you willing to give up for security? Can we even afford privacy in this age of insecurity? Security versus privacy: It’s the battle of the century, or at least its first decade. In a Jan. 21 New Yorker article, Director of National Intelligence Michael McConnell discusses a proposed plan to monitor all - that’s right, all - internet communications for security purposes, an idea so extreme that the word “Orwellian” feels too mild. The article (not online) contains this passage: “In order for cyberspace to be policed, internet activity will have to be closely monitored. Ed Giorgio, who is working with McConnell on the plan, said that would mean giving the government the authority to examine the content of any e-mail, file transfer or Web search. “Google has records that could help in a cyber-investigation,” he said. Giorgio warned me, “We have a saying in this business: ‘Privacy and security are a zero-sum game.’” I’m sure they have that saying in their business. And it’s precisely why, when people in their business are in charge of government, it becomes a police state. If privacy and security really were a zero-sum game, we would have seen mass immigration into the former East Germany and modern-day China. While it’s true that police states like those have less street crime, no one argues that their citizens are fundamentally more secure.

- and -

BUSH ORDER EXPANDS NETWORK MONITORING (Washington Post, 26 Jan 2008) - President Bush signed a directive this month that expands the intelligence community’s role in monitoring Internet traffic to protect against a rising number of attacks on federal agencies’ computer systems. The directive, whose content is classified, authorizes the intelligence agencies, in particular the National Security Agency, to monitor the computer networks of all federal agencies - including ones they have not previously monitored. Until now, the government’s efforts to protect itself from cyber-attacks - which run the gamut from hackers to organized crime to foreign governments trying to steal sensitive data - have been piecemeal. Under the new initiative, a task force headed by the Office of the Director of National Intelligence (ODNI) will coordinate efforts to identify the source of cyber-attacks against government computer systems. As part of that effort, the Department of Homeland Security will work to protect the systems and the Pentagon will devise strategies for counterattacks against the intruders. The NSA has particular expertise in monitoring a vast, complex array of communications systems - traditionally overseas. The prospect of aiming that power at domestic networks is raising concerns, just as the NSA’s role in the government’s warrantless domestic-surveillance program has been controversial. “Agencies designed to gather intelligence on foreign entities should not be in charge of monitoring our computer systems here at home,” said Rep. Bennie Thompson (D-Miss.), chairman of the House Homeland Security Committee. Lawmakers with oversight of homeland security and intelligence matters say they have pressed the administration for months for details.

- and -

ABRACADABRA! BUSH MAKES PRIVACY BOARD VANISH (Wired, 4 Feb 2008) - The Bush administration has failed to nominate any candidates to a newly empowered privacy and civil-liberties commission. This leaves the board without any members, even as Congress prepares to give the Bush administration extraordinary powers to wiretap without warrants inside the United States. The failure rankles Sens. Joe Lieberman (I-Connecticut) and Susan Collins (R-Maine), respectively chairman and ranking minority member of the Senate’s Homeland Security Committee. “I urge the president to move swiftly to nominate members to the new board to preserve the public’s faith in our promise to protect their privacy and civil liberties as we work to protect the country against terrorism,” Lieberman said in a statement. “The White House’s failure to move forward with appointing the new board is unacceptable, and I call on the administration to do so as quickly as possible to prevent a gap in this vital mission,” Collins said in a statement.

COURT RULES DATABASE THEFT WITHOUT HARM NOT COGNIZABLE UNDER CFAA (BNA’s Internet Law News, 24 Jan 2008) - BNA’s Electronic Commerce & Law Report reports that a federal court in Illinois has ruled that absent a corresponding database harm, trade secret theft and data misappropriation do not satisfy the Computer Fraud and Abuse Act’s civil action damage requirement. The court said that civil CFAA actions require a showing of both damage and loss, and read “damage” to require some actual damage to a database, not just harm to the information. The court said that breaching a database to steal information would not qualify as CFAA “damage” if the database was never impaired or shut down. Case name is Garelli Wong & Assocs. Inc. v. Nichols.

SHARPER AERIAL PICTURES SPARK PRIVACY FEARS (The Guardian, 24 Jan 2008) - If you were up to no good in the London open air last winter, start working up excuses: you might be on the web. This week, a company launches an online map of central London which includes aerial photography at four times the resolution of existing online maps: the equivalent of looking down from the 10th floor. The map, from, publishes aerial photography at a resolution of 4cm for London and 12.5cm for the rest of the UK. In the right conditions, images at this resolution are enough to identify individuals - a step that existing online mapping ventures such as Google Earth and Microsoft’s Virtual Earth have so far been careful to avoid. Alastair Crawford, 192’s chief executive, makes no apologies for the possibilities: “We’re considering holding a competition. We want to challenge people to find out how much naughty stuff is happening. If you’re having an affair in London, you’d better be careful!” The mapping venture is likely to heat up the debate about the extent to which information about individuals is available on the web - especially as, which specialises in providing data about individuals gleaned from official sources has announced plans to attach estimated ages to every person in its database of 27 million Britons.

CHOICEPOINT INVESTIGATION OVER, ANNUAL PROFIT RISES (Atlanta Business Chronicle, 24 Jan 2008) - The SEC has ended its investigation into ChoicePoint Inc., and the company has reported its profit soared 91.7 percent in 2007. The Alpharetta, Ga.-based identification and credential verification services provider said it learned Jan. 22 the U.S. Securities and Exchange Commission finished its investigation into possible identity theft, trading in ChoicePoint stock by CEO Derek Smith and Chief Operating Officer Douglas Curling and related matters, and that the SEC will not take any action. However, ChoicePoint (NYSE: CPS) will pay $10 million to settle a class-action lawsuit filed against it and some of its officers stemming from a data breach by identity thieves in February 2005. Neither the company nor any of the other defendants admitted to any liability and the agreement is subject to court approval.

MASSACHUSETTS PROPOSES STRICT DATA SECURITY MEASURES, INCLUDING THE USE OF ENCRYPTION (Steptoe & Johnson’s E-Commerce Law Week, 24 Jan 2008) - The Massachusetts Office of Consumer Affairs and Business Regulation has released proposed regulations for implementing data security requirements contained in a Massachusetts breach notification law enacted last August. As we previously reported, the Office was tasked with preparing regulations “to safeguard the personal information of [ Massachusetts] residents.” The proposed regulations interpret this mandate broadly. They would require any entity that holds personal information about a Massachusetts resident not only to develop and maintain a written information security program, but also to use a firewall, antispyware, and antivirus software, and physical access restrictions to protect the information. In addition, the regulations would require such entities to use strong encryption when transmitting personal information “across public networks,” making Massachusetts the second state (after Nevada) to specifically require encryption. The Massachusetts regulations thus continue a significant trend toward governments’ specifying the means that businesses must use to implement data security. Massachusetts regs here:

- and -

FAIL TO ENCRYPT? GO DIRECTLY TO JAIL! (Steptoe & Johnson’s E-Commerce Law Week, 7 Feb 2008) - When it comes to data security, state legislatures - like nature - abhor a vacuum. With Congress still dithering on national breach notification legislation, most states have filled the void with their own individual requirements, resulting in a mish-mash of different laws that companies have to contend with when they suffer a data breach. Now states seem poised to go down a similar path with encryption - possibly creating even greater confusion and complications for companies. Following the lead of Nevada and Massachusetts, the legislatures in Michigan (S.B. 1022) and Washington State (H.B. 2838 and H.B. 2574) have recently introduced bills that would require businesses to use encryption to protect personal information. The states differ, though, in how they define encryption, when they would require its use, and how they would enforce the mandate. Michigan takes the most extreme approach, as it would provide criminal fines and imprisonment for anyone who fails to encrypt computerized “personal identifying information” collected for business purposes. The Michigan and Washington bills would also allow banks to recover certain expenses from companies that suffer a data breach - including costs for cancelling or reissuing credit or debit cards, closing or opening accounts, providing refunds to cardholders, and notifying customers. (Minnesota already has similar requirements.) Finally, at least four more states are considering jumping on the breach notification bandwagon this year. So 2008 promises to be another banner year for data security legislation at the state level.

- and -

WHITEHALL LOCKS DOWN LAPTOPS (, 23 Jan 2008) - The UK government has banned laptops leaving government buildings unless the contents are encrypted. A series of catastrophic data leaks has caused the clampdown, after growing fears about the amount of personal data being lost by government employees. The move is likely to lead to a boom in sales of encryption technology. Cabinet Secretary Sir Gus O’Donnell said in an email to top civil servants on Monday: “From now on, no unencrypted laptops or drives containing personal data should be taken outside secured office premises.”

- and -

LIFE IS GOOD, BUT DATA SECURITY WITHOUT ENCRYPTION - NOT SO MUCH (Steptoe & Johnson’s E-Commerce Law Week, 26 Jan 2008) - The Federal Trade Commission has again taken action against a company for its failure to live up to representations made in its online privacy statement. “Life is good, Inc.” (LIG), a designer and seller of retail apparel, promised to store “in a secure file” any consumer information gathered while processing online purchases - and then neglected to encrypt or otherwise adequately protect this information. According to the FTC, LIG indefinitely stored consumers’ credit card numbers, expiration dates, and security codes on an unsecured, Internet-accessible server. After a hacker (using an SQL injection attack) stole thousands of LIG customers’ information, LIG notified affected customers and law enforcement and took steps to prevent further breaches. Still, proving that no good deed goes unpunished, the FTC launched an investigation and ultimately lodged a complaint, alleging that LIG had violated provisions of the FTC Act barring deceptive acts or practices. LIG agreed to settle the complaint on the FTC’s usual terms (including requirements for a comprehensive information security program and 20 years of FTC oversight). The settlement reinforces the Commission’s position as the principal federal arbiter of what constitutes “reasonable” data security. It also underscores a trend in which the lack of encryption is increasingly regarded as a major factor in determining that a company’s data security measures were inadequate.

GOOGLE CUTS AD INCENTIVES FOR DOMAIN NAME TASTING (, 26 Jan 2008) - Online advertising leader Google said Friday it would help make it less lucrative to tie up millions of Internet addresses using a loophole and keep those domain names from legitimate individuals and businesses. Over the next few weeks, Google will start looking for names that are repeatedly registered and dropped within a five-day grace period for full refunds. Google’s AdSense program would exclude those names so no one can generate advertising revenue from claiming them temporarily, a practice known as domain name tasting - the online equivalent of buying expensive clothes on a charge card only to return them for a full refund after wearing them to a party. Name tasting exploits a grace period originally designed to rectify legitimate mistakes, such as registrants mis-typing the domain name they are about to buy. But with automation and a burgeoning online advertising market, entrepreneurs have generated big bucks exploiting the policy to test hordes of names, keeping just the ones that turn out to generate the most revenue. The practice ties up millions of domain names at any given time, making it more difficult for legitimate individuals and businesses to get a desirable name. Jay Westerdal, who earlier wrote about Google’s change on his DomainTools blog, said in an interview that the ban should make domain name tasting far less lucrative. He noted that Google’s chief rival, Yahoo, already tries to ban tasted addresses that infringe on trademarks and account for much of the problem.

- and -

NEW POLICY AIMS TO CURB WEB SITE NAME ABUSE (Washington Post, 30 Jan 2008) - Consumers and businesses may soon find it easier to register an attractive Web site name, now that the nonprofit organization that oversees the global domain name system has agreed to a policy change. In a meeting last week, board members of the Internet Corporation for Assigned Names and Numbers voted unanimously to make the Web site name registration process more expensive for “domain tasters,” who take advantage of loopholes in the process to register - and profit from - millions of domain names without paying for them. Under the current rules, domain registrars have up to five days to sample domains before committing to purchase them, typically at a cost of around $6.25 per domain. An additional 20-cent surcharge per domain goes to ICANN, but the group has always refunded that fee if the registrar failed to purchase the domain within five days of claiming it. Until now. The new policy would not refund the 20-cent fee.

STUDY SHOWS EBAY BUYERS SAVE BILLIONS OF DOLLARS (CNET, 27 Jan 2008) - Buyers save billions of dollars each year bidding on eBay auctions, according to a new study that quantifies the benefits online consumers enjoy over and above what is derived by sellers, or eBay itself. The independent research by two statisticians from the University of Maryland’s Robert H. Smith School of Business found buyers saved $7 billion that they might have otherwise been ready to pay in a study of eBay auction behavior in 2003. Applying the same analysis to 2004 buyer data, consumers saved $8.4 billion, said Wolfgang Jank, one author of the study. A linear projection of the research findings would mean consumers saved around $19 billion during 2007, Jank said. The study seeks to calculate what economists call “consumer surplus”-the difference between the top price buyers were ready to pay and what they actually ended up paying. E-commerce sites provide a treasure trove of data that allows researchers to test out theories of consumer behavior.

EU COURT: FILE SHARERS DON’T HAVE TO BE NAMED (CNET, 29 Jan 2008) - European Union countries can refuse to disclose names of file sharers on the Internet in civil cases, the EU’s top court said on Tuesday in a blow to copyright holders trying to fight digital piracy. The European Court of Justice ruled on a dispute between Spanish music rights holders association Promusicae and Spain’s top telecommunications operator, Telefonica. Telefonica argued that, under a national law based on EU rules, it had to disclose the name of an Internet subscriber only for criminal actions, not civil ones. “Community law does not require the member states, in order to ensure the effective protection of copyright, to lay down an obligation to disclose personal data in the context of civil proceedings,” the court said in a statement.

WISDOM OF THE WEB (New York Times, 29 Jan 2008) - It may be a little late to the game, but business travel is now the subject of a variety of blogs. In the last two years, companies in the travel business including Starwood Hotels and Resorts, Marriott International, Delta Air Lines and Southwest Airlines have introduced blogs to promote their products and brand images, as have business travelers who want to narrate experiences and share complaints. According to Forrester Research, in the second quarter of 2007, 21 percent of business travelers who use the Internet read blogs, not just ones about business travel, but also those involving sports, business, finance and other topics. “This indicates that organizing a portal for business travel blogs, especially with good content, means the site has potential,” said Henry H. Harteveldt, travel analyst for Forrester, a research firm. Hotels, airlines and other companies in the travel business have also harnessed blogs to promote their brands and offer insights from their employees. One of the most prominent bloggers is J. W. Marriott Jr., chairman and chief executive of Marriott International, who began a blog, Marriott on the Move, a year ago. It includes four or five posts a month and podcasts. “I love it. I read an awful lot of responses we’re getting,” he said. “It gives us a chance to communicate with the world and a chance for people to communicate back.” Mr. Marriott’s blog has already attracted more than 345,000 visitors; as a result of this success, Marriott plans to add the blog to some of its foreign Web sites and has started a second blog, by its corporate chef. The hotel chain Starwood started its blog,, in April 2006 to provide information for participants in its loyalty program. 
Chris Holdren, vice president for Starwood Preferred Guest and global Web services, said the tone had changed since the blog’s introduction to allow the “perspectives of the bloggers to be brought to life.” They include 4 travel writers and some 70 Starwood employees. Southwest Airlines has operated its staff-written blog, Nuts About Southwest, since April 2006. (The name refers to the carrier’s in-flight snack, peanuts.) Blogs can also be a quick way to gauge customer reaction to policies. Early last year, Bill Owen, a schedule planner at Southwest, wrote in a post that the airline sold its inventory only three months in advance. But after an outcry online, it changed its policy and now sells tickets at least four months in advance.

QUALCOMM CASE SENDS TREMORS NATIONWIDE (, 31 Jan 2008) - The San Francisco earthquake measured 8.25 on the Richter scale, claimed 3000 lives and caused half a billion of damage in 1906 dollars. The 1989 Loma Prieta earthquake registered 6.9 on the scale, left 63 dead, 3,700 injured and delayed the World Series for 10 days. The 1994 Northridge quake, a mere 6.7, resulted in 57 deaths, 9,000 injuries, and $40 billion of damage. The 2008 Qualcomm case has not been assigned a Richter number; it caused no deaths. But it should send shock waves far outside of California. On Jan. 8, Magistrate Judge Barbara Major issued a sanction order and referred six attorneys to the State Bar of California for investigation of possible ethical lapses. All because e-discovery had not been properly conducted. Let us be clear. This decision was issued but a few weeks ago; it may be reversed or modified. There no doubt is a way to tell the tale that is less damning to Qualcomm and its lawyers than Major’s recitation. But she is the judge and she has judged and, oh boy, has she damned. We will use pseudonyms in this article because we take no joy in reporting that lawyers have been sanctioned. These six lawyers, judging from their bios, are fine lawyers at the top of the profession. If this happened to them, it could happen to us. It could happen to you.

AND FOR YOUR HOMEWORK, PLEASE DESIGN A TORTURE DEVICE (The Guardian, 2 Feb 2008) - An architectural school was at the centre of a row last night after it emerged that students were required to design a fully operational torture device. The project, part of a masters course aimed at first-year students of the University of Kent’s School of Architecture, was described as “sick”. One student has lodged a complaint on the grounds that he was uncomfortable about carrying out the brief. Illustrated by a skull and a view of a Gestapo electric torture chamber, the brief handed to a class of students at the school was to “design, construct and draw a fully operational prototype torture device based on ergonomic principles”. They were encouraged to “be original” and instructed: “You may use a historical precedent as a point of departure or attempt to develop something completely without precedent. Through design development we hope you may advance your understanding of ergonomics as it pertains to torture.” The two-week project was designed by course tutor Mike Richards, in advance of a project to design a new headquarters for Amnesty International. [Not relevant to MIRLN, but too strange NOT to include.]

PEER-TO-PEER LENDING ONLINE TAKES OFF (, 4 Feb 2008) - When Walter Kond needed $25,000 to buy a shipment of home-theater seats for his company to resell, he didn’t go to the bank. He went online. Kond posted a loan request on and a few days later, more than 300 absolute strangers had pooled together the cash for a three-year loan at 13 percent interest. Welcome to the world of peer-to-peer lending - where anyone with Web access can be a banker and small business owners like Kond are finding a new way to raise cash. The industry is still in its infancy, but has been catching fire as major players enter the market. The UK’s Zopa - considered the grand-daddy of the niche - launched its U.S. operations in December, California-based Lending Club debuted on social networking giant Facebook in May, and billionaire Richard Branson re-launched Circle Lending as Virgin Money USA in October. “There is so little innovation in traditional consumer finance that anytime something new like this comes along, it’s a rarity and something to watch,” said George Hofheimer, chief research officer at Filene Research Institute in Wisconsin, which studies the lending sector. “This has a high probability of being what academics refer to as a ‘disruptive innovation.’”

OVERHAUL OF NET ADDRESSES BEGINS (BBC, 4 Feb 2008) - The first big steps on the road to overhauling the net’s core addressing system have been taken. On Monday the master address books for the net are being updated to include records prepared in a new format known as IP version 6. Widespread use of this format will end the shortage of addresses that sites can be given. The net’s current addressing scheme is expected to exhaust the pool of unallocated addresses by 2011.

START-UP SHUTS DOWN CELL-PHONE DIRECTORY AFTER CONSUMER COMPLAINTS (, 4 Feb 2008) - Intelius Inc., a startup that launched online directory assistance for cell-phone numbers, has shut down the service after complaints from consumers and Verizon Wireless. Intelius had 90 million numbers in its database, according to its Web site, and was selling them for $15 each to anyone who had a name and wanted a number. The company said in a statement released Friday that it has discontinued the directory service due to “consumer feedback.” Several TV stations and had publicized the directory last week. Verizon Wireless called on Intelius last Tuesday to stop selling numbers. “This is a violation of Americans’ privacy. People expect their cell phone numbers to remain private,” Steve Zipperstein, Verizon Wireless’ general counsel, said in the statement. Intelius still operates a reverse cell-phone lookup, which reveals the name of the subscriber for a given number. Several other Web sites offer the same service. Intelius also conducts background checks, people searches and sells records on property and neighborhoods. The cellular industry organization CTIA - The Wireless Association attempted to create a cell-phone directory, but abandoned the effort a few years ago after opposition from consumers and legislators.

CALIFORNIA COURT BARS UNMASKING OF WEB CRITIC (CNET, 6 Feb 2008) - A California appeals court on Wednesday said an anonymous Internet poster does not have to reveal his identity after being sued for making “scathing verbal attacks” against executives at a Florida company on a Yahoo message board. The Sixth Appellate District in Santa Clara County reversed a trial court ruling that would have allowed a former executive at SFBC International to subpoena Yahoo for the names of her critics. The appeal was filed by a poster whose screen name includes a Spanish expletive but who is known as “Doe 6” in the lawsuit filed by former SFBC Chairman and COO Lisa Krinsky in 2006. Krinsky accuses Doe 6 and nine other Yahoo Finance posters of libel, fraud, and other claims arising from posts they made about her while she was a company officer. The appellate court concluded that while Doe 6’s messages were “unquestionably offensive and demeaning,” they could not be counted as defamation since they could not be considered assertions of fact. Without a cause of action, Krinsky could not overcome Doe 6’s First Amendment right to speak anonymously on the Internet, the court said.

CIA MONITORS YOUTUBE FOR INTELLIGENCE (Information Week, 6 Feb 2008) - In keeping with its mandate to gather intelligence, the CIA is watching YouTube. U.S. spies, now under the Director of National Intelligence (DNI), are looking increasingly online for intelligence; they have become major consumers of social media. “We’re looking at YouTube, which carries some unique and honest-to-goodness intelligence,” said Doug Naquin, director of the DNI Open Source Center (OSC), in remarks to the Central Intelligence Retirees’ Association last October. “We’re looking at chat rooms and things that didn’t exist five years ago, and trying to stay ahead. We have groups looking at what they call ‘Citizens Media’: people taking pictures with their cell phones and posting them on the Internet.” In November 2005, the OSC subsumed the CIA’s Foreign Broadcast Information Service, which housed the agency’s foreign media analysts. The OSC is responsible for collecting and analyzing public information, including Internet content. Steven Aftergood, director of the Federation of American Scientists project on government secrecy, posted a transcript of Naquin’s remarks on his blog. “I found the speech interesting and thoughtful,” he said in an e-mail. “I would not have thought of YouTube as an obvious source of intelligence, but I think it’s a good sign that the Open Source Center is looking at it, and at other new media.”

- and -

SPIES’ BATTLEGROUND TURNS VIRTUAL (Washington Post, 6 Feb 2008) - U.S. intelligence officials are cautioning that popular Internet services that enable computer users to adopt cartoon-like personas in three-dimensional online spaces also are creating security vulnerabilities by opening novel ways for terrorists and criminals to move money, organize and conduct corporate espionage. Over the last few years, “virtual worlds” such as Second Life and other role-playing games have become home to millions of computer-generated personas known as avatars. Corporations and government agencies have opened animated virtual offices, and a growing number of organizations hold meetings where avatars gather and converse in newly minted conference centers. Intelligence officials who have examined these systems say they’re convinced that the qualities that many computer users find so attractive about virtual worlds - including anonymity, global access and the expanded ability to make financial transfers outside normal channels - have turned them into seedbeds for transnational threats. “The virtual world is the next great frontier and in some respects is still very much a Wild West environment,” a recent paper by the government’s new Intelligence Advanced Research Projects Activity said. “Unfortunately, what started out as a benign environment where people would congregate to share information or explore fantasy worlds is now offering the opportunity for religious/political extremists to recruit, rehearse, transfer money, and ultimately engage in information warfare or worse with impunity.” The government’s growing concern seems likely to make virtual worlds the next battlefield in the struggle over the proper limits on the government’s quest to improve security through data collection and analysis and the surveillance of commercial computer systems. Virtual worlds could also become an actual battlefield. 
The intelligence community has begun contemplating how to use Second Life and other such communities as platforms for cyber weapons that could be used against terrorists or enemies, intelligence officials said. One analyst suggested beginning tests with so-called teams of cyber warfare experts. The IARPA paper concurred: “What additional things are possible in the virtual world that cannot be done in the real world? The [intelligence community] needs to ‘red team’ some possible scenarios of use.” The CIA has created a few virtual islands for internal use, such as training and unclassified meetings, government officials said. Some veterans of privacy debates said they believe that law enforcement and national security authorities are preparing to make a move, through coercion or new laws, to gain access to the giant computer servers where virtual worlds reside.

COURT RULES AUCTION TAKEDOWN REQUEST SUFFICIENT FOR JURISDICTION (BNA’s Internet Law News, 7 Feb 2008) - BNA’s Electronic Commerce & Law Report reports that the 10th Circuit Court of Appeals has ruled that a company which requested that eBay shut down an auction of allegedly-infringing products is subject to the jurisdiction of a court in the state where the auction hosts reside. The court held that the company’s auction termination request and threatening e-mail were sufficiently directed to Colorado to support the exercise of specific jurisdiction over it. Case name is Dudnikov v. Chalk & Vermilion Fine Arts.

DID LAWYER’S E-MAIL GOOF LAND $1B SETTLEMENT ON NYT’S FRONT PAGE? (ABA Journal, 6 Feb 2008) - An outside lawyer for Eli Lilly & Co. apparently has two people named “Berenson” in her e-mail address book. One is a reporter for the New York Times and the other is her co-counsel assisting in confidential negotiations on a possible $1 billion settlement between the pharmaceutical company and the government. The question is whether her e-mail to the wrong Berenson spurred last week’s front-page New York Times story revealing talks to resolve criminal and civil investigations into the company’s marketing of the anti-psychotic drug Zyprexa, as reports. The unidentified lawyer who wrote the e-mail works at Pepper Hamilton in Philadelphia, the story says. She was trying to e-mail Bradford Berenson of Sidley Austin rather than Times reporter Alex Berenson. The Drug and Device Law blog contacted Berenson, the reporter, who said he did receive an e-mail, but it did not contain a detailed description of the status of the settlement talks. Berenson told the blog he got his information from other sources. Berenson said in a later interview with WNYC Radio that the e-mail, sent by a “high-powered” Pepper Hamilton lawyer, was not a “really big blunder.” The e-mail mentioned the name of the U.S. attorney overseeing settlement talks, but didn’t refer to Eli Lilly, its case or settlement numbers. It read in part: “They’re in the stratosphere on number and Meehan wants a deal.” Eli Lilly had initially believed that federal officials leaked the information. “As the company’s lawyers began turning over rocks closer to home, however, they discovered what could be called A Nightmare on E-mail Street,” the Portfolio story says. A Lilly spokeswoman told that the company will continue to retain Pepper Hamilton. 
A search for the words “Eli Lilly” on the firm’s Web site shows that two of the firm’s lawyers are scheduled to speak on the subject of “Resolving Ethical Concerns and Preserving Attorney-Client Privilege When Faced With Fraud and Abuse Charges” at an April conference.

BBC WARNS STAFF OVER INTERNET PICTURES (The Guardian, 11 Feb 2008) - BBC editorial staff have been told to be cautious over the use of photos from social networking websites, saying the practice raises a number of legal and ethical issues. The BBC does not yet have a fixed policy on content from social networking sites, but an update for editorial staff and producers sent on Friday and seen by warned that just because pictures are easily available, it should not remove the “responsibility to assess the sensitivities in using it”. “Simply because material may have been put into the public domain may not always give the media the right to exploit its existence. The use of a picture by the BBC brings material to a much wider public than a personal website that would only be found with very specific search criteria,” the email said. “Consideration should be given to the context in which it was originally published including the intended audience.” Editorial staff were told that they need to consider the original context of photos and how their use might impact grieving or distressed friends and relatives. Photos also need to be verified before use. There are further concerns around copyright of photographs copied and pasted from the web, which may belong to either the host site or one of its users. Issues were raised over the use of photos from personal profile pages on sites such as MySpace after the shootings at Virginia Tech, and following the recent spate of suicides in Bridgend. Writing about the issue on the BBC’s news blog recently, the news website editor, Steve Hermann, said it is reasonable to assume that photos on a social networking site user’s personal profile would be seen only by that person’s family and friends.

DATA BREACHES HIT MORE CAMPUSES (, 12 Feb 2008) - A new report summarizing computer security incidents over the past year found that the number of losses and unauthorized disclosures of data increased markedly along with the number of colleges and universities affected. The most common incidents last year tended to involve “the release of information to unknown and/or unauthorized individuals,” shifting the focus from hacker-style attacks to breaches involving information technology employees themselves — whether acting knowingly or not. The “Year in Review” report for 2007 by Educational Security Incidents, an online repository intended to collect data on security incidents in higher educational institutions, scoured online databases dedicated to campus security reporting, as well as news sources, to create a consolidated picture breaking down the number and types of breaches that occurred last year. The total number of incidents reported rose 67.5 percent to 139, and they affected 112 institutions, a 72.3 percent jump from 2006. October’s annual survey by the Campus Computing Project found that while problems resulting from computer viruses and spyware had plummeted over the previous two years, security incidents involving social networking sites (like Facebook) were increasing — to 13.2 percent of campuses polled in 2007. Campus IT officials in the survey called network security the “single most important IT issue affecting my institution over the next two-three years,” although the percentage saying so decreased from 30 to 25.5 percent over the previous two years. The survey also found an increase in physical theft of computer hardware and a small but growing fraction of incidents involving intentional wrongdoing by IT employees. Year-in-Review report at

HOW STICKY IS MEMBERSHIP ON FACEBOOK? JUST TRY BREAKING FREE (New York Times, 11 Feb 2008) - Are you a member of You may have a lifetime contract. Some users have discovered that it is nearly impossible to remove themselves entirely from Facebook, setting off a fresh round of concern over the popular social network’s use of personal data. While the Web site offers users the option to deactivate their accounts, Facebook servers keep copies of the information in those accounts indefinitely. Indeed, many users who have contacted Facebook to request that their accounts be deleted have not succeeded in erasing their records from the network. “It’s like the Hotel California,” said Nipon Das, 34, a director at a biotechnology consulting firm in Manhattan, who tried unsuccessfully to delete his account this fall. “You can check out any time you like, but you can never leave.” It took Mr. Das about two months and several e-mail exchanges with Facebook’s customer service representatives to erase most of his information from the site, which finally occurred after he sent an e-mail threatening legal action. But even after that, a reporter was able to find Mr. Das’s empty profile on Facebook and successfully sent him an e-mail message through the network. In response to difficulties faced by ex-Facebook members, a cottage industry of unofficial help pages devoted to escaping Facebook has sprung up online — both outside and inside the network. “I thought it was kind of strange that they save your information without telling you in a really clear way,” said Magnus Wallin, a 26-year-old patent examiner in Stockholm who founded a Facebook group, “How to permanently delete your facebook account.” The group has almost 4,300 members and is steadily growing. The technological hurdles set by Facebook have a business rationale: they allow ex-Facebookers who choose to return the ability to resurrect their accounts effortlessly. 
According to an e-mail message from Amy Sezak, a spokeswoman for Facebook, “Deactivated accounts mean that a user can reactivate at any time and their information will be available again just as they left it.” But it also means that disenchanted users cannot disappear from the site without leaving footprints. Facebook’s terms of use state that “you may remove your user content from the site at any time,” but also that “you acknowledge that the company may retain archived copies of your user content.” Its privacy policy says that after someone deactivates an account, “removed information may persist in backup copies for a reasonable period of time.” Only people who contact Facebook’s customer service department are informed that they must painstakingly delete, line by line, all of the profile information, “wall” messages and group memberships they may have created within Facebook. But even users who try to delete every piece of information they have ever written, sent or received via the network have found their efforts to permanently leave stymied. Other social networking sites like MySpace and Friendster, as well as online dating sites like, may require departing users to confirm their wishes several times — but in the end they offer a delete option.

- and -

QUITTING FACEBOOK GETS EASIER (New York Times, 13 Feb 2008) - Aiming to address the privacy concerns of disenchanted users, said on Tuesday that it was trying to make it easier for people to delete their accounts permanently from the social networking site. Until now, Facebook has offered only a deactivation option, which keeps copies of the account’s personal information on the company’s servers. It is possible to delete an account fully using a cumbersome manual method, but it is difficult; many users complained that Facebook did not provide clear instructions. On Monday, Facebook modified its help pages to tell people that if they wanted to remove their accounts entirely, they can direct the company by e-mail to have it done. But on Tuesday, representatives of Facebook stopped short of saying the company would introduce a one-step delete account option. The updated Facebook help page now includes the question “How do I delete my account?” The answer: “If you do not think you will use Facebook again and would like your account deleted, we can take care of this for you. Keep in mind that you will not be able to reactivate your account or retrieve any of the content or information you have added.” The entry then says, “If you would like your account deleted, please contact us using the form at the bottom of the page and confirm your request in the text box.” Ms. Geminder said that Facebook’s policies were a reflection of the fact that many people came back to Facebook after they stopped using the site for a time. “On any given day, the number of users reactivating their accounts is roughly half of the number of users deactivating their accounts,” she said.

BLOGGER LOSES DAY JOB WITH CNN OVER BLOGGING (AR&D Blog, 13 Feb 2008) - Chez Pazienza, a producer at CNN assigned to American Morning, was unceremoniously fired from his job today — without severance — over the content of his popular and edgy blog, Deus Ex Malcontent (warning: adult language). He had worked for CNN for four years, beginning as a Senior Producer in Atlanta. Chez is a member of my tribe and a friend, and I’m not happy about this turn of events. According to Chez, he was terminated for violating network policy by not running what he was writing through their vetting system. So he was fired not for blogging but for the content of his blog. “It’s not that I’ve been writing,” he wrote in an email. “It’s WHAT I’ve been writing.” That may be the official decision, but the truth is he was fired because he had the balls to write about the industry without telling CNN. I would add that there is no mention of his connection to the network on his site, and as a producer, it’s hard to justify the notion that he’s in any way a public figure or publicly connected with the company.

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. Edupage,
3. SANS Newsbites,
4. NewsScan and Innovation,
5. Internet Law & Policy Forum,
6. BNA’s Internet Law News,
7. Crypto-Gram,
8. McGuire Wood’s Technology & Business Articles of Note,
9. Steptoe & Johnson’s E-Commerce Law Week,
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
