Saturday, March 29, 2008

MIRLN - Misc. IT Related Legal News [9-29 March 2008; v11.04]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley ( with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at and blogged at

**************End of Introductory Note***************

SECRET PRINTER ID CODES MAY BREACH EU PRIVACY LAWS (The Register, 15 Feb 2008) - A little-noticed system that allows printed documents to be tracked by government agents has gotten the attention of the EU Commissioner for Justice Freedom and Security, who says the technology may violate EU human rights guarantees. The technology is baked in to many popular color laser printers and photocopiers, including those made by Brother, Canon, Xerox and HP, according to a list compiled by the Electronic Frontier Foundation. It embeds almost invisible tracking dots onto documents that uniquely identify the machine that printed them. The enables the tracking of currency counterfeiters, but the EFF has been warning for years there’s nothing that prevents government spooks from using them for broader types of surveillance. Those concerns have at last found a home with Commissioner Franco Frattini. “To the extent that individuals may be identified through material printed or copied using certain equipment, such processing may give rise to the violation of fundamental human rights, namely the right to privacy and private life,” he wrote (Microsoft Word document here) last month in response to a question about the legality of the system. “It also might violate the right to protection of personal data.” Applicable EU documents include Article 8 of the Convention of Human Rights, which provides for the protection of personal data, and Article 7 of the Fundamental Freedoms and the Charter of Fundamental Rights of the European Union, which ensures the protection of private and family life, home and communication, he said. Directive 95/46/EC of Parliament and of the Council of 24 October 1995 also apply. Frattini stopped short of saying the practice violates any laws at either a national or Community level. That’s because the inquiry, which was filed by EU Member for Finland Satu Hassi, didn’t include information showing the tracking dots were being used to identify individuals. Frattini’s answer appears to bolster the EFF opinion that the technology unnecessarily opens the door to human rights abuses, throughout the world. List of affected printers:

DATA BREACHES IN HIGHER EDUCATION: FROM CONCERN TO ACTION (Educause, Jan/Feb 2008) - Data breaches that potentially expose personal information are of great concern to every U.S. citizen and consumer. In August 2007, as reported in The Wired Campus, the Privacy Rights Clearinghouse documented the total number of compromised private records during the past three years at almost 160 million. The Wired Campus article, which noted that many of these breaches had occurred at colleges and universities, concluded by asking: “When is higher education going to get serious about safeguarding the private information of students, faculty, and staff?” The Chronology of Data Breaches as recorded by the Privacy Rights Clearinghouse ( shines light on this question and on the problems of data security. It does identify higher education as a sector where much work remains to be done. However, the Chronology also reveals that from January to late August 2007, the records compromised at institutions of higher education accounted for less than 2 percent (896,349) of the total number of records compromised during that time. The other 98 percent of breaches occurred in private industry, financial institutions, medical institutions, and other sectors. What may be confusing is that higher education ranks second in the number of reported instances in 2007 (56), behind government entities (63). In fact, that number represents 25 percent of the reported instances in 2007, a significant decline from the nearly 50 percent level during 2005–6. Other sectors that reported instances of data breaches in 2007 include private industry (49), medical institutions (33), financial institutions (14), and K-12 schools (11). Don’t get me wrong: nearly 900,000 exposed records are too many, and data security must receive more attention at colleges and universities. Nonetheless, it is clear that data compromises are not concentrated in colleges and universities; they are a national problem that affects all sectors of the economy. In addition, it is likely that breaches in other sectors, especially the commercial sector, are substantially under-reported.

CRS REPORT - BORDER SEARCHES OF LAPTOPS AND OTHER ELECTRONIC STORAGE DEVICES (Congressional Research Service, 5 March 2008) - Summary: “The Fourth Amendment generally requires a warrant to support most searches and seizures conducted by the government. Federal courts have long recognized that there are many exceptions to this general presumption, one of which is the border search exception. The border search exception permits government officials, in most “routine” circumstances, to conduct searches with no suspicion of wrongdoing whatsoever. On the other hand, in some “non-routine” and particularly invasive situations, customs officials are required to have “reasonable suspicion” in order to conduct a search. Several federal courts have recently applied the border search exception to situations in which customs officials conducted searches of laptops and other electronic storage devices at the border. Though the federal courts have universally held that the border search exception applies to laptop searches conducted at the border, the degree of cause required to support the search has not been established. Though some federal appellate courts do not appear to require any degree of suspicion to justify a search, one federal district court stated categorically that all laptop searches conducted at the border require at least reasonable suspicion of wrongdoing.” CRS report here:

CYBER RISK MAY TRIGGER D&O LAWSUITS: AON (Business Insurance, 6 March 2008) - Cyber risks could be the next big trigger for lawsuits against company directors according to London-based brokerage Aon Ltd. At its Cyber Risk & Data Management Seminar, held Wednesday in London, Aon warned that directors could be held responsible for loss to companies and their shareholders if they fail in their duty of care by not taking preventative measures against risks such as phishing, improper data manipulation or data loss. The threat to directors is universal across all sectors, Aon said in a statement, as any company that utilizes technology as a platform or for business support is exposed. But in particular, financial institutions need to be very concerned due to the dependence on the confidentiality of their data and exposures that relate to online banking, the company added. “We are warning directors that they could find themselves being sued by employees or shareholders for not taking appropriate measures to prevent hacking, for example, or failing to provide back up for lost data,” commented Aon’s technical director, Tom Sheffield, in a statement. And insurance should be perceived as a last resort the company said. Directors must look to prevent the cyber risks through the development of strong information technology security defenses, business continuity plans and a heightened awareness of cyber risk issues at board level to create a security culture within all departments and employee roles, Aon advised. [Aon recommends this posting as “A must read for any company considering a privacy breach insurance

EUROPEAN UNION LAUNCHES PROBE INTO U.S. INTERNET GAMBLING LAWS (, 10 March 2008) - The European Union launched an investigation today into U.S. laws on Internet gambling, after European betting companies complained that Washington’s actions against them were infringing world trade rules. The investigation could lead the 27-nation EU to file a complaint at the World Trade Organization in the latest international tussle over a growing business worth more than $15.5 billion a year. “The U.S. has the right to address legitimate public policy concerns relating to Internet gambling, but discrimination against EU companies cannot be part of the policy mix,” said EU Trade Commissioner Peter Mandelson. He said he hoped the issue could be resolved amicably. Officials at the U.S. mission to the EU declined to comment, directing inquiries to the Office of the U.S. Trade Representative in Washington. European companies claim a U.S. ban that forced them out of the lucrative American market discriminates against them in violation of WTO rules, while permitting domestic gambling companies, particularly those offering betting on horse races, to flourish. In 2006, the WTO had ruled against a U.S. ban that stops American banks and credit card companies from processing payments to online gambling businesses outside the country. Washington responded by doing a deal with the EU, Japan, Canada and others in December to allow it to effectively opt out of WTO rules on gambling in return for offering them compensation in other areas.

PARAMOUNT MAKING MOVIE CLIPS AVAILABLE AS FACEBOOK MESSAGES (, 10 March 2008) - Paramount Pictures will become the first major studio to make clips from thousands of its movies available for use on the Internet. The unit of Viacom Inc. is teaming with Los Angeles-based developer FanRocket to launch the VooZoo application Monday on Facebook. The service gives Facebook users access to footage from thousands of movies, ranging from “The Ten Commandments” to “Forrest Gump,” to send to others on the popular social networking site. “The short clips for a movie that you’ve already seen before helps you relive the moment,” Paramount senior vice president of entertainment Derek Broes said. The clips last from a few seconds to several minutes and cover the gamut from Eddie Murphy’s guffaw in “Beverly Hills Cop” to Audrey Hepburn’s pleas over her “no-name slob” cat in “Breakfast at Tiffany’s.” The studio will market DVDs of the movies through a button that appears after each clip is played. It eventually wants to use the application to virally market upcoming releases.

HEART DEVICE FOUND VULNERABLE TO HACKER ATTACKS (New York Times, 11 March 2008) - To the long list of objects vulnerable to attack by computer hackers, add the human heart. The threat seems largely theoretical. But a team of computer security researchers plans to report Wednesday that it had been able to gain wireless access to a combination heart defibrillator and pacemaker. They were able to reprogram it to shut down and to deliver jolts of electricity that would potentially be fatal-if the device had been in a person. In this case, the researchers were hacking into a device in a laboratory. The researchers said they had also been able to glean personal patient data by eavesdropping on signals from the tiny wireless radio that Medtronic, the device’s maker, had embedded in the implant as a way to let doctors monitor and adjust it without surgery. [Editor: Peer behind the scenes, and things are quite a bit darker:]

LIONS GATE, APPLE TO ALLOW MOVIE TRANSFERS TO ITUNES (, 11 March 2008) - Lions Gate Entertainment, the largest independent U.S. film studio, and Apple will allow customers who buy DVDs to transfer the film from the disc to iTunes for viewing on mobile devices. The companies will initially offer special-edition and high-definition versions of “Rambo” on May 27, Lions Gate said Monday in a statement. “The Eye,” will be available during the summer, the Vancouver company said. Media companies are trying to make it easier for consumers who buy DVDs to watch films in a variety of formats, Lions Gate President Steve Beeks said in the statement. To transfer the film to iTunes, consumers need only to insert the DVD into their computer and enter a code, Lions Gate said. Films can be transferred only to one iTunes library. Twentieth Century Fox and Paramount studios announced similar agreements with Apple in January.

SEC PROPOSES EXPANSION OF PRIVACY REGULATION (Goodwin Procter, 11 March 2008) - On March 4, 2008, the Securities and Exchange Commission announced proposed changes to Regulation S-P (“Reg S-P”) to address identity theft of securities industry customers. Reg S-P was adopted seven years ago under the Gramm-Leach- Bliley Act (“GLBA”) and the Fair Credit Reporting Act, and requires financial institutions under the authority of the SEC (including investment advisers, mutual funds, broker-dealers and SEC-registered transfer agents) to adopt policies and procedures to protect client information. The two requirements of Reg S-P relating to safeguarding and disposal of confidential information have not kept pace with bank and other regulators’ detailed programs for information privacy and data security. The four proposed amendments to Reg S-P will require more comprehensive information security programs similar to the framework adopted by other financial institution regulators. Comments on the proposed amendments are due 60 days after publication in the Federal Register. [Editor: analysis and discussion then follows.]

NEW WAYS TO MANAGE HEALTH DATA (Washington Post, 11 March 2008) - You already bank online and use computer software to do your taxes. So why don’t you trust technology to help you manage your health? Microsoft, Google and more than 100 Web sites offering personal health records know the answer, but they’re betting they can quell your fears about posting your most private information online and get you to sign on soon. Online personal health records, or PHRs, began years ago as password-protected templates for storing basic medical information, accessible from any computer connected to the Web. Some still function that way, making them a convenience for patients with chronic conditions, life-threatening allergies and long medication lists. Many experts also recommend PHRs for adult caregivers of elderly family members or parents of children with chronic health problems. Many PHRs automatically link to hospital Web sites; some upload data from lab tests and medical devices; and others allow emergency rooms to access your medical history even if you’re unconscious and far from home. Lately, Internet giants Microsoft and Google have upped the ante, developing sites that combine PHRs with search engines and other services. The new capabilities raise the value of PHRs - as well as the risk from breaches of privacy. And as the records sites grow in number and sophistication, privacy advocates are stepping up their warnings, especially about PHRs offered by health insurers. [Editor: HIPAA does not protect personal health information voluntarily shared by patients with a non-health care provider.]

OVERHAULING LAW SCHOOL’S THIRD YEAR (InsideHigherEd, 12 March 2008) - “We wouldn’t dream of training doctors only from a book.” In many ways, that quote from the dean of the law school at Washington and Lee University sums up a dramatic curricular change announced this week — in which the law school is adding the equivalent at the very least of dissections, if not of medical residencies. The law school is completely replacing all academic courses in the third year of its program with “experiential” courses in which students will perform work equivalent to that done by lawyers. “Our students need a wider range of skills” than they can pick up with strictly academic courses, said the dean, Rodney A. Smolla. While a number of law schools have added individual courses that are based on the experiential model, several law school experts said that they did not know of another example of a law school taking such a move with its entire third year. If Washington and Lee is going beyond others, it is doing so at a time of considerable debate within law schools about whether a more practical orientation is needed. Last year, a report from the Carnegie Foundation for the Advancement of Teaching found a growing gap between legal education and the actual experiences a new lawyer needs, and called for major reforms of what students are taught. A good example of how third year courses will look at Washington and Lee can be found in the business law course led by Lyman Johnson, a professor who pioneered the experiential method at the law school and who helped prepare the plan to overhaul the curriculum. One of the first assignments in the class is for students to draft a deal for two entrepreneurs. The students would be given raw material (background on the business and the clients). They would then talk through with Johnson what information they didn’t have but needed to do a good job. Then they prepare a draft deal of about 25 pages, and a memo of 6 pages to a senior partner in a firm, explaining why the deal was structured as they proposed. Johnson said he would then give them detailed feedback, but not in the form of a standard academic evaluation, but of the sort the senior partner would give to a new associate. “The relevant standard is whether this work product is ready to go out the door,” he said. Since he started teaching this way, Johnson said, he has regularly heard from graduates that this was the course that set them up for successful work as lawyers, and that they wished they had been able to take more such courses.

JUDGE RULES VIACOM CAN’T PURSUE PUNITIVE DAMAGES IN YOUTUBE SUIT (BNA’s Internet Law News, 12 March 2008) - A U.S. federal judge ruled that Viacom could not pursue punitive damages in its $1 billion-plus copyright-infringement lawsuit against Google and YouTube. The denial does not impact Viacom’s original claim of more than $1 billion in damages. It simply prevents the New York-based company from amending its complaint and seeking additional damages.

PATENT OFFICE AGREES TO REVIEW INFAMOUS JPEG PATENT (TechDirt, 12 March 2008) - Last month, we noted that there was some effort being made to get the Patent Office to do a re-exam of a patent that attorney Ray Niro had been using to go after any site that had a JPEG image. While the patent itself had been re-examed before, one claim had been left intact, which Niro has said covers anyone using JPEG compression. It appears that the effort to get the USPTO to look into the patent once again has succeeded, though it’s a long and rather involved process that won’t come to fruition for quite a long time. The request includes a long list of prior art on that one particular claim, which the Patent Office admits it did not look at earlier and that raise substantial questions about the patentability of the remaining claim in the patent. This is rather good news.

DOCTOR BLOGS RAISE CONCERNS ABOUT PATIENT PRIVACY (NPR, 13 March 2008) - Medical blogs have drawn back the curtain on the inner workings of the health care profession. Online readers can learn about the latest medical gadgets, read physicians’ views on health care issues, even get a peek at the inner thoughts of surgeons. But despite their attraction, these blogs have raised concerns about privacy issues on the Web. Take a stroll through any of the 120,000 health care blogs and you can find opinions on everything from popular pharmaceuticals to celebrity skin problems. There are no precise figures on how many doctor blogs are out there, but they are easy to find. One blog called “EM Physician” recounts a scene of gang members turning up at the ER with severe burns. “Aggravated DocSurg” says that operations are “fun,” and “Radiology Picture of the Day” shows a range of horrific conditions from brain diseases to a breast implant rupture. One physician blogger, who draws about 12,000 readers a day, is New Hampshire internist Dr. Kevin Pho. His blog, “Kevin, M.D.,” offers a doctor’s eye view on medical issues that appeal to both his peers and the public. “I talk a lot about primary care because there’s a myriad of problems that I as a primary care physician face that I want to communicate to the public. I talk about malpractice and how physicians practice defensive medicine to avoid malpractice lawsuits,” says Pho. His daily writings have made him something of a celebrity in the blogosphere. But not all physician blogs are geared toward marketing. In fact, just the opposite seems to be the case in some extremely candid blogs, like “White Coat Rants,” “Cancer Doc” and “M.D.O.D.,” which bills itself as “Random Thoughts from a Few Cantankerous American Physicians.” These are more like diaries in which doctors vent about reimbursement rates, difficult cases and what a “bummer” it is to have so many patients die. Dr. Deborah Peel, a psychiatrist and founder of the group Patient Privacy Rights, thinks physician blogs often step too close to the limits of patient privacy. “The problem with physicians blogging about patients is the danger that that person will be able to identify themselves, or that others that know them will be able to identify them,” she says. Peel’s group worries that information about a patient’s case could be traced back to the individual and adversely affect his or her employment, health insurance or other aspects of his or her life. Dr. Robert Wachter, author of a blog called “Wachter’s World,” * * * says it’s important for doctors to be able to share cases, as long as they change the facts substantially. But he says that’s one reason patients shouldn’t take all the information on blogs at face value. Wachter says taken for what they are — unedited opinions, and in some cases entertainment — blogs can give readers some useful insight into the good, the bad and the ugly of the medical profession.

INSPECTOR GENERAL: FBI NOT EMBRACING PRIVACY SAFEGUARDS (Wired, 13 March 2008) - The FBI has wielded the Patriot Act’s extraordinary surveillance powers to unlawfully collect information about American citizens and has resisted some efforts to impose additional privacy safeguards, according to the U.S. Department of Justice’s inspector general. Inspector General Glenn Fine, in a pair of reports released on Thursday reviewing the 2006 calendar year, acknowledged the FBI’s top management has been receptive to the points he raised in his first report a year earlier. But he indicated that there was nevertheless resistance to increased oversight and better record-keeping, which would help to prevent further abuses. The longer of the two reports dealt with national security letters, or secret FBI requests - done without court oversight or approval - for administrative information that communication providers, credit agencies, or banks might store. The second report (PDF) discusses broader “Section 215” requests for information that can be sent to any individual or company under the Foreign Intelligence Surveillance Act; these, however, must be approved by a judge. (The second report was heavily redacted, with some key pages blacked out.) Some highlights:
* The FBI tried to whitewash illegal uses of Patriot Act surveillance authority that was intended to be used against terrorists and spies but ended up being used against Americans. FBI officials characterized these unlawful acts as “administrative errors,” which Fine said “diminishes their seriousness and fosters a perception that compliance with FBI policies... is annoying paperwork.”
* An FBI working group created by the attorney general recommended against the privacy-protective step of “tagging” information obtained through national security letters on grounds it would place “an undue burden on the operation” of the bureau.
* The same working group downplayed the severity of the FBI’s surveillance abuses, saying agents have a highly regulated system for approving national security letters and for identifying violations. Fine’s response: “Contrary to the NSL Working Group’s conclusions, we do not believe that existing controls are a sufficient basis on which to rely in evaluating the need for additional privacy protections.”
* The Justice Department inaccurately reported the number of national security letters. Eleven of the letters sought billing records on a total of 3,860 phone numbers - a whopping amount. That figure was not disclosed to Congress.
* Even though national security letters are not supposed to be used to obtain the contents of communications - they only can obtain billing records and so on - some e-mail providers handed over full message bodies or Subject: lines anyway. In these cases, however, the FBI’s general counsel directed that the records be sealed and a second request sent.
* No information from a Section 215 order was actually used in a criminal proceeding in 2006. In addition, “the evidence showed no instance where the information obtained from a Section 215 order... resulted in a major investigative development.” Nevertheless, Director of National Intelligence Mike McConnell responded by calling them “an invaluable tool.”
* Companies served with Section 215 orders in two known instances in 2006, either by accident or because they’re overeager, turned over more information than they’re authorized to divulge. In one case, a company handed over data “that was not requested in the Section 215 application or authorized by the FISA court.”
* In those cases, the FBI’s adherence to the law is spotty. A situation involved the FBI receiving information about a U.S. person for two months after the surveillance order expired - without objecting. In fact, the FBI argued that the information should be treated as an “voluntary production.” Fine’s report: “We disagree and believe that the production of these additional records should not be considered as voluntary...”
* The FISA court twice rejected the FBI’s request for Section 215 orders because the police were investigating lawful conduct protected by the First Amendment. But after the FBI was rejected, it sent national security letters instead. Fine said the FBI should have re-evaluated the investigation instead. NSL report at; redacted Section 215 report at

INSURERS LOOK TO COVER HACKING DAMAGE (The Globe & Mail, 14 March 2008) - Insurers are betting that an explosion of sophisticated computer hacking will create a new market in Canada for insurance to cover the growing costs of recovering from privacy breaches.Toronto-based Executive Risk Insurance Services says it is launching a new category of insurance for corporate clients, similar to products offered by U.S. giants like American International Group Inc. and Chubb Corp., to manage the fallout when sensitive data is lost or stolen.

- and -

CERTEGY OFFERS TO SETTLE LAWSUIT STEMMING FROM THEFT OF DATA ON 8.5M CONSUMERS (Computerworld, 14 March 2008) - In a move designed to avoid the time and costs associated with a protracted legal battle, Certegy Check Services Inc. has offered to settle a class-action lawsuit filed on behalf of 8.5 million people whose personal data was compromised by an insider theft that the company disclosed last July. The 52-page settlement was proposed by St. Petersburg, Fla.-based Certegy on Jan. 9 but just came to light this week. It currently is under review by a U.S. District Court judge in Tampa. Certegy, a check-processing company that is a subsidiary of Fidelity National Information Services Inc., said last summer that a rogue database administrator had illegally accessed and then sold the personal data of about 2.3 million consumers to data brokers. The company later upped the number of compromised accounts to 8.5 million in filings made to the U.S. Securities and Exchange Commission in August. If accepted, Certegy’s proposed settlement would give qualifying members of the plaintiffs class one year’s worth of free credit monitoring services and $10,000 worth of identity theft insurance coverage, except for residents of New York, where the third-party credit monitoring firm being used by Certegy doesn’t offer the insurance coverage. The settlement would also provide up to two year’s worth of free bank account monitoring services for individuals whose banking information may have been compromised in the incident. In addition, consumers who can show that they were victimized by identity theft as a result of the breach will be eligible for certain “out-of-pocket” costs, such as those resulting from bank overdraft fees, according to a copy of the settlement sent to Computerworld by Certegy. But there are several caveats to that particular offer. For instance, Certegy has capped the total amount of money it will pay for identity theft claims to $4 million, which will be disbursed on a first-come, first-served basis. Claims have to be filed within 90 days of the discovery of an identity theft incident or before March 31, 2011 — whichever comes first. And the maximum amount that an individual can recover is $20,000.

- and -

CREDIT CARD BREACH RAISES BROAD CONCERNS (New York Times, 23 March 2008) - When up to 4.2 million account numbers were stolen over three months by thieves who cracked computers at an Eastern supermarket chain, it at first sounded like the latest in a long line of credit card breaches. But the specifics of the crime, revealed last week, included some troubling twists that might expose big holes in the payment industry’s security standards. The supermarket chain, the Hannaford Brothers Company, said the data were exposed when shoppers swiped their cards and the information was transmitted to banks for approval. Thieves have commonly pilfered card data from databases maintained by merchants or card processors, but the Hannaford episode appears to be the first large-scale piracy of data in transit. “Catching data on the move is a bit more challenging,” said Aaron Bills, chief operating officer at 3Delta Systems Inc., a transaction processing firm in Chantilly, Va. Mr. Bills compared it to robbing a truckload of merchandise, noting that it was easier when the vehicle was parked than when it was traveling. And, even while the theft was under way last month, Hannaford was found to be in compliance with the security standards required by the Payment Card Industry, a coalition founded by credit card companies. The group sets rules on issues like screening of employees and precautions against hackers; industry standards were tightened in recent years after other significant data breaches. Outside assessors audit companies to ensure compliance. The identity of Hannaford’s auditor was not disclosed. Even though Hannaford met those security standards, the attack on its stores in the Northeast and its affiliated Sweetbay stores in Florida revealed 4.2 million card numbers from Dec. 7 to March 10. About 1,800 cards have been used fraudulently. The Secret Service is investigating. The breach has raised questions about whether other merchants are overconfident about their security. David Navetta, president of InfoSecCompliance, a Denver law firm that concentrates on computer security and regulatory compliance, said Hannaford and its assessor might have been tripped up by ambiguity in the Payment Card Industry standards about when companies must encrypt payment data to cloak it from outsiders. In particular, the standards require companies to encrypt data that travels over computer networks “that are easy and common for a hacker to intercept.” Whether internal networks are “easy and common” to crack is a matter of judgment. Mr. Navetta said Hannaford might have left data unencrypted in a spot that turned out to be vulnerable. and and

CRAIGSLIST GETS SEVENTH CIRCUIT 230 WIN IN FAIR HOUSING ACT CASE (Eric Goldman’s blog, 14 March 2008) - Yesterday, I declared this week “47 USC 230 Week” at the Technology & Marketing Law Blog. The Seventh Circuit helps us end 47 USC 230 Week with a bang with its Craigslist ruling, an important opinion that reinvigorates 47 USC 230 doctrine in the Seventh Circuit. Sadly, like the district court opinion, this opinion is filled with gratuitous and unfortunate dicta that dilutes the analysis. Nevertheless, on the plus side, the Seventh Circuit (like the district court) emphatically reaches the right result and grants Craigslist a solid win under 47 USC 230. Easterbrook’s opinion takes a loving and lengthy gaze at his previous Doe v. GTE opinion (including using about 20% of this opinion to quote from the prior opinion), but I don’t think there’s much value to parsing his confusing statutory analysis to figure out how the two opinions sit together. Instead, the key part of the opinion is that Easterbrook fully realizes the costs and benefits of making an intermediary filter user content. Craiglists provides an excellent test case for that because they are so leanly staffed, and the Fair Housing Act is a good test statute because of the squishy nature of making discrimination assessments. More fundamentally, Easterbrook also understands that any filtering system is imperfect: “Automated filters and human reviewers may be equally poor at sifting good from bad postings unless the discrimination is blatant; both false positives and false negatives are inevitable.” As a result, Easterbrook recognizes that turning Craiglist into a content cop may not be the best solution. I think his conclusion says it best: “Using the remarkably candid postings on craigslist, the Lawyers’ Committee can identify many targets to investigate. It can dispatch testers and collect damages from any landlord or owner who engages in discrimination....It can assemble a list of names to send to the Attorney General for prosecution. But given §230(c)(1) it cannot sue the messenger just because the message reveals a third party’s plan to engage in unlawful discrimination.” It will be interesting to see how this opinion affects the Ninth Circuit’s en banc consideration of the case. After all, the legal issues are identical, and Easterbrook’s Doe v. GTE ruling was a key precedent for the plaintiffs. Now, with Easterbrook having said (decisively) that 230 preempts claims for the Fair Housing Act, it seems like the Doe precedent is effectively worthless to the plaintiffs. As a result, the only solid way for the plaintiffs to distinguish the uniformly defense-favorable precedent is by hammering on the fact that provided structured categories for user content-a fact that might be enough to craft an exception to 230, though I think it shouldn’t.

STATE GOVERNMENTS RESIST ‘SUNSHINE LAWS’ (Washington Post, 15 March 2008) - In New Jersey, the governor’s e-mails might shed light on whether he inappropriately conferred with a labor leader he once dated. In Detroit, the mayor’s text messages revealed a sexually charged scandal. In California, a fight rages for access to e-mails sent by a city councilwoman about a controversial biological laboratory. Even the White House has been under pressure from Democrats in Congress over its problem-plagued e-mail system. While e-mail and text messaging has become a hugely popular way to communicate throughout society, governments at all levels are often unwilling to let the public see the e-mails of their elected officials. Officially, e-mails in all but a handful of states are treated like paper documents and subject to Freedom of Information requests. But most of these states have rules allowing them to choose which e-mails to turn over, and most decide on their own when e-mail records are deleted. “There seems to be an attitude throughout government _ at all levels _ that somehow electronic communications are of its own kind and not subject to the laws in the way that print communications are,” said Patrice McDermott, director of “So we keep hearing reports of governors and mayors who decree that their e-mail records can be destroyed, in six weeks or six months, with no appraisal for permanent value and no review by an independent body,” she said. Open records advocates contend by keeping electronic communications private, states are giving their elected officials an avenue to operate in secret _ they use taxpayer-funded computers to send and receive e-mail but with little or no obligation to make such communications public. “The public needs to realize that is their possibility for accountability and historical review that is being put through the electronic shredder,” McDermott said.

SPITZER’S CALL GIRL THREATENS PUBLICITY RIGHTS ACTION (The Reporter blog, 16 March 2008) - The high-priced escort hired by former New York Gov. Eliot Spitzer could be planning to bring a publicity rights lawsuit against media outlets that published photos of her without her consent. The NY Post - no surprise here - led the way in the “Spitzergate” press frenzy by running four photos Friday which, among other things, depict a topless Ashley Alexandra Dupré barely covering her breasts. Dupré’s court-appointed attorney Don Buchwald of Kelley Drye & Warren in New York quickly rattled off a Marty Singer-style press release in which he complained that “some publications, in violation of journalistic norms, have used the occasion of Governor Spitzer’s political misfortunes as an excuse to exploit Ms. Dupré’s persona for commercial purposes.” “In view of what happened, we feel constrained to put the media on notice that as counsel for Ms. Dupré we will take all steps that we deem necessary or appropriate to protect Ms. Dupré from any unwarranted exploitation of her name, picture, voice, or likeness for purposes of profit,” Buchwald warned. According to various media reports, the Post purchased the photos from New York-based photographer Wesley Mann, who shot them in 2007. Any claim Dupré might have against the Post could be pretty shaky if Mann had her sign a release. Some eyebrows have also been raised over the widespread media reproduction of snapshots that Dupré had posted on her MySpace page - with three attorneys interviewed by Photo Digest News suggesting those who published them “are sailing in dangerous waters,” while others believe fair use would apply.

ITALIAN FILE-SHARERS LET OFF THE HOOK (, 17 March 2008) - Italian companies may not spy on individuals who engage in illegal file-sharing, according to a controversial new ruling. The ruling of Francesco Pizzetti, president of the official Italian body for Guaranteeing the Protection of Private Data, follows the attempts of a German record label, Peppermint, which last year began using the Swiss computer firm Logistep to gather the IP addresses of at least 300 Italians who were illegally sharing files. An Italian magistrate granted the companies permission to obtain the street addresses of the file-sharers from Internet service providers and send them registered letters, inviting them to destroy the files in question or else face hefty fines. Italian consumer rights groups protested against the decision and the case was brought to the attention of the Guarantor, who handed down the ruling.

LAW FIRM DEVELOPS IN-HOUSE SYSTEM TO DEAL WITH DISCOVERY REQUESTS (Computerworld, 17 March 2008) - The lawyers at Fenwick & West LLP had to sort through more than 100 million files for a client facing litigation. The firm sought outside providers to handle the discovery, but the client was put off by the estimated multimillion-dollar cost. “They asked us to find another way,” says Chief Technology Officer Matt Kesner. Kesner’s team came up with a solution: a proprietary in-house process called FIND, for File Identification Narrowed by Definition, which culls through data to identify pertinent pieces of information that lawyers can then review. Since that initial innovation about five years ago, Kesner’s IT department has refined the process, making the technology-driven service an important part of what it offers to the firm’s lawyers as well as their clients. “It is a great thing for firms to be doing, because it’s just not possible to do this kind of work anymore without using software,” says Gene Koo, a fellow at Harvard Law School’s Berkman Center for Internet & Society.

COLLEGE GOSSIP SITE UNDER SCRUTINY (AP, 18 March 2008) - New Jersey prosecutors have subpoenaed records of, a Web site that publishes anonymous, often malicious gossip about college students. Language on the site ranges from catty to hateful and offensive. One thread, for example, on the “most overrated Princeton student” quickly dissolves into name-calling, homophobia and anti-Semitism. JuicyCampus may be violating the state’s Consumer Fraud Act by suggesting that it doesn’t allow offensive material but providing no enforcement of that rule — and no way for users to report or dispute the material, New Jersey Attorney General Anne Milgram said Tuesday. The site seems designed to shield its users from the threat of libel claims. “It is not possible for anyone to use this Web site to find out who you are or where you are located,” assures a JuicyCampus privacy page. “We do not track any information that can be used by us to identify you. “

SCIENCE JOURNAL WON’T PUBLISH PAPERS BECAUSE AUTHORS WANT TO PUT THEM ON WIKIPEDIA (TechDirt, 19 March 2008) - Over the last few months, we’ve been hearing more and more stories concerning some of the ridiculous levels of control that academic journals exert over the copyrights on the various papers and research they publish. Since many of those journals are ridiculously expensive, much of this important research is basically locked up entirely. This is especially troublesome when it comes to publicly funded research, which you would think should be available to the taxpayers who paid for it. While we’ve definitely seen a trend towards more open rules to publishing, many journals are still behind the curve. Reader parsko writes in to alert us to the news of the American Physical Society, which withdrew the offer to publish two recent studies in the Physical Review Letters because the authors wanted to be able to publish parts of the study in Wikipedia. Since the APS requires you hand over the rights to the study, they wouldn’t allow it, and turned down the papers because of it. Not surprisingly, various scientists are upset about this, pointing out that it seems totally contrary to the purpose of the journal to hide such information using copyright claims.

FBI POSTS FAKE HYPERLINKS TO SNARE CHILD PORN SUSPECTS (CNET, 20 March 2008) - The FBI has recently adopted a novel investigative technique: posting hyperlinks that purport to be illegal videos of minors having sex, and then raiding the homes of anyone willing to click on them. Undercover FBI agents used this hyperlink-enticement technique, which directed Internet users to a clandestine government server, to stage armed raids of homes in Pennsylvania, New York, and Nevada last year. The supposed video files actually were gibberish and contained no illegal images. A CNET review of legal documents shows that courts have approved of this technique, even though it raises questions about entrapment, the problems of identifying who’s using an open wireless connection-and whether anyone who clicks on a FBI link that contains no child pornography should be automatically subject to a dawn raid by federal police. While it might seem that merely clicking on a link wouldn’t be enough to justify a search warrant, courts have ruled otherwise. On March 6, U.S. District Judge Roger Hunt in Nevada agreed with a magistrate judge that the hyperlink-sting operation constituted sufficient probable cause to justify giving the FBI its search warrant. But the magistrate judge ruled that even the possibilities of spoofing or other users of an open Wi-Fi connection “would not have negated a substantial basis for concluding that there was probable cause to believe that evidence of child pornography would be found on the premises to be searched.” Translated, that means the search warrant was valid.The implications of the FBI’s hyperlink-enticement technique are sweeping. Using the same logic and legal arguments, federal agents could send unsolicited e-mail messages to millions of Americans advertising illegal narcotics or child pornography-and raid people who click on the links embedded in the spam messages. The bureau could register the “” domain name and prosecute intentional visitors. And so on.

CYBER ATTACKS TARGET PRO-TIBET GROUPS (Washington Post, 21 March 2008) - Human rights and pro-democracy groups sympathetic to anti-China demonstrators in Tibet are being targeted by sophisticated cyber attacks designed to disrupt their work and steal information on their members and activitiesAlison Reynolds, director of the Tibet Support Network, said organizations affiliated with her group are receiving on average 20 e-mail virus attacks daily. Increasingly, she said, the contents of the messages suggest that someone on one or more of the member groups’ mailing lists has an e-mail account or computer that has already been compromised. Sharon Hom, executive director of the New York-based Human Rights in China, said the group’s 25 staff members have reported a marked upswing in the number and sophistication of e-mail virus attacks. In 2006, the group intercepted just two targeted e-mail attacks, and by the end of last year that number had grown to 40. In the first three months of 2008, the group has received more than 100 such targeted attacks. Experts say attributing such attacks to any one group or government is extremely difficult, as computer systems that appear to be the source of malicious activity online often are controlled by persons or groups using computers in completely different locations. But Reynolds said these types of sustained, targeted attacks suggest a level of organization, tenacity and degree of commitment not typically seen in attacks by individual hackers. A handful of recent targeted attacks shared the same Internet resources and tactics in common with those used in a spate of digital assaults against number of major U.S. defense contractors, said Maarten Van Horenbeeck, an incident handler with the SANS Internet Storm Center, Bethesda, Md.-based organization that tracks online security trends. According to a January article in Air Force Online, a series of e-mail attacks originating in China targeted 28 defense contractor locations in the United States late last year. The story named specific Beijing-based Internet addresses that the FBI later determined were the origin of the attacks. and

- and -

FBI OPENS PROBE OF CHINA-BASED HACKERS (Washington Post, 21 March 2008) - The FBI has opened a preliminary investigation of a report that China-based hackers have penetrated the e-mail accounts of leaders and members of the Save Darfur Coalition, a national advocacy group pushing to end the six-year-old conflict in Sudan. The accounts of 10 members were hacked into between early February and last week, and the intruders also gained access to the group’s Web server and viewed pages from the inside, the group said yesterday. The intruders, said coalition spokesman M. Allyn Brooks-LaSure, “seemed intent on subversively monitoring, probing and disrupting coalition activities.” He said Web site logs and e-mails showed Internet protocol addresses that were traced to China. The allegation fits a near decade-old pattern of cyber-espionage and cyber-intimidation by the Chinese government against critics of its human rights practices, experts said. It comes as calls for a boycott of the 2008 Beijing Olympics have been mounting since China’s crackdown on Tibetan protesters last week.

FIVE TIPS FOR LAWYER ADVERTISING: FROM BILLBOARDS TO BLOGS (ABA Journal, 25 March 2008) - Long gone are the days when advertising in the Yellow Pages was the sole means of growing a law practice. Lawyers are now using a variety of media to advertise, including Web sites, blogs, television, billboards and direct mail. While advertising for most industries is virtually painless with few restrictions, advertising for lawyers is a more complex process that is bound by many laws, including federal and state regulations, as well as the ABA Model Rules, which offer guidance on lawyer conduct. A recent ABA teleconference, “Advertising for the Next Generation: From Billboards to Blogs,” provided an overview of some of these regulations. ABA teleconference available for purchase here:

IF I DON’T SEE IT, DOES IT MEAN IT’S NOT THERE? METADATA–ETHICS, TECHNOLOGY AND MORE (ABA Journal, 25 March 2008) - As much information and entertainment as the Internet may provide and as beneficial as we find e-mail and word processing, the world of technology is wrought with potential pitfalls. Metadata—data about data—is one possible source of distress. Many electronic documents contain information beyond the printable page, such as the author’s identity, the number of revisions made and even comments and redlining revealed with a few quick strokes on the keyboard. Users may unintentionally share things that they didn’t expect to. As Catherine Sanders Reach, director of the ABA Legal Technology Resource Center, outlines in her presentation, “Dangerous Curves Ahead: The Crossroads of Ethics and Technology,” metadata is coming to the forefront as technology proliferates. Because the Model Rules of Professional Conduct “do not contain any specific prohibition against a lawyer’ s reviewing and using embedded information in electronic documents, whether received from opposing counsel, an adverse party, or an agent of an adverse party,” metadata has become the basis of several ethics opinions by states and the ABA. View ABA ethics opinion 06-442, for example. ABA Ethics Opinion here:

COURT UPHOLDS CONYERS MAN’S CRITICISMS OF WAL-MART (Atlanta Journal, 25 March 2008) - A Conyers man may continue criticizing Wal-Mart with parodies on T-shirts that compare the retail giant to the Holocaust and al-Qaida terrorists, a federal judge has ruled. Rejecting Wal-Mart’s claim of trademark infringement, U.S. District Judge Timothy Batten in Atlanta ruled that Charles Smith may maintain his Web sites, and Smith also may continue to sell novelty, satirical merchandise that criticizes the company, the judge said. Sharon Weber, a Wal-Mart spokeswoman, said the company is studying the decision and considering its options for appeal. “We feel we have a duty to defend our trademarks and other intellectual property,” Weber said. Smith, who runs a computer store across the street from a Wal-Mart in Covington, invented the term “Walocaust” to express his feelings about the company. He created “Walocaust” designs to call attention to his beliefs and to get others to join his cause. Once a Wal-Mart shopper, Smith said he came to believe that the company has a destructive effect on communities and treats workers badly. In July 2005, Smith began marketing T-shirts bearing “I [heart] Wal-ocaust” logos. Another reads, “Wal-Qaeda, The Dime Store From Hell.” He sold a few dozen of them through CafePress, an online retailer that imprints shirts with designs created by individuals. In late 2005 and early 2006, Wal-Mart sent letters demanding that CafePress cease selling all of Smith’s products. The retailer soon removed all of Smith’s Wal-Mart-related merchandise from its online store. Smith then filed suit against Wal-Mart to seek a judgment allowing him to continue marketing his satirical logos and designs. A month later, Wal-Mart countersued and said the “tasteless” and “repulsive” logos tarnished its trademarks and business reputation. It also objected to Smith’s registration and use of the Internet domain name.

CT RULES WEB WINE RETAILER MAY NOT DELEGATE AGE VERIFICATION DUTY TO DELIVERY COMPANY (BNA’s Internet Law News, 27 March 2008) -The Massachusetts Supreme Judicial Court has ruled that an online retailer cannot avoid liability under Massachusetts law for selling and delivering alcohol to a minor by delegating delivery duties to a third party. Although the company held a delivery contract with Federal Express, it retained affirmative age-verification duties, the court held. Case name is eVineyard Retail Sales-Massachusetts Inc. v. Alcoholic Beverages Control Comm’n.

6 BANKS ARE SUED IN CLEAR CHANNEL DEAL (New York Times, 27 March 2008) - The buyers of Clear Channel Communications received a curious e-mail message last July from Credit Suisse, one of the banks financing the radio broadcaster’s sale. But it was misdirected and not meant for their eyes. Attached to the message were confidential documents from the six banks that had agreed to finance that $19.5 billion takeover. What the prospective buyers, Bain Capital and THL Partners, found most startling was that the banks were discussing how they planned to renege on terms of the lending agreements, just two months after they had reaffirmed their commitment to financing the deal. That e-mail message has set the stage for a big and complex battle over a broken private equity deal. On Wednesday, Bain and THL filed suits against the bank consortium, naming Citigroup, Morgan Stanley, Deutsche Bank, the Royal Bank of Scotland and Wachovia, as well as Credit Suisse.

PROPOSED SEC REGULATIONS WOULD REQUIRE DATA BREACH NOTIFICATION (Steptoe & Johnson, 27 March 2008) - Citing “the increase in reported security breaches and the potential for identity theft among” brokers, dealers, investment companies, investment advisers, and transfer agents, the Securities and Exchange Commission has proposed a rule (73 Fed. Reg. 13692 (Mar. 13, 2008)) that would impose new data security requirements on those institutions. Among these requirements would be a duty to notify the Commission (or, for certain broker-dealers, their designated examining authority) “as soon as possible after [they] become aware of any incident of unauthorized access to or use of personal information in which … [t]here is a significant risk that an individual identified with the information might suffer substantial harm or inconvenience ... or [a]n unauthorized person has intentionally obtained access to or used sensitive personal information.” Covered institutions would also have to notify affected individuals if there has been unauthorized access to or use of “sensitive” personal information and “misuse of the information has occurred or is reasonably possible.” If adopted, the rule would create more consistency in the rules for financial institutions, since other financial regulators already require such breach notification. See Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (70 Fed. Reg. 15736 (Mar. 29, 2005)). (Notably, though, the SEC’s threshold for notification of regulators is higher than the other financial regulators’.) The proposed rule would also impose new record-keeping requirements and duties to protect personal data during use and disposal. Comments on the proposed rule are due by May 12, 2008. Proposed rule:; Interagency Guidance:

YOUTUBE FEATURE TELLS VIDEO CREATORS WHEN AND WHERE A CLIP IS BEING WATCHED (New York Times, 27 March 2008) - In a move to provide better data to its users, YouTube formally announced late Wednesday that it had added a free feature that will show video creators when and where viewers are watching their videos. With this, the company hopes to turn YouTube from an online video site into a place where marketers can test their messages, Tracy Chan, YouTube product manager, said. This program, called YouTube Insight, provides a detailed view of a video’s popularity, both over time and geographically, broken down by state. (Internationally, YouTube Insight is not as insightful, providing only popularity by country.) YouTube has provided basic analytical information to creators of videos since its introduction, including the number of views, the viewers’ ratings of the video, and the number of comments left. Advertisers received a slightly more sophisticated summary. With the Insight information, video creators can dig into the specifics of a video’s performance and find, for example, that it peaks on Fridays in winter months, or it has taken several weeks to get traction — information that can help better promote their work. The information, presented as a color-coded map and a graph of a video’s popularity, is accessible through a link from a video creator’s account page on YouTube. The company will update the data once a day. But it is likely that marketers rather than casual users will be clamoring for these tools the most. YouTube executives suggest that marketers can use the tools in several ways. A movie studio might run several versions of a trailer to see what is catching on where, and if a humorous spot is catching fire in Texas, might start running that trailer as a TV ad in the state. A political campaign could test spots of a candidate discussing the environment or the economy; if an environmental spot is popular in Pennsylvania, that might help decide what the candidate stumps about there.

COMCAST AGREES NOT TO INTERFERE WITH FILE-SHARING (CNN, 27 March 2008) - Comcast Corp., an Internet service provider under investigation for hampering online file-sharing by its subscribers, announced Thursday an about-face in its stance and said it will treat all types of Internet traffic equally. Since user reports of interference with file-sharing traffic were confirmed by an Associated Press investigation in October, Comcast has been vigorously defending its practices, most recently at a hearing of the Federal Communications Commission in February. Consumer and “Net Neutrality” advocates have been equally vigorous in their attacks on the company, saying that by secretly blocking some connections between file-sharing computers, Comcast made itself a judge and gatekeeper for the Internet. They also accused Comcast of stifling delivery of Internet video, an emerging competitor to the cable company’s core business. Comcast has said that its practices were necessary to keep file-sharing traffic from overwhelming local cable lines, where neighbors share capacity with one another. On Thursday, Comcast said that by the end of the year, it will move to a system that manages capacity without favoring one type of traffic over another. The company initially veiled its traffic-management system in secrecy, saying openness would allow users to circumvent it. But on Thursday, Werner said the company would “publish” the new technique and take into account feedback from the Internet community.

FTC SETTLES WITH TJX OVER BREACH (SC Magazine, 27 March 2008) - The Federal Trade Commission (FTC) on Thursday announced a settlement with TJX over the discount retailer’s massive breach of customer credit card records. Last year, Framingham, Mass.-based TJX, which operates more than 2,500 stores worldwide, revealed that hackers stole some 45.7 million records from its systems over a two-year period period. Court filings since the disclosure have placed the amount at twice that number. Based on its charges, the FTC painted a bleak information security picture of TJX, the parent company for Marshalls and T.J. Maxx outlets. The FTC, in a statement Thursday, said TJX lacked proper security solutions, such as firewalls and wireless defense, and failed to patch vulnerabilities and update anti-virus signatures. The company also transmitted personal information in clear text, failed to require strong passwords and lacked measures to detect and prevent unauthorized computer access, the FTC also stated. As part of the settlement, TJX must create a “comprehensive security program reasonably designed to protect the security, confidentiality and integrity of personal information it collects from or about consumers.” Specifically, the FTC ordered TJX to designate an individual responsible for information security, identify risks to personal data, deploy safeguards to mitigate that risk, work out agreements with service providers that handle customer data, and evaluate and adjust its security program to meet operation changes. In addition, TJX must submit to a third-party audit of its security program every two years for the next two decades.

ONLINE ACCESS TO PUBLIC INFORMATION (IT Conversations, 18 March 2008) - Very interesting interview with Carl Malamud, a tireless crusader for online access to U.S. public information: SEC filings, patents, Congressional video, the Smithsonian’s historical photgraphy, and most recently, case law. On this edition of Interviews with Innovators, host Jon Udell asks Malamud about his strategies, accomplishments, and future plans. Malamud was responsible for the SEC’s EDGAR project, and has been involved in important sunshine projects ever since involving the FEC, the Library of Congress, C-SPAN, Congressional hearing, and the Smithsonian. More recently, he’s been providing open access to Federal case law. Rated: 3 stars. This podcast at; the case-law project is at … click on ran a story about Malamud, which was reported in MIRLN 11.03 - story at

JUSTICE GINSBURG AND BARONESS HALE: THE BRITISH AND UNITED STATES LEGAL SYSTEMS (Georgetown Law School, 24 Jan 2008) - Editor: Interesting dialogue between the two most-senior sitting judges in the U.S. and the U.K., touching on judicial independence, the coming Supreme Court of the United Kingdom, the proper use of other nations’ judicial decisions in our own, and our common histories. Rated: 1 star. Podcast (audio and video) at:

DANAH BOYD ON MYFRIENDS, MYSPACE (Harvard’s Berkman Center, 19 June 2007) - Editor: Fascinating discussion of the evolution of social network activities (from the Use-Net to Friendster, to MySpace, to Facebook) and the evolution of the concept of “Public Space”, with concentration on use by younger adults and analysis of the implications. I started listening closely because of my interest in Communities of Practice and Expertise-Locator systems (in the knowledge management context), but came to value the discussion for its larger implications. (The Q&A is quite good, too.) Rated: 2 stars. Podcast (audio and video) at:

**** MISC ****
SCARY SCREENSAVER? (Google) - SurveillanceSaver is a screensaver for OS X and Windows that shows live images of over 400 network surveillance cameras worldwide. A haunting live soap opera.

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. Edupage,
3. SANS Newsbites,
4. NewsScan and Innovation,
5. BNA’s Internet Law News,
6. Crypto-Gram,
7. McGuire Wood’s Technology & Business Articles of Note,
8. Steptoe & Johnson’s E-Commerce Law Week,
9. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.

Saturday, March 08, 2008

MIRLN - Misc. IT Related Legal News [17 February - 8 March 2008; v11.03]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley ( with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at and blogged at

**************End of Introductory Note***************

ADMINISTRATION SHUTTING DOWN ECONOMIC INDICATORS SITE (TechDirt, 14 Feb 2008) - While there was some decent news suggesting the economy might not be falling into a recession, there are still plenty of knowledgeable folks who think some sort of recession is likely. Last week, in New York, plenty of folks I spoke to seemed to believe we were already in one. Of course, to actually call a recession, the general consensus is that there would need to be two consecutive quarters of negative economic growth. So how would you measure that growth? Well, apparently the White House would prefer to make it as difficult as possible. Reader Jon writes in to note the rather inconvenient timing of the Administration suddenly deciding to shut down its own website that aggregated economic indicators. The site, had even won awards from Forbes as a great resource.

EUROPEAN HIGH COURT PROTECTS INTERNET PRIVACY (EPIC, 15 Feb 2008) - In response to a request from the Spanish national court, the European Court of Justice ruled today that European community law does not require European countries to disclose user information in civil cases involving copyright. The high court for the European Union also ruled that European Parliament directives on personal data do not entail an obligation of disclosure of the data for the purposes of ensuring effective protection of copyright in the context of civil proceedings. When interpreting and applying the directives, EU Member States should rely on an interpretation “which allows a fair balance to be struck between the various fundamental rights protected by the Community legal order,” the court said. The case is Promusicae, C-275/06.

FREE ONLINE ACCESS TO U.S. COURT DECISIONS (, 19 Feb 2008) - This week, Carl Malamud invites you to enhance your federal case law library by downloading millions of pages of decisions stretching back more than 250 years, all free of charge. His latest online “public works” project is a Web site,, which will open up all Supreme Court opinions dating back to the 1700s and all U.S. appeals courts decisions dating back to 1950. The activist’s efforts for the nonprofit group present a potential challenge to paid legal research services Thomson and LexisNexis. Malamud’s northern California-based group last week received full delivery of content from legal research company Fastcase, which agreed in November to sell the information with no strings attached. Malamud’s group has spent the past several days reformatting the data to post on the Web site, an event that will occur sometime this week. “We’re about getting bulk data and making it available,” free of charge, to the public, Malamud told the Law Tribune last week. “I want to see all federal case law downloadable in bulk.” He noted that there are no restrictions on the use of the information after it’s downloaded and that it’s up to individuals to create Web sites that utilize the information.

F.B.I. GAINED UNAUTHORIZED ACCESS TO E-MAIL (New York Times, 17 Feb 2008) - A technical glitch gave the F.B.I. access to the e-mail messages from an entire computer network — perhaps hundreds of accounts or more — instead of simply the lone e-mail address that was approved by a secret intelligence court as part of a national security investigation, according to an internal report of the 2006 episode. F.B.I. officials blamed an “apparent miscommunication” with the unnamed Internet provider, which mistakenly turned over all the e-mail from a small e-mail domain for which it served as host. The records were ultimately destroyed, officials said. Bureau officials noticed a “surge” in the e-mail activity they were monitoring and realized that the provider had mistakenly set its filtering equipment to trap far more data than a judge had actually authorized. The episode is an unusual example of what has become a regular if little-noticed occurrence, as American officials have expanded their technological tools: government officials, or the private companies they rely on for surveillance operations, sometimes foul up their instructions about what they can and cannot collect. [Editor: Actually, this happens much more often than it should, and more news is coming.]

CAYMAN ISLANDS BANK GETS WIKILEAKS TAKEN OFFLINE IN U.S. - UPDATED WITH LINKS (Wired, 18 Feb 2008) - Wikileaks, the whistleblower site that recently leaked documents related to prisons in Iraq and Guantanamo Bay, was taken offline last week by its U.S. host after posting documents that implicate a Cayman Islands bank in money laundering and tax evasion activities. In a pretty extraordinary ex-parte move, the Julius Baer Bank and Trust got Dynadot, the U.S. hosting company and domain registrar for Wikileaks, to agree not only to take down the Wikileaks site but also to “lock the domain name to prevent transfer of the domain name to a different domain registrar.” A judge in the U.S. District Court for Northern California signed off on the stipulation between the two parties last week without giving Wikileaks a chance to address the issue in court. The Julius Baer Bank, a Swiss bank with a division in the Cayman Islands, took issue with documents that were published on Wikileaks by an unidentified whistleblower, whom the bank claims is the former vice president of its Cayman Islands operation, Rudolf Elmer. The documents purport to provide evidence that the Cayman Islands bank helps customers hide assets and wash funds. After failing to convince Wikileaks to take down the documents, the bank went after its U.S. hosting service, which responded by agreeing not only to remove the Wikileaks account from Dyndadot’s server but also to help prevent Wikileaks from moving its site to a different host. Julie Turner, an attorney in California who represented Wikileaks prior to this latest litigation but is not counsel for the group on this matter, is surprised that the court sanctioned such a broad agreement. When the bank’s lawyers indicated they would be filing a suit, she asked them to tell her where so that Wikileaks could find an attorney in the appropriate jurisdiction to represent it. She says the lawyers refused to tell her. Two and a half weeks later, the bank filed a restraining order against Dynadot and Wikileaks in San Francisco. Wikileaks received notice only a few hours before the case went to a judge who accepted the agreement between Dynadot and the bank. UPDATE: Readers have asked for links to access Wikileaks. Cryptome has provided the bank documents in a convenient download: You can also view a mirror of the Wikileaks site ( or download a torrent of the Wikileaks archive ( Alternatively, as a few readers have pointed out, you can still reach the original Wikileaks site by using this direct link to it: New York Times story at

- a few days later -

WIKILEAKS RULING LEAVES BIG QUESTIONS UNANSWERED (New York Times, 1 March 2008) - Free speech advocates immediately hailed as a victory the decision on Friday of a federal judge to withdraw a prior order turning off the Web address of the site But the reasoning of United States District Judge Jeffrey S. White also means that the court may dodge having to grapple with some of the meaty First Amendment questions posed by the case and touched on repeatedly at a lengthy hearing in San Francisco. The lawsuit, brought by a Swiss bank and its Cayman Islands subsidiary against Wikileaks and Dynadot, the San Mateo, Calif., company that is the registrar for the domain name, became a cause célèbre for organizations like the American Civil Liberties Union, Public Citizen and the Electronic Frontier Foundation. Such organizations responded with a barrage of court filings in the wake of an order signed by Judge White last month that required Dynadot to disable the address, making it more difficult – but far from impossible – for Internet users to get to materials published by Wikileaks. The bank, Bank Julius Baer & Co., claimed that Wikileaks had displayed confidential, personally identifiable account information of its customers, as a result of possibly criminal actions by a former employee. Lawyers for the bank on Friday repeatedly told Judge White that Julius Baer clients had a right to keep their account information private and that there was no compelling interest to justify their disclosure. In this way lawyers for the bank set up a conflict between freedom of speech and the right to personal privacy. “All of this is private info that is not newsworthy,” said William J. Briggs, one of the lawyers for the bank. If one of the affected customers had been Ken Lay, the late, disgraced former chief executive of Enron, then perhaps there would be news value, Mr. Briggs continued, but that was not the case here. Judge White questioned lawyers about the possibility of redacting names from the documents. But Joshua Koltun, a lawyer for a graduate student whom the bank said was an “officer” of Wikileaks, warned that the names could prove to be essential information. “That’s how you identify who’s been salting away money in accounts,” Mr. Koltun said, drawing laughter from reporters in the courtroom. (The laugher in turn drew a rebuke from Judge White, who said sternly, “I won’t tolerate that.”) The judge and the lawyers also struggled mightily to define Wikileaks, which defines itself as an organization “founded by Chinese dissidents, journalists, mathematicians and startup company technologists, from the U.S., Taiwan, Europe, Australia and South Africa.” Traditional entities, like companies and individuals, have citizenship status that can determine when they are subject to a particular court’s jurisdiction. But what is Wikileaks, which has not been represented by a lawyer throughout these proceedings? “Whatever this entity is, it has not filed a response,” Judge White observed. Paul Alan Levy, a lawyer for Public Citizen in Washington, argued that the bank had brought more publicity to the documents on Wikileaks than ever by filing its lawsuit and obtaining the order affecting the site’s domain name. Under such circumstances, Mr. Levy asked the judge, “Should you give them any relief to help them unring the bell?” The question implicitly was whether the victims of public disclosure on the Web have any shot at redress. After hours of discussion that suggested the judge’s level of concern with reaching the correct outcome, Judge White looked unhappy that he could not think of a way to help the bank customers affected by the release of the documents. But he said that he feared the initial order suspending raised serious questions of unjustified prior restraint on free speech, and that in any event, once the documents were online, the court might well be powerless. “Maybe that’s just the reality of the world that we live in,” Judge White said. “When this genie gets out of the bottle, that’s it.”

- and, finally -

SWISS BANK JULIUS BAER DROPS WIKILEAKS LAWSUIT (Reuters, 6 March 2008) - Swiss bank Julius Baer Holding AG on Wednesday dropped its lawsuit against a whistle-blower Web site after losing a battle to keep the site from posting private account-holder information. The bank dismissed the lawsuit against the Web site,, and Dynadot LLC, the site’s registrar, without explanation in a filing in U.S. district court in San Francisco. It left open the possibility of filing another lawsuit in the same or in a different court. [Editor: the bank’s counsel might have tried harder to impress upon the bank the risks of proceeding. This case seems ill-advised; certainly the end-of-the-day results were very counterproductive.]

COMPUTER SOFTWARE TERMS ‘UNFAIR’ (BBC, 19 Feb 2008) - Some of the world’s biggest computer firms have been accused of imposing unfair contracts on customers who buy their software. The National Consumer Council (NCC) has accused 17 firms, including Microsoft, Adobe and Symantec, of using unfair “end user licence agreements” (EULAs). The NCC has asked the Office of Fair Trading to launch an investigation. The NCC said the firms’ EULAs were misleading customers into “signing away legal rights”. “Software rights-holders are shifting the legal burden on to consumers who buy computer programmes, leaving them with less protection than when they buy a cheap Biro,” said Carl Belgrove of the NCC. Symantec said it would welcome the opportunity to engage with the NCC and any other organisations in order to best serve the interests of its customers. The NCC looked at 25 software packages and said that in 17 instances, the packaging did not tell potential buyers they would have to sign an EULA in order to use it.

BANKS: LOSSES FROM COMPUTER INTRUSIONS UP IN 2007 (Washington Post, 20 Feb 2008) - U.S. financial institutions reported a sizable increase last year in the number of computer intrusions that led to online bank account takeovers and stolen funds, according to data obtained by Security Fi. xThe data also suggest such incidents are becoming far more costly for banks, businesses and consumers alike. The unusually detailed information comes from a non-public report assembled by the Federal Deposit Insurance Corporation, the federal entity that oversees and insures more than 9,000 U.S. financial institutions. The statistics were gathered as part of a routine quarterly survey called the Technology Incident Report, which examines so-called suspicious activity reports (SARs). In this case, SARs that were filed in the 2nd Quarter of 2007. SARs are federally mandated write-ups that banks are required to file anytime they spot a suspicious or fraudulent transaction that amounts to $5,000 or more. While the number of reported computer intrusion-related SARs (536) paled in comparison to the leading SARs categories - mortgage loan fraud (12,554) and check fraud (17,558) - the FDIC said financial crime aided by computer intrusions is growing at a rapid pace. Further, it noted that the mean (average) loss per SAR from computer intrusions was roughly $29,630 - almost triple the estimated loss per SAR during the same time period in 2006 ($10,536). The report indicates that in most cases, banks are at a loss to say exactly how cyber crooks are stealing the funds. The report indicates that the 80 percent of the computer intrusions were classified as “unknown unauthorized access - online banking,” and that “unknown unauthorized access to online banking has risen from 10 to 63 percent in the past year.”

NEW TOOL FOR ONLINE COLLECTIONS (InsideHigherEd, 20 Feb 2008) - Archival collections, impossible to house centrally at many campuses, are about to get easier to use. Starting today, librarians and archivists can upload digital content into online collections with relative ease, allowing them to effectively curate items with open-source tools instead of relying on third-party consultants to build specialized Web portals. The solution is a software package called Omeka (whose Swahili name means, among other things, “to display,” “to lay out for discussion” or “to unpack”), developed by George Mason University’s Center for History and New Media. The center, which supports numerous projects exploring online archives for historical purposes, also developed the open-source citation management tool Zotero. Omeka evolved from several similar historical archive projects being produced independently at the center, such as the September 11 Digital Archive and the Hurricane Digital Memory Bank. Today, the beta code is being made available to the general public. Using blogging software as a kind of model, the software’s developers envision Omeka as a relatively simple way to produce a rich, well-designed site that meets the common needs of librarians and archivists. The software is highly customizable and open-source, and the site has a database of plug-ins written by other users and contributors that can, for example, alter a collection’s look, features and layout. While there are plenty of open-source solutions for “the back of the house,” covering the cataloging and researching components, Scheinfeldt explained, there isn’t as much of a focus on access and presentation. “What access means to the general public is something more stylized, something more constructed, something more vetted, more curated, something more designed — an experience,” he said. The software allows curators to post items to a digital collection, in virtually any format they’d need. The interface also lets users upload their own materials and control copyright options for each item. For example, someone could decide to post something only for scholars to view privately, instead of for the public display, while others could upload material anonymously.

THREE MAY KEEP A SECRET, IF TWO OF THEM ARE DEAD (OR THE SECRET IS POSTED ON AN OBSCURE WEBSITE) (Steptoe & Johnson, 21 Feb 2008) - Ben Franklin’s quip about the impossibility of keeping secrets may have to be revised after a recent federal ruling that a third party’s posting of confidential business information to a publicly available - but obscure - website did not destroy the “trade secret” status of the information. The court’s ruling came in a dispute between Silicon Image, Inc. and Analogix Semiconductor, Inc., two manufacturers of “HDMI” microchips used in high-definition audio and video equipment. Silicon Image sued Analogix for trade secret misappropriation under California law, alleging that Analogix had essentially stolen its confidential source code and developed chips that copied Silicon Image’s designs. Analogix contended that the source code was no longer a trade secret, since someone had posted it to a Chinese-language website months before Silicon Image sued. The court found that publishing the source code on the website “did not destroy the secrecy of the information at issue,” since there was no evidence that the postings to the “obscure” website were “generally known” to “potential competitors.” The lesson for companies? Allowing your confidential information to be posted to a public website is undoubtedly a bad idea, but so long as the website doesn’t attract much attention, the information may still be a trade secret.

EU DATA PRIVACY REGULATORS SAY INTERNET SEARCH ENGINES MUST FOLLOW EU RULES (, 21 Feb 2008) - European data privacy regulators said Thursday that Internet search engines based outside Europe must also comply with EU rules on how a person’s Internet address or search history is stored. EU rules that someone must consent to their data being collected and give individuals the right to object or verify their information apply to search engines, the regulators’ group said in a short statement as they prepare a full report due by April. They also apply to companies headquartered outside the EU but have “an establishment” in one of the EU member states, or that use automated equipment based in a member state for processing personal data, the statement said. “Search engines fall under the EU data protection directive if there are controllers collecting users’ IP addresses or search history information, and therefore have to comply with relevant provisions,” said the group of national regulators from each EU nation, known as the Article 29 Working Party. and

PUBLISHER PURGES THOUSANDS OF UNLICENSED FONTS (CNET, 22 Feb 2008) - Publishing giant Faber & Faber is wiping away the chance of costly lawsuits by using software to purge unlicensed fonts. The London publishing house, which has printed classic authors from T.S. Eliot to W.H. Auden, found hundreds of thousands of unlicensed fonts on their machines using software from Monotype Imaging. The haul could have cost hundreds of thousands if left unaddressed-a recent Business Software Alliance enquiry valued 11,000 unlicensed typefaces at another London publishing house as being worth 80,000 pounds ($156,000). Faber said it was shocked at the number of unlicensed fonts it uncovered on 21 Apple Macs by Montotype’s Fontwise software, nearly three times the initial estimate. The company has now cleansed nearly all unlicensed fonts from 19 of the computers and has purchased the remaining licenses. Work is continuing to flush unauthorized fonts off the remaining two computers. Roy Smith, information systems manager at Faber, said rogue fonts had built up over time as demand grew for a wide range of fonts within the design department. He said: “Alarm bells started ringing when we saw other publishers punished for breaching copyright. We were totally shocked to see a six-figure number of fonts across the 21 machines. But we now have the tools and the knowledge required to maintain legality indefinitely.

OSAMA BIN LADEN’S “SECOND LIFE” (, 25 Feb 2008) - Lately there has been some rather bizarre hype about the potential threat from terrorists in cyberspace. Security specialists have been expressing increasing concern about the potential for mischief with Web 2.0. In particular, during the past six months a spate of newspaper articles have been citing security experts about the alleged danger that terrorists will use virtual worlds for nefarious purposes. Groups such as the U.S. government’s Intelligence Advanced Research Projects Activity say they fear that terrorists - using virtual personas called “avatars” - will recruit new members online, transfer funds in ways that cannot be traced, and may engage in training exercises that are useful for real-world terrorist operations. They point to existing “terrorist groups” operating on virtual reality sites as an ominous sign. Granted, militant jihadists have long used the Internet as a propaganda tool; recently, Osama bin Laden’s No. 2 man, Ayman al-Zawahiri, was even planning an online advice column for followers of al-Qaida worldwide. But what’s the real game here?

JOINING THE LAW SCHOOL RANKINGS GAME (InsideHighedEd, 26 Feb 2008) - In the highly competitive worlds of law school admissions and faculty recruitment, it often seems as if the Lake Wobegon effect is in full force. On their Web sites and in the other marketing materials that law schools distribute to raise their profiles — sometimes derided as “law porn” — virtually every law school boasts of having a faculty made up of stellar scholars, brilliant teachers and selfless public servants. “We continue to add depth to our already diverse and multifaceted faculty — excellent teachers whose high-quality research impacts leading academic and public policy issues,” reads the Web site of Northwestern University’s law school. “Columbia Law School is justifiably world renowned as a leader in scholarly research and a trailblazer in the development and application of legal theories and principles,” Columbia University says on its law school’s faculty page. “In both traditional and emerging fields of law, Columbia professors are at the forefront of developing and interpreting legal issues and precedents of great consequence to society. But the Law School’s overriding commitment continues to be as a teaching institution.” But how are applicants — for admission and/or jobs — to know whether the schools are living up to their promises on faculty quality, that all-important indicator of the institutions’ overall quality? asks the Green Bag, which describes itself as “an entertaining journal of law.” Consider some potential sources of such information. The Association of American Law Schools and the American Bar Association, both of which have law schools as their members, “appear to be committed to obfuscation” and avoid qualitative assessment of law schools at all costs, the Green Bag argues. And while the “void has been filled in part” by U.S. News & World Report, the only national journalistic publication that now ranks law schools, its ranking virtually ignores questions of faculty quality in its criteria, members, focusing instead on student-faculty ratio, spending on staff (including faculty) and peer assessments by other law school officials. The Green Bag plans to step into that breach, the journal announces in an editorial in its forthcoming issue. Starting this spring, it will begin work on the “Deadwood Report,” which it envisions being an annual assessment of “whether faculty members do the work that the law schools say they do.” The journal acknowledges that the ranking will provide “rough and admittedly partial” measures of law school faculty quality, but posits that by being transparent (it will disclose the sources of its data and how it derives its numbers and rankings from those data), and by bringing more information into public view, “it will help law school applicants make better decisions about where to study or work.... We are trying to do some good here.”

GERMAN COURT SHOOTS DOWN PC SURVEILLANCE (AP, 27 Feb 2008) - Government surveillance of personal computers violates the individual right to privacy, Germany’s highest court found Wednesday, in a ruling that German investigators say will restrict their ability to pursue terrorists. In the ruling, Germany’s Constitutional Court in Karlsruhe, established the privacy of data stored or exchanged on personal computers as a basic right protected by the nation’s constitution. “Collecting such data directly encroaches on a citizen’s rights, given that fear of being observed ... can prevent unselfconscious personal communication,” presiding judge Hans-Juergen Papier said in his ruling. At the same time, Papier said authorities would be allowed to spy on suspects’ computers using virus-like software in exceptional cases. However, any such action must have the approval of a judge before going forward. “Given the gravity of the intrusion, the secret infiltration of an IT system in such a way that use of the system and its data can be searched can only be constitutionally allowed if clear evidence of a concrete threat to a prominent object of legal protection exists,” Papier said. While Wednesday’s ruling was based on a law in the state of North Rhine-Westphalia that had permitted online spying, the high court’s decision will set a nationwide precedent, Papier said.;_ylt=AldSv2iEB_1K7QSi7CpZBKIE1vAI and and

FROM PAPER TO KILOBYTES (ABA Journal, February 2008) - You are a new associate in a medium sized 50-year-old law firm that has accumulated thousands of client files, most of which are closed or dormant. The cost of storing these files has become prohibitive. As the new lawyer in the firm whom everyone looks to as being presumptively up to date with current technology, you’ve been asked to formulate a firm policy about what items in the client files can be transferred to an electronic format, and once the transfer has been made, which items in the files can be discarded. As you begin to think through this process, you realize that even if you do make such a transfer, there will still be some items in individual client files that should not be discarded. What legal ethics issues should you keep in mind as you formulate this new firm policy? [ABA analysis, replete with references and citations, then follows.]

GOP HALTS EFFORT TO RETRIEVE WHITE HOUSE E-MAILS (Washington Post, 27 Feb 2008) - After promising last year to search its computers for tens of thousands of e-mails sent by White House officials, the Republican National Committee has informed a House committee that it no longer plans to retrieve the communications by restoring computer backup tapes, the panel’s chairman said yesterday. The move increases the likelihood that an untold number of RNC e-mails dealing with official White House business during the first term of the Bush administration - including many sent or received by former presidential adviser Karl Rove - will never be recovered, said House Democrats and public records advocates. The RNC had previously told the House Oversight and Government Reform Committee that it was attempting to restore e-mails from 2001 to 2003, when the RNC had a policy of purging all e-mails, including those to and from White House officials, after 30 days. But Chairman Henry A. Waxman (D-Calif.) disclosed during a hearing yesterday that the RNC has now said it “has no intention of trying to restore the missing White House e-mails.” “The result is a potentially enormous gap in the historical record,” Waxman said, including the buildup to the Iraq war. Spokesman Danny Diaz said in a statement that the RNC “is fully compliant with the spirit and letter of the law.” He declined further comment.

OVER 50% OF COMPANIES HAVE FIRED WORKERS FOR E-MAIL, NET ABUSE (ComputerWorld, 28 Feb 2008) - Think you can get away with using e-mail and the Internet in violation of company policy? Think again. A new survey found that more than a quarter of employers have fired workers for misusing e-mail and one third have fired workers for misusing the Internet on the job. The study, conducted by the American Management Association (AMA) and The ePolicy Institute, surveyed 304 U.S. companies of all sizes. The vast majority of bosses who fired workers for Internet misuse - 84 percent - said the employee was accessing porn or other inappropriate content. While looking at inappropriate content is an obvious no-no on company time, simply surfing the Web led to a surprising number of firings. As many as 34 percent of managers in the study said they let go of workers for excessive personal use of the Internet, according to the survey. Among managers who fired workers for e-mail misuse, 64 percent did so because the employee violated company policy and 62 percent said the workers’ e-mail contained inappropriate or offensive language. More than a quarter of bosses said they fired workers for excessive personal use of e-mail and 22 percent said their workers were fired for breaching confidentiality rules in e-mail.

HARVARD SCHOLARS TO EXPLORE NET SAFETY (Wired, 28 Feb 2008) - Leading Internet scholars at Harvard University will convene a yearlong task force to explore how children can avoid unwanted contact and content when using MySpace and other popular online hangouts. The Internet Safety Technical Task Force is the result of an agreement that MySpace reached with all state attorneys general except Texas’ in January. Announced Thursday, it will be make up of leading Internet service companies and nonprofit groups, including those focused on children’s safety. MySpace, a unit of News Corp., created the task force, named its members and chose Harvard’s Berkman Center for Internet and Society to run it, but the group will operate independently, said John Palfrey, Berkman’s executive director. Its recommendations will be nonbinding. Although the task force grew out of concerns that attorneys general have about Internet sexual predators who target children on social-networking sites, it will also explore how to keep children safe from online bullies and pornography. Palfrey said the group would consider how technology could bring safety “without causing collateral damage.” Procedures for verifying users’ ages are expected to be among the topics of discussion.

SEC ADOPTS FINAL RULES FOR ELECTRONIC FILING OF FORM D BY ISSUERS OF PRIVATE OFFERINGS (Duane Morris, 28 Feb 2008) - The Securities and Exchange Commission (“SEC”) has adopted final rules regarding the electronic filing of Form D by issuers in private offerings pursuant to Regulation D under the Securities Act of 1933, as amended. Beginning on September 15, 2008, issuers will have the option of filing reports on Form D either in paper form or electronically until March 16, 2009, when electronic filing becomes mandatory. In connection with the new electronic filing requirement, the SEC also established a reconfigured, 16-item format for Form D, which retains most (but not all) of the requirements of the current form and provides for the disclosure of some additional items of information. One new item to be disclosed in the electronic Form D is the CRD number of any broker or broker-dealer that receives compensation in connection with the offering reported on the Form. The CRD number corresponds to a broker’s or broker-dealer’s record located in the Central Registration Depository, a computer database of brokers and broker-dealers maintained by FINRA. The inclusion (or omission, as applicable) of CRD numbers on the new form will clearly indicate whether or not persons receiving sales compensation are registered broker-dealers. As a result, issuers paying compensation to finders and other non-registered parties in connection with private offerings under Regulation D should be all the more careful how they engage and compensate finders in capital-raising transactions. Moreover, this new disclosure requirement could well facilitate more rigorous scrutiny by the SEC and state securities regulators of payments to non-registered persons or entities.

LIFELOCK-EXPERIAN LAWSUIT COULD SET LEGAL PRECEDENT (Phoenix Business Journal, 29 Feb 2008) - The lawsuit between identity theft prevention firm LifeLock Inc. and a U.S. credit bureau is taking legal experts into new territory, potentially establishing credit reporting case law for years to come. Officials at Experian, one of the country’s three credit bureaus and holder of more than 230 million credit files, filed suit against the Tempe firm last week. They claim LifeLock violates the Fair Credit Reporting Act by posing as individual consumers rather than as a clearinghouse for fraud alerts. There is little case law surrounding the Fair Credit Reporting Act. Those that have been decided are relatively small and do not extend beyond individual states. Cotterman said there has never been a FCRA-related case with two companies of this size and scope going at each other this way. While much of FCRA’s wording is vague, the lawsuit may call into question the definitive nature of some of the law’s components. Among those is the notion that an individual must file a fraud alert by “direct request,” not through a third-party service. Experian claims LifeLock violates this with every fraud alert it places. LifeLock, on the other hand, contends it is simply providing a service to its customers. LifeLock CEO Todd Davis said the claim is “meritless” and an attempt to disrupt the fast-growing company’s momentum. But what the lawsuit does not say is what really screams the truth, he said. Davis claims Experian is losing money from its highly profitable marketing wing, which sells demographic information to companies that use bulk-mail marketing campaigns and other mass mailings. Through LifeLock’s fraud-alert system, customer information is removed from the Experian data sets being sold to third-party marketers.

EUROPE, U.S. LEAD RISE IN IT GOVERNANCE EFFORTS (CNET, 28 Feb 2008) - More businesses across the globe are stepping up their IT governance efforts, with North America and Europe leading the way, according to a study. The “IT Governance Global Status Report 2008” claims that 34 percent of respondents, compared to 19 percent in 2005, are implementing practices that address IT governance-an organization’s management, from the boardroom on down, of the performance and security of its IT system. Commissioned by the IT Governance Institute (ITGI) and conducted every two years, the study surveyed about 750 C-level executives from 23 countries between July and October last year. The survey also determined that 24 percent of companies are considering plans to introduce IT governance practices, compared to 22 percent in 2005 and 18 percent in 2003. In addition, only 20 percent said their organisations were not considering implementing such practices, compared to 36 percent in 2005 and 42 percent in 2003. By region, North America and Europe have the highest adoption of IT governance initiatives globally, with 50 percent of respondents from each of these two regions indicating that they have already implemented, or are in the process of implementing, such processes and practices. Forty-four percent of executives from Asia and 27 percent of South American respondents reported similar plans. “The bottom line is that many organizations around the world are needlessly sacrificing money, productivity, and competitive advantage by not implementing effective IT governance,” said Lynn Lawton, international president of ITGI. “Well-governed enterprises have been shown to provide better returns to stakeholders, and the same goes for governance over information technology.” [Editor: I co-authored an IEEE paper last year on this subject: “A Coherent Strategy for Data Security through Data Governance”, at There is significant competitive advantage to doing this properly.]

TOP BANKS NAMED IN NEW IDENTITY THEFT STUDY (BankInfoSecurity, 29 Feb 2008) - Shockwaves rumbled through the US banking industry this week with the release of a new report estimating the annual incidents of Identity Theft associated with the nation’s top banks. The study, published by the Center for Law and Technology at the University of California, Berkeley, draws from thousands of consumer complaints to the Federal Trade Commission over a three-month period in 2006. The top five financial institutions named are Bank of America, JPMorgan Chase, Capital One, Citibank and American Express.

BUSH NOMINATES THREE TO EMPTY PRIVACY BOARD (Wired, 29 Feb 2008) - A newly independent Privacy and Civil Liberties Oversight Board may soon actually have members again, after sitting empty for nearly a full month. On Thursday, President Bush took the first step to fill vacancies on the Board as he nominated 3 people, including a chairman, to fill some of the five seats. Bush allowed the board to be emptied on January 30, even as he pushed Congress to grant him wide powers to install blanket wiretap orders inside the United States. Bush nominated Daniel Sutherland, the current civil liberties officer at the Department of Homeland Security, to head the commission for the next six years. Ronald Rotunda, a George Mason University law professor known for his bow ties and for work on the Senate Watergate Commission, was nominated to join the board for an initial four-year term, while Francis Taylor, who previously served on the board, was re-nominated for a two-year term.

WAL-MART TASTEMAKERS WRITE UNFILTERED BLOG (New York Times, 3 March 2008) - Microsoft is one of Wal-Mart’s biggest suppliers. But that did not stop the Wal-Mart employee in charge of buying computers from panning Microsoft’s newest operating system, Vista. “Is it really all that and a bag of chips?” he wrote on his blog. “My life has not changed dramatically — well, for that matter, it hasn’t changed at all.” His public burst of candor was not isolated. On the same blog, a video game buyer for Wal-Mart slammed a “Star Wars” film as a “debacle” even though Wal-Mart still sells the movie. Known for its strict, by-the-books culture — accepting a cup of coffee from a supplier can be a firing offense — Wal-Mart is now encouraging its merchants to speak frankly, even critically, about the products the chain carries. This unusual new Web site, which was quietly created during the holiday shopping season, has become a forum for unvarnished rants about gadgets, raves about new video games and advice on selecting environmentally sustainable food. Corporate blogs are nothing new — General Motors, Dell and Boeing have them — but Wal-Mart’s site, called Check Out (, turns the traditional model on its head. Instead of relying on polished high-level executives, it is written by little-known buyers, largely without editing. Their decisions about what makes it onto Wal-Mart’s shelves have enormous impact, earning (or costing) vendors millions of dollars. It was a blogger on the Check Out, after all, who first disclosed last month that Wal-Mart would stock only high-definition DVDs and players using the Blu-ray format, rather than the rival HD DVD system. The decision was considered the death knell for HD DVD. Wal-Mart says the Web site helps buyers solicit quick feedback from consumers on the merchandise — and shows a softer side of the giant company, which has 5,000 stores, 1.2 million workers and annual sales of nearly $400 billion. “We are real people, and that gets lost in the to and fro of business,” said Nick Agarwal, a Wal-Mart communications official who helped develop the blog. “It puts real personality out there in a real conversation.” But all that uncensored rambling has its potential drawbacks, like irritating suppliers or consumers. Mr. Muha, the video game buyer, may have ventured into dangerous territory, for example, when describing Call of Duty 4: Modern Warfare. “The bad guys are the usual Middle Eastern extremists. I guess they are the new Nazis for the modern era,” he wrote. This is not Wal-Mart’s first plunge into the blogosphere. Several years ago, when the retailer’s public relations problems began to mount, it turned to the Web for relief. It created one blog, Working Families for Wal-Mart, to trumpet the chain’s accomplishments and ding its critics. It created another, Wal-Marting Across America, to highlight the good deeds and productive careers of Wal-Mart employees. Critics dismissed both as thinly veiled extensions of Wal-Mart’s P.R. department, and Wal-Mart shut them down. The lesson seemed clear: create an authentic blog or don’t create a blog at all. Wal-Mart employees began developing Check Out (subtitled “Where the Lanes Are All Open”) a year ago and recruited a handful of buyer-bloggers last fall, giving them rudimentary training on how to post their writing, upload videos and create hyperlinks. After heeding the lessons of Wal-Mart’s earlier blogs and consulting with several well-known bloggers from sites like the Huffington Post, the buyers decided the site would succeed only if they wrote in their own voice, free from censorship and corporate review. Anil Dash, a blogger at Six Apart, which makes blogging software, said the evolution in Wal-Mart’s thinking about blogs was typical. “You start with this total lockdown, suits read everything, one post a month model,” he said. “Then you evolve. A year later, you get one that is more open. A year after that, they start to do something that is far more authentic.” Mr. Dash said Wal-Mart’s decision to let buyers do the blogging reflected a growing recognition that “trying to control who can speak and what they can say does not work.”

PUBLISHERS PHASE OUT PIRACY PROTECTION ON AUDIO BOOKS (New York Times, 3 March 2008) - Some of the largest book publishers in the world are stripping away the anticopying software on digital downloads of audio books. The trend will allow consumers who download audio books to freely transfer these digital files between devices like their computers, iPods and cellphones — and conceivably share them with others. Dropping copying restrictions could also allow a variety of online retailers to start to sell audio book downloads. The publishers hope this openness could spark renewed growth in the audio book business, which generated $923 million in sales last year, according to the Audio Publishers Association. Random House was the first to announce it was backing away from D.R.M., or digital rights management software, the protective wrapping placed around digital files to make them difficult to copy. In a letter sent to its industry partners last month, Random House, the world’s largest publisher, announced it would offer all of its audio books as unprotected MP3 files beginning this month, unless retail partners or authors specified otherwise. Penguin Group, the second-largest publisher in the United States behind Random House, now appears set to follow suit. Dick Heffernan, publisher of Penguin Audio, said the company would make all of its audio book titles available for download in the MP3 format on eMusic, the Web’s second-largest digital music service after iTunes. Penguin was initially going to join the eMusic service last fall, when it introduced its audio books download store. But it backed off when executives at Pearson, the London-based media company that owns Penguin, became concerned that such a move could fuel piracy. Mr. Heffernan said the company changed its mind partly after watching the major music labels, like Warner Brothers and Sony BMG, abandon D.R.M. on the digital music they sell on “I’m looking at this as a test,” he said. “But I do believe the audio book market without D.R.M. is going to be the future.” Publishers, like the music labels and movie studios, stuck to D.R.M. out of fear that pirated copies would diminish revenue. Random House tested the justification for this fear when it introduced the D.R.M.-less concept with eMusic last fall. It encoded those audio books with a digital watermark and monitored online file sharing networks, only to find that pirated copies of its audio books had been made from physical CDs or D.R.M.-encoded digital downloads whose anticopying protections were overridden. “Our feeling is that D.R.M. is not actually doing anything to prevent piracy,” said Ms. McIntosh of Random House Audio.

DOES LAWYER’S E-MAIL SNOOPING MERIT 2-YEAR SUSPENSION? (ABA Journal, 3 March 2008) - At first, when attorney Michael Markins accessed his wife’s e-mail account at the law firm at which she worked, he was trying to find out whether she might be having an affair. But then, having figured out the uncomplicated password system there, the Charleston, W.Va., lawyer admittedly began accessing other lawyers’ e-mail accounts at his wife’s firm, out of “selfish curiosity,” reports the Charleston Gazette. At the time of the electronic snooping, the firm at which Markins worked, Huddleston Bolen, was on the opposing side of mass flood litigation from the firm at which his wife was an associate, Offutt, Fisher and Nord. However, the OFN firm does not believe any confidential client information was compromised. “On at least one occasion, an attachment from OFN’s chief accountant to the partners containing confidential financial information about the firm had been opened and reviewed,” according to a West Virginia Supreme Court brief filed by the State Bar’s Lawyer Disciplinary Board. The brief, upon which the newspaper’s account is based, says Markins accessed OFN e-mail more than 150 times between 2003 and 2006. “Eventually, one of OFN’s lawyers began to suspect that her e-mail account had been improperly accessed,” the newspaper recounts. “The firm’s computer consultant found that an IP address belonging to the Huddleston firm had been used to read e-mail on multiple occasions.” Both Markins and his wife lost their jobs after the intrusion was discovered, although he reportedly landed another position with John R. Fowler that paid $80,000 a year—a $2,000 pay raise over his Huddleston salary, the brief states. The Lawyer Disciplinary Board is recommending a two-year suspension of his license. But Markins’ attorney, Mike Callaghan, says his client is contesting this “very harsh” punishment, which Callaghan describes as “excessive for the acts committed.” [Editor: “Harsh”? Sounds lenient to me.]

US AIRBASE E-MAILS GO TO TOWN WEB (BBC, 4 March 2008) - Confidential US Air Force (USAF) e-mails, some including flight plans for a presidential visit, have been mistakenly sent to a tourism website. The e-mails were meant to go to the US airbase at RAF Mildenhall, Suffolk, via its website. But instead they went to a town tourism website which had a similar address. The USAF said there had been no “verified security breach” and it had advised airmen and other staff to use the correct e-mail address. Gary Sinnott, of Mildenhall, set up the website “” in the late 1990s to promote the town. But by 2001 he was starting to get hundreds of e-mails meant for people at the airbase. The e-mails included jokes, spam, personal information and military information. He said he contacted the base a number of times, but officials told him not to worry about it. He added that another e-mail he received was about US “military procedures and tactics”. “It had the notice ‘Destroy by any means to prevent capture’,” he said. [Editor: Now that’s a signature line much more interesting than the standard “This email is privileged and confidential * * *” ones we see far too often.]

FBI CHIEF SAYS REPORT WILL SHOW ANOTHER YEAR OF PRIVACY ABUSES (, 5 March 2008) - The FBI acknowledged Wednesday it improperly accessed Americans’ telephone records, credit reports and Internet traffic in 2006, the fourth straight year of privacy abuses resulting from investigations aimed at tracking terrorists and spies. The breach occurred before the FBI enacted broad new reforms in March 2007 to prevent future lapses, FBI Director Robert Mueller said. And it was caused, in part, by banks, telecommunication companies and other private businesses giving the FBI more personal client data than was requested. Testifying at a Senate Judiciary Committee hearing, Mueller raised the issue of the FBI’s controversial use of so-called national security letters in reference to an upcoming report on the topic by the Justice Department’s inspector general. An audit by the inspector general last year found the FBI demanded personal records without official authorization or otherwise collected more data than allowed in dozens of cases between 2003 and 2005. Additionally, last year’s audit found that the FBI had underreported to Congress how many national security letters were requested by more than 4,600. The new audit, which examines use of national security letters issued in 2006, “will identify issues similar to those in the report issued last March,” Mueller told senators. The privacy abuse “predates the reforms we now have in place,” he said. “We are committed to ensuring that we not only get this right, but maintain the vital trust of the American people,” Mueller said. He offered no additional details about the upcoming audit.

RECORDING INDUSTRY WINS SUBPOENAS FOR INFO ON 14 AT UA (Arizona Star, 5 March 2008) - A federal judge has granted the recording industry’s request to subpoena the University of Arizona to turn over personal information of 14 students accused of copyright infringement. The students are currently identified as John Does in a lawsuit that alleges they illegally downloaded or shared music files over the Internet. The initial complaint was filed on Feb. 21 in U.S. District Court. On Feb. 26, attorneys for the Recording Industry Association of America asked Judge Susan R. Bolton to subpoena the UA to provide the names and contact information for the students now identified by computer IP addresses. Bolton agreed in an order signed Monday. The RIAA will likely contact the university with subpoenas within a week, and universities typically have 30 days to release the information, said RIAA spokeswoman Liz Kennedy. UA spokesman Johnny Cruz said he had no comment on subpoenas that the university has yet to receive. The lawsuit comes after the RIAA sent 14 prelitigation settlement letters to the UA on Dec. 6, part of an ongoing effort by the industry trade group that has involved hundreds of such letters each month for the past two years. UA officials have decided against forwarding prelitigation settlement offers from the RIAA to students because they’re not required to by law, said dean of libraries Carla Stoffle, who led a campus group that studied the issue.

LIFE IS GOOD®—BUT ITS SECURITY WAS NOT (Wiley Reid LLP, 5 March 2008) - Popular retailer Life is good® became the latest target of a Federal Trade Commission (FTC) information security enforcement action, following a hacking incident affecting credit cards collected on the company’s website. This case is only the most recent reminder of what has become a critical challenge for all companies. Information security is now a realistic risk for all companies in all industries, and federal enforcement actions (along with a variety of other problems) may well arise if effective security practices are not implemented. The Life is good® settlement stems from an ongoing series of FTC cases, driven by the principle that a failure to maintain and implement an effective information security program constitutes a deceptive trade practice. While part of the FTC settlement derives from general statements made by Life is good® representing that it would keep the information it collects secure, it is clear—from the Life is good® case and its predecessors, mainly the settlement involving B.J.’s Wholesale—that an effective information security program is now a legal requirement for any company that collects personal information about customers or employees.

- and -

UK INFORMATION COMMISSIONER REQUIRES FINANCIAL SERVICES COMPANY TO ENCRYPT LAPTOPS (Steptoe & Johnson, 6 March 2008) - The United Kingdom’s Information Commissioner’s Office (ICO) has required another company to encrypt all sensitive personal information stored on its laptop computers. As we previously reported, the theft of an unencrypted laptop from a Marks & Spencer contractor led to the ICO’s January ruling that that retailer must encrypt all personal information stored on its laptops. Late last month, the ICO announced that Skipton Financial Services (SFS) had suffered a similar laptop theft, and required the company to use encryption to protect the information on its laptops. According to the Office, the laptop - which was stolen from an SFS contractor - contained the unencrypted personal information of 14,000 SFS customers. Noting that SFS “should have had appropriate encryption measures in place to keep the data secure,” the ICO announced that SFS had agreed to protect against future data breaches by: ensuring that sensitive personal data stored on the laptops of SFS and its contractors is “suitably encrypted”; assessing the data security of contractors before hiring them to process SFS data; and implementing other “appropriate” security measures. So while governments once tried to curb the widespread use of strong encryption by companies, we are now entering an age in which encryption is being mandated - at least where sensitive information is at issue. Nevertheless, many countries - including the United States and UK - still maintain controls on exports of encryption, while other countries control the import and use of encryption as well. Companies therefore need to be mindful of any regulations governing the export, import or use of encryption in the countries in which they operate.

**** RESOURCES ****
INTERACTIVE MAP: DATA BREACH NOTIFICATION LAWS, STATE BY STATE (CSO, March 2008) - More than five years after California’s seminal data breach disclosure law, SB 1386, was enacted, not all states have followed suit. Eleven states still have not passed laws mandating that companies notify consumers when that company has lost the consumer’s personal data. One state, Oklahoma, does have a breach notification law, but it only applies to state entities that have lost data. That leaves 38 states that have enacted some sort of breach disclosure law. This map will help you sort them out. Click on any state to see highlights from that state’s law. (The gray states do not yet have disclosure laws). For more explanation, see the text below the map.

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. Edupage,
3. SANS Newsbites,
4. NewsScan and Innovation,
5. BNA’s Internet Law News,
6. Crypto-Gram,
7. McGuire Wood’s Technology & Business Articles of Note,
8. Steptoe & Johnson’s E-Commerce Law Week,
9. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.