Saturday, March 08, 2008

MIRLN - Misc. IT Related Legal News [17 February - 8 March 2008; v11.03]

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley ( with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN editions are archived at and blogged at

**************End of Introductory Note***************

ADMINISTRATION SHUTTING DOWN ECONOMIC INDICATORS SITE (TechDirt, 14 Feb 2008) - While there was some decent news suggesting the economy might not be falling into a recession, there are still plenty of knowledgeable folks who think some sort of recession is likely. Last week, in New York, plenty of folks I spoke to seemed to believe we were already in one. Of course, to actually call a recession, the general consensus is that there would need to be two consecutive quarters of negative economic growth. So how would you measure that growth? Well, apparently the White House would prefer to make it as difficult as possible. Reader Jon writes in to note the rather inconvenient timing of the Administration suddenly deciding to shut down its own website that aggregated economic indicators. The site, had even won awards from Forbes as a great resource.

EUROPEAN HIGH COURT PROTECTS INTERNET PRIVACY (EPIC, 15 Feb 2008) - In response to a request from the Spanish national court, the European Court of Justice ruled today that European community law does not require European countries to disclose user information in civil cases involving copyright. The high court for the European Union also ruled that European Parliament directives on personal data do not entail an obligation of disclosure of the data for the purposes of ensuring effective protection of copyright in the context of civil proceedings. When interpreting and applying the directives, EU Member States should rely on an interpretation “which allows a fair balance to be struck between the various fundamental rights protected by the Community legal order,” the court said. The case is Promusicae, C-275/06.

FREE ONLINE ACCESS TO U.S. COURT DECISIONS (, 19 Feb 2008) - This week, Carl Malamud invites you to enhance your federal case law library by downloading millions of pages of decisions stretching back more than 250 years, all free of charge. His latest online “public works” project is a Web site,, which will open up all Supreme Court opinions dating back to the 1700s and all U.S. appeals courts decisions dating back to 1950. The activist’s efforts for the nonprofit group present a potential challenge to paid legal research services Thomson and LexisNexis. Malamud’s northern California-based group last week received full delivery of content from legal research company Fastcase, which agreed in November to sell the information with no strings attached. Malamud’s group has spent the past several days reformatting the data to post on the Web site, an event that will occur sometime this week. “We’re about getting bulk data and making it available,” free of charge, to the public, Malamud told the Law Tribune last week. “I want to see all federal case law downloadable in bulk.” He noted that there are no restrictions on the use of the information after it’s downloaded and that it’s up to individuals to create Web sites that utilize the information.

F.B.I. GAINED UNAUTHORIZED ACCESS TO E-MAIL (New York Times, 17 Feb 2008) - A technical glitch gave the F.B.I. access to the e-mail messages from an entire computer network — perhaps hundreds of accounts or more — instead of simply the lone e-mail address that was approved by a secret intelligence court as part of a national security investigation, according to an internal report of the 2006 episode. F.B.I. officials blamed an “apparent miscommunication” with the unnamed Internet provider, which mistakenly turned over all the e-mail from a small e-mail domain for which it served as host. The records were ultimately destroyed, officials said. Bureau officials noticed a “surge” in the e-mail activity they were monitoring and realized that the provider had mistakenly set its filtering equipment to trap far more data than a judge had actually authorized. The episode is an unusual example of what has become a regular if little-noticed occurrence, as American officials have expanded their technological tools: government officials, or the private companies they rely on for surveillance operations, sometimes foul up their instructions about what they can and cannot collect. [Editor: Actually, this happens much more often than it should, and more news is coming.]

CAYMAN ISLANDS BANK GETS WIKILEAKS TAKEN OFFLINE IN U.S. - UPDATED WITH LINKS (Wired, 18 Feb 2008) - Wikileaks, the whistleblower site that recently leaked documents related to prisons in Iraq and Guantanamo Bay, was taken offline last week by its U.S. host after posting documents that implicate a Cayman Islands bank in money laundering and tax evasion activities. In a pretty extraordinary ex-parte move, the Julius Baer Bank and Trust got Dynadot, the U.S. hosting company and domain registrar for Wikileaks, to agree not only to take down the Wikileaks site but also to “lock the domain name to prevent transfer of the domain name to a different domain registrar.” A judge in the U.S. District Court for Northern California signed off on the stipulation between the two parties last week without giving Wikileaks a chance to address the issue in court. The Julius Baer Bank, a Swiss bank with a division in the Cayman Islands, took issue with documents that were published on Wikileaks by an unidentified whistleblower, whom the bank claims is the former vice president of its Cayman Islands operation, Rudolf Elmer. The documents purport to provide evidence that the Cayman Islands bank helps customers hide assets and wash funds. After failing to convince Wikileaks to take down the documents, the bank went after its U.S. hosting service, which responded by agreeing not only to remove the Wikileaks account from Dynadot’s server but also to help prevent Wikileaks from moving its site to a different host. Julie Turner, an attorney in California who represented Wikileaks prior to this latest litigation but is not counsel for the group on this matter, is surprised that the court sanctioned such a broad agreement. When the bank’s lawyers indicated they would be filing a suit, she asked them to tell her where so that Wikileaks could find an attorney in the appropriate jurisdiction to represent it. She says the lawyers refused to tell her.
Two and a half weeks later, the bank filed a restraining order against Dynadot and Wikileaks in San Francisco. Wikileaks received notice only a few hours before the case went to a judge who accepted the agreement between Dynadot and the bank. UPDATE: Readers have asked for links to access Wikileaks. Cryptome has provided the bank documents in a convenient download: You can also view a mirror of the Wikileaks site ( or download a torrent of the Wikileaks archive ( Alternatively, as a few readers have pointed out, you can still reach the original Wikileaks site by using this direct link to it: New York Times story at

- a few days later -

WIKILEAKS RULING LEAVES BIG QUESTIONS UNANSWERED (New York Times, 1 March 2008) - Free speech advocates immediately hailed as a victory the decision on Friday of a federal judge to withdraw a prior order turning off the Web address of the site But the reasoning of United States District Judge Jeffrey S. White also means that the court may dodge having to grapple with some of the meaty First Amendment questions posed by the case and touched on repeatedly at a lengthy hearing in San Francisco. The lawsuit, brought by a Swiss bank and its Cayman Islands subsidiary against Wikileaks and Dynadot, the San Mateo, Calif., company that is the registrar for the domain name, became a cause célèbre for organizations like the American Civil Liberties Union, Public Citizen and the Electronic Frontier Foundation. Such organizations responded with a barrage of court filings in the wake of an order signed by Judge White last month that required Dynadot to disable the address, making it more difficult – but far from impossible – for Internet users to get to materials published by Wikileaks. The bank, Bank Julius Baer & Co., claimed that Wikileaks had displayed confidential, personally identifiable account information of its customers, as a result of possibly criminal actions by a former employee. Lawyers for the bank on Friday repeatedly told Judge White that Julius Baer clients had a right to keep their account information private and that there was no compelling interest to justify their disclosure. In this way lawyers for the bank set up a conflict between freedom of speech and the right to personal privacy. “All of this is private info that is not newsworthy,” said William J. Briggs, one of the lawyers for the bank. If one of the affected customers had been Ken Lay, the late, disgraced former chief executive of Enron, then perhaps there would be news value, Mr. Briggs continued, but that was not the case here. 
Judge White questioned lawyers about the possibility of redacting names from the documents. But Joshua Koltun, a lawyer for a graduate student whom the bank said was an “officer” of Wikileaks, warned that the names could prove to be essential information. “That’s how you identify who’s been salting away money in accounts,” Mr. Koltun said, drawing laughter from reporters in the courtroom. (The laughter in turn drew a rebuke from Judge White, who said sternly, “I won’t tolerate that.”) The judge and the lawyers also struggled mightily to define Wikileaks, which defines itself as an organization “founded by Chinese dissidents, journalists, mathematicians and startup company technologists, from the U.S., Taiwan, Europe, Australia and South Africa.” Traditional entities, like companies and individuals, have citizenship status that can determine when they are subject to a particular court’s jurisdiction. But what is Wikileaks, which has not been represented by a lawyer throughout these proceedings? “Whatever this entity is, it has not filed a response,” Judge White observed. Paul Alan Levy, a lawyer for Public Citizen in Washington, argued that the bank had brought more publicity to the documents on Wikileaks than ever by filing its lawsuit and obtaining the order affecting the site’s domain name. Under such circumstances, Mr. Levy asked the judge, “Should you give them any relief to help them unring the bell?” The question implicitly was whether the victims of public disclosure on the Web have any shot at redress. After hours of discussion that suggested the judge’s level of concern with reaching the correct outcome, Judge White looked unhappy that he could not think of a way to help the bank customers affected by the release of the documents. But he said that he feared the initial order suspending raised serious questions of unjustified prior restraint on free speech, and that in any event, once the documents were online, the court might well be powerless.
“Maybe that’s just the reality of the world that we live in,” Judge White said. “When this genie gets out of the bottle, that’s it.”

- and, finally -

SWISS BANK JULIUS BAER DROPS WIKILEAKS LAWSUIT (Reuters, 6 March 2008) - Swiss bank Julius Baer Holding AG on Wednesday dropped its lawsuit against a whistle-blower Web site after losing a battle to keep the site from posting private account-holder information. The bank dismissed the lawsuit against the Web site,, and Dynadot LLC, the site’s registrar, without explanation in a filing in U.S. district court in San Francisco. It left open the possibility of filing another lawsuit in the same or in a different court. [Editor: the bank’s counsel might have tried harder to impress upon the bank the risks of proceeding. This case seems ill-advised; certainly the end-of-the-day results were very counterproductive.]

COMPUTER SOFTWARE TERMS ‘UNFAIR’ (BBC, 19 Feb 2008) - Some of the world’s biggest computer firms have been accused of imposing unfair contracts on customers who buy their software. The National Consumer Council (NCC) has accused 17 firms, including Microsoft, Adobe and Symantec, of using unfair “end user licence agreements” (EULAs). The NCC has asked the Office of Fair Trading to launch an investigation. The NCC said the firms’ EULAs were misleading customers into “signing away legal rights”. “Software rights-holders are shifting the legal burden on to consumers who buy computer programmes, leaving them with less protection than when they buy a cheap Biro,” said Carl Belgrove of the NCC. Symantec said it would welcome the opportunity to engage with the NCC and any other organisations in order to best serve the interests of its customers. The NCC looked at 25 software packages and said that in 17 instances, the packaging did not tell potential buyers they would have to sign an EULA in order to use it.

BANKS: LOSSES FROM COMPUTER INTRUSIONS UP IN 2007 (Washington Post, 20 Feb 2008) - U.S. financial institutions reported a sizable increase last year in the number of computer intrusions that led to online bank account takeovers and stolen funds, according to data obtained by Security Fix. The data also suggest such incidents are becoming far more costly for banks, businesses and consumers alike. The unusually detailed information comes from a non-public report assembled by the Federal Deposit Insurance Corporation, the federal entity that oversees and insures more than 9,000 U.S. financial institutions. The statistics were gathered as part of a routine quarterly survey called the Technology Incident Report, which examines so-called suspicious activity reports (SARs). In this case, SARs that were filed in the 2nd Quarter of 2007. SARs are federally mandated write-ups that banks are required to file anytime they spot a suspicious or fraudulent transaction that amounts to $5,000 or more. While the number of reported computer intrusion-related SARs (536) paled in comparison to the leading SARs categories - mortgage loan fraud (12,554) and check fraud (17,558) - the FDIC said financial crime aided by computer intrusions is growing at a rapid pace. Further, it noted that the mean (average) loss per SAR from computer intrusions was roughly $29,630 - almost triple the estimated loss per SAR during the same time period in 2006 ($10,536). The report indicates that in most cases, banks are at a loss to say exactly how cyber crooks are stealing the funds. The report indicates that 80 percent of the computer intrusions were classified as “unknown unauthorized access - online banking,” and that “unknown unauthorized access to online banking has risen from 10 to 63 percent in the past year.”

NEW TOOL FOR ONLINE COLLECTIONS (InsideHigherEd, 20 Feb 2008) - Archival collections, impossible to house centrally at many campuses, are about to get easier to use. Starting today, librarians and archivists can upload digital content into online collections with relative ease, allowing them to effectively curate items with open-source tools instead of relying on third-party consultants to build specialized Web portals. The solution is a software package called Omeka (whose Swahili name means, among other things, “to display,” “to lay out for discussion” or “to unpack”), developed by George Mason University’s Center for History and New Media. The center, which supports numerous projects exploring online archives for historical purposes, also developed the open-source citation management tool Zotero. Omeka evolved from several similar historical archive projects being produced independently at the center, such as the September 11 Digital Archive and the Hurricane Digital Memory Bank. Today, the beta code is being made available to the general public. Using blogging software as a kind of model, the software’s developers envision Omeka as a relatively simple way to produce a rich, well-designed site that meets the common needs of librarians and archivists. The software is highly customizable and open-source, and the site has a database of plug-ins written by other users and contributors that can, for example, alter a collection’s look, features and layout. While there are plenty of open-source solutions for “the back of the house,” covering the cataloging and researching components, Scheinfeldt explained, there isn’t as much of a focus on access and presentation. “What access means to the general public is something more stylized, something more constructed, something more vetted, more curated, something more designed — an experience,” he said. The software allows curators to post items to a digital collection, in virtually any format they’d need. 
The interface also lets users upload their own materials and control copyright options for each item. For example, someone could decide to post something only for scholars to view privately, instead of for the public display, while others could upload material anonymously.

THREE MAY KEEP A SECRET, IF TWO OF THEM ARE DEAD (OR THE SECRET IS POSTED ON AN OBSCURE WEBSITE) (Steptoe & Johnson, 21 Feb 2008) - Ben Franklin’s quip about the impossibility of keeping secrets may have to be revised after a recent federal ruling that a third party’s posting of confidential business information to a publicly available - but obscure - website did not destroy the “trade secret” status of the information. The court’s ruling came in a dispute between Silicon Image, Inc. and Analogix Semiconductor, Inc., two manufacturers of “HDMI” microchips used in high-definition audio and video equipment. Silicon Image sued Analogix for trade secret misappropriation under California law, alleging that Analogix had essentially stolen its confidential source code and developed chips that copied Silicon Image’s designs. Analogix contended that the source code was no longer a trade secret, since someone had posted it to a Chinese-language website months before Silicon Image sued. The court found that publishing the source code on the website “did not destroy the secrecy of the information at issue,” since there was no evidence that the postings to the “obscure” website were “generally known” to “potential competitors.” The lesson for companies? Allowing your confidential information to be posted to a public website is undoubtedly a bad idea, but so long as the website doesn’t attract much attention, the information may still be a trade secret.

EU DATA PRIVACY REGULATORS SAY INTERNET SEARCH ENGINES MUST FOLLOW EU RULES (, 21 Feb 2008) - European data privacy regulators said Thursday that Internet search engines based outside Europe must also comply with EU rules on how a person’s Internet address or search history is stored. EU rules that someone must consent to their data being collected and give individuals the right to object or verify their information apply to search engines, the regulators’ group said in a short statement as they prepare a full report due by April. They also apply to companies headquartered outside the EU but have “an establishment” in one of the EU member states, or that use automated equipment based in a member state for processing personal data, the statement said. “Search engines fall under the EU data protection directive if there are controllers collecting users’ IP addresses or search history information, and therefore have to comply with relevant provisions,” said the group of national regulators from each EU nation, known as the Article 29 Working Party.

PUBLISHER PURGES THOUSANDS OF UNLICENSED FONTS (CNET, 22 Feb 2008) - Publishing giant Faber & Faber is wiping away the chance of costly lawsuits by using software to purge unlicensed fonts. The London publishing house, which has printed classic authors from T.S. Eliot to W.H. Auden, found hundreds of thousands of unlicensed fonts on their machines using software from Monotype Imaging. The haul could have cost hundreds of thousands if left unaddressed - a recent Business Software Alliance enquiry valued 11,000 unlicensed typefaces at another London publishing house as being worth 80,000 pounds ($156,000). Faber said it was shocked at the number of unlicensed fonts it uncovered on 21 Apple Macs by Monotype’s Fontwise software, nearly three times the initial estimate. The company has now cleansed nearly all unlicensed fonts from 19 of the computers and has purchased the remaining licenses. Work is continuing to flush unauthorized fonts off the remaining two computers. Roy Smith, information systems manager at Faber, said rogue fonts had built up over time as demand grew for a wide range of fonts within the design department. He said: “Alarm bells started ringing when we saw other publishers punished for breaching copyright. We were totally shocked to see a six-figure number of fonts across the 21 machines. But we now have the tools and the knowledge required to maintain legality indefinitely.”

OSAMA BIN LADEN’S “SECOND LIFE” (, 25 Feb 2008) - Lately there has been some rather bizarre hype about the potential threat from terrorists in cyberspace. Security specialists have been expressing increasing concern about the potential for mischief with Web 2.0. In particular, during the past six months a spate of newspaper articles have been citing security experts about the alleged danger that terrorists will use virtual worlds for nefarious purposes. Groups such as the U.S. government’s Intelligence Advanced Research Projects Activity say they fear that terrorists - using virtual personas called “avatars” - will recruit new members online, transfer funds in ways that cannot be traced, and may engage in training exercises that are useful for real-world terrorist operations. They point to existing “terrorist groups” operating on virtual reality sites as an ominous sign. Granted, militant jihadists have long used the Internet as a propaganda tool; recently, Osama bin Laden’s No. 2 man, Ayman al-Zawahiri, was even planning an online advice column for followers of al-Qaida worldwide. But what’s the real game here?

JOINING THE LAW SCHOOL RANKINGS GAME (InsideHigherEd, 26 Feb 2008) - In the highly competitive worlds of law school admissions and faculty recruitment, it often seems as if the Lake Wobegon effect is in full force. On their Web sites and in the other marketing materials that law schools distribute to raise their profiles — sometimes derided as “law porn” — virtually every law school boasts of having a faculty made up of stellar scholars, brilliant teachers and selfless public servants. “We continue to add depth to our already diverse and multifaceted faculty — excellent teachers whose high-quality research impacts leading academic and public policy issues,” reads the Web site of Northwestern University’s law school. “Columbia Law School is justifiably world renowned as a leader in scholarly research and a trailblazer in the development and application of legal theories and principles,” Columbia University says on its law school’s faculty page. “In both traditional and emerging fields of law, Columbia professors are at the forefront of developing and interpreting legal issues and precedents of great consequence to society. But the Law School’s overriding commitment continues to be as a teaching institution.” But how are applicants — for admission and/or jobs — to know whether the schools are living up to their promises on faculty quality, that all-important indicator of the institutions’ overall quality? asks the Green Bag, which describes itself as “an entertaining journal of law.” Consider some potential sources of such information. The Association of American Law Schools and the American Bar Association, both of which have law schools as their members, “appear to be committed to obfuscation” and avoid qualitative assessment of law schools at all costs, the Green Bag argues. And while the “void has been filled in part” by U.S. News & World Report, the only national journalistic publication that now ranks law schools, its ranking virtually ignores questions of faculty quality in its criteria, members, focusing instead on student-faculty ratio, spending on staff (including faculty) and peer assessments by other law school officials. The Green Bag plans to step into that breach, the journal announces in an editorial in its forthcoming issue. Starting this spring, it will begin work on the “Deadwood Report,” which it envisions being an annual assessment of “whether faculty members do the work that the law schools say they do.” The journal acknowledges that the ranking will provide “rough and admittedly partial” measures of law school faculty quality, but posits that by being transparent (it will disclose the sources of its data and how it derives its numbers and rankings from those data), and by bringing more information into public view, “it will help law school applicants make better decisions about where to study or work.... We are trying to do some good here.”

GERMAN COURT SHOOTS DOWN PC SURVEILLANCE (AP, 27 Feb 2008) - Government surveillance of personal computers violates the individual right to privacy, Germany’s highest court found Wednesday, in a ruling that German investigators say will restrict their ability to pursue terrorists. In the ruling, Germany’s Constitutional Court in Karlsruhe established the privacy of data stored or exchanged on personal computers as a basic right protected by the nation’s constitution. “Collecting such data directly encroaches on a citizen’s rights, given that fear of being observed ... can prevent unselfconscious personal communication,” presiding judge Hans-Juergen Papier said in his ruling. At the same time, Papier said authorities would be allowed to spy on suspects’ computers using virus-like software in exceptional cases. However, any such action must have the approval of a judge before going forward. “Given the gravity of the intrusion, the secret infiltration of an IT system in such a way that use of the system and its data can be searched can only be constitutionally allowed if clear evidence of a concrete threat to a prominent object of legal protection exists,” Papier said. While Wednesday’s ruling was based on a law in the state of North Rhine-Westphalia that had permitted online spying, the high court’s decision will set a nationwide precedent, Papier said.

FROM PAPER TO KILOBYTES (ABA Journal, February 2008) - You are a new associate in a medium sized 50-year-old law firm that has accumulated thousands of client files, most of which are closed or dormant. The cost of storing these files has become prohibitive. As the new lawyer in the firm whom everyone looks to as being presumptively up to date with current technology, you’ve been asked to formulate a firm policy about what items in the client files can be transferred to an electronic format, and once the transfer has been made, which items in the files can be discarded. As you begin to think through this process, you realize that even if you do make such a transfer, there will still be some items in individual client files that should not be discarded. What legal ethics issues should you keep in mind as you formulate this new firm policy? [ABA analysis, replete with references and citations, then follows.]

GOP HALTS EFFORT TO RETRIEVE WHITE HOUSE E-MAILS (Washington Post, 27 Feb 2008) - After promising last year to search its computers for tens of thousands of e-mails sent by White House officials, the Republican National Committee has informed a House committee that it no longer plans to retrieve the communications by restoring computer backup tapes, the panel’s chairman said yesterday. The move increases the likelihood that an untold number of RNC e-mails dealing with official White House business during the first term of the Bush administration - including many sent or received by former presidential adviser Karl Rove - will never be recovered, said House Democrats and public records advocates. The RNC had previously told the House Oversight and Government Reform Committee that it was attempting to restore e-mails from 2001 to 2003, when the RNC had a policy of purging all e-mails, including those to and from White House officials, after 30 days. But Chairman Henry A. Waxman (D-Calif.) disclosed during a hearing yesterday that the RNC has now said it “has no intention of trying to restore the missing White House e-mails.” “The result is a potentially enormous gap in the historical record,” Waxman said, including the buildup to the Iraq war. Spokesman Danny Diaz said in a statement that the RNC “is fully compliant with the spirit and letter of the law.” He declined further comment.

OVER 50% OF COMPANIES HAVE FIRED WORKERS FOR E-MAIL, NET ABUSE (ComputerWorld, 28 Feb 2008) - Think you can get away with using e-mail and the Internet in violation of company policy? Think again. A new survey found that more than a quarter of employers have fired workers for misusing e-mail and one third have fired workers for misusing the Internet on the job. The study, conducted by the American Management Association (AMA) and The ePolicy Institute, surveyed 304 U.S. companies of all sizes. The vast majority of bosses who fired workers for Internet misuse - 84 percent - said the employee was accessing porn or other inappropriate content. While looking at inappropriate content is an obvious no-no on company time, simply surfing the Web led to a surprising number of firings. As many as 34 percent of managers in the study said they let go of workers for excessive personal use of the Internet, according to the survey. Among managers who fired workers for e-mail misuse, 64 percent did so because the employee violated company policy and 62 percent said the workers’ e-mail contained inappropriate or offensive language. More than a quarter of bosses said they fired workers for excessive personal use of e-mail and 22 percent said their workers were fired for breaching confidentiality rules in e-mail.

HARVARD SCHOLARS TO EXPLORE NET SAFETY (Wired, 28 Feb 2008) - Leading Internet scholars at Harvard University will convene a yearlong task force to explore how children can avoid unwanted contact and content when using MySpace and other popular online hangouts. The Internet Safety Technical Task Force is the result of an agreement that MySpace reached with all state attorneys general except Texas’ in January. Announced Thursday, it will be made up of leading Internet service companies and nonprofit groups, including those focused on children’s safety. MySpace, a unit of News Corp., created the task force, named its members and chose Harvard’s Berkman Center for Internet and Society to run it, but the group will operate independently, said John Palfrey, Berkman’s executive director. Its recommendations will be nonbinding. Although the task force grew out of concerns that attorneys general have about Internet sexual predators who target children on social-networking sites, it will also explore how to keep children safe from online bullies and pornography. Palfrey said the group would consider how technology could bring safety “without causing collateral damage.” Procedures for verifying users’ ages are expected to be among the topics of discussion.

SEC ADOPTS FINAL RULES FOR ELECTRONIC FILING OF FORM D BY ISSUERS OF PRIVATE OFFERINGS (Duane Morris, 28 Feb 2008) - The Securities and Exchange Commission (“SEC”) has adopted final rules regarding the electronic filing of Form D by issuers in private offerings pursuant to Regulation D under the Securities Act of 1933, as amended. Beginning on September 15, 2008, issuers will have the option of filing reports on Form D either in paper form or electronically until March 16, 2009, when electronic filing becomes mandatory. In connection with the new electronic filing requirement, the SEC also established a reconfigured, 16-item format for Form D, which retains most (but not all) of the requirements of the current form and provides for the disclosure of some additional items of information. One new item to be disclosed in the electronic Form D is the CRD number of any broker or broker-dealer that receives compensation in connection with the offering reported on the Form. The CRD number corresponds to a broker’s or broker-dealer’s record located in the Central Registration Depository, a computer database of brokers and broker-dealers maintained by FINRA. The inclusion (or omission, as applicable) of CRD numbers on the new form will clearly indicate whether or not persons receiving sales compensation are registered broker-dealers. As a result, issuers paying compensation to finders and other non-registered parties in connection with private offerings under Regulation D should be all the more careful how they engage and compensate finders in capital-raising transactions. Moreover, this new disclosure requirement could well facilitate more rigorous scrutiny by the SEC and state securities regulators of payments to non-registered persons or entities.

LIFELOCK-EXPERIAN LAWSUIT COULD SET LEGAL PRECEDENT (Phoenix Business Journal, 29 Feb 2008) - The lawsuit between identity theft prevention firm LifeLock Inc. and a U.S. credit bureau is taking legal experts into new territory, potentially establishing credit reporting case law for years to come. Officials at Experian, one of the country’s three credit bureaus and holder of more than 230 million credit files, filed suit against the Tempe firm last week. They claim LifeLock violates the Fair Credit Reporting Act by posing as individual consumers rather than as a clearinghouse for fraud alerts. There is little case law surrounding the Fair Credit Reporting Act. Those that have been decided are relatively small and do not extend beyond individual states. Cotterman said there has never been a FCRA-related case with two companies of this size and scope going at each other this way. While much of FCRA’s wording is vague, the lawsuit may call into question the definitive nature of some of the law’s components. Among those is the notion that an individual must file a fraud alert by “direct request,” not through a third-party service. Experian claims LifeLock violates this with every fraud alert it places. LifeLock, on the other hand, contends it is simply providing a service to its customers. LifeLock CEO Todd Davis said the claim is “meritless” and an attempt to disrupt the fast-growing company’s momentum. But what the lawsuit does not say is what really screams the truth, he said. Davis claims Experian is losing money from its highly profitable marketing wing, which sells demographic information to companies that use bulk-mail marketing campaigns and other mass mailings. Through LifeLock’s fraud-alert system, customer information is removed from the Experian data sets being sold to third-party marketers.

EUROPE, U.S. LEAD RISE IN IT GOVERNANCE EFFORTS (CNET, 28 Feb 2008) - More businesses across the globe are stepping up their IT governance efforts, with North America and Europe leading the way, according to a study. The “IT Governance Global Status Report 2008” claims that 34 percent of respondents, compared to 19 percent in 2005, are implementing practices that address IT governance - an organization’s management, from the boardroom on down, of the performance and security of its IT system. Commissioned by the IT Governance Institute (ITGI) and conducted every two years, the study surveyed about 750 C-level executives from 23 countries between July and October last year. The survey also determined that 24 percent of companies are considering plans to introduce IT governance practices, compared to 22 percent in 2005 and 18 percent in 2003. In addition, only 20 percent said their organisations were not considering implementing such practices, compared to 36 percent in 2005 and 42 percent in 2003. By region, North America and Europe have the highest adoption of IT governance initiatives globally, with 50 percent of respondents from each of these two regions indicating that they have already implemented, or are in the process of implementing, such processes and practices. Forty-four percent of executives from Asia and 27 percent of South American respondents reported similar plans. “The bottom line is that many organizations around the world are needlessly sacrificing money, productivity, and competitive advantage by not implementing effective IT governance,” said Lynn Lawton, international president of ITGI. “Well-governed enterprises have been shown to provide better returns to stakeholders, and the same goes for governance over information technology.” [Editor: I co-authored an IEEE paper last year on this subject: “A Coherent Strategy for Data Security through Data Governance”, at There is significant competitive advantage to doing this properly.]

TOP BANKS NAMED IN NEW IDENTITY THEFT STUDY (BankInfoSecurity, 29 Feb 2008) - Shockwaves rumbled through the US banking industry this week with the release of a new report estimating the annual incidents of Identity Theft associated with the nation’s top banks. The study, published by the Center for Law and Technology at the University of California, Berkeley, draws from thousands of consumer complaints to the Federal Trade Commission over a three-month period in 2006. The top five financial institutions named are Bank of America, JPMorgan Chase, Capital One, Citibank and American Express.

BUSH NOMINATES THREE TO EMPTY PRIVACY BOARD (Wired, 29 Feb 2008) - A newly independent Privacy and Civil Liberties Oversight Board may soon actually have members again, after sitting empty for nearly a full month. On Thursday, President Bush took the first step to fill vacancies on the Board as he nominated 3 people, including a chairman, to fill some of the five seats. Bush allowed the board to be emptied on January 30, even as he pushed Congress to grant him wide powers to install blanket wiretap orders inside the United States. Bush nominated Daniel Sutherland, the current civil liberties officer at the Department of Homeland Security, to head the commission for the next six years. Ronald Rotunda, a George Mason University law professor known for his bow ties and for work on the Senate Watergate Commission, was nominated to join the board for an initial four-year term, while Francis Taylor, who previously served on the board, was re-nominated for a two-year term.

WAL-MART TASTEMAKERS WRITE UNFILTERED BLOG (New York Times, 3 March 2008) - Microsoft is one of Wal-Mart’s biggest suppliers. But that did not stop the Wal-Mart employee in charge of buying computers from panning Microsoft’s newest operating system, Vista. “Is it really all that and a bag of chips?” he wrote on his blog. “My life has not changed dramatically — well, for that matter, it hasn’t changed at all.” His public burst of candor was not isolated. On the same blog, a video game buyer for Wal-Mart slammed a “Star Wars” film as a “debacle” even though Wal-Mart still sells the movie. Known for its strict, by-the-books culture — accepting a cup of coffee from a supplier can be a firing offense — Wal-Mart is now encouraging its merchants to speak frankly, even critically, about the products the chain carries. This unusual new Web site, which was quietly created during the holiday shopping season, has become a forum for unvarnished rants about gadgets, raves about new video games and advice on selecting environmentally sustainable food. Corporate blogs are nothing new — General Motors, Dell and Boeing have them — but Wal-Mart’s site, called Check Out (, turns the traditional model on its head. Instead of relying on polished high-level executives, it is written by little-known buyers, largely without editing. Their decisions about what makes it onto Wal-Mart’s shelves have enormous impact, earning (or costing) vendors millions of dollars. It was a blogger on the Check Out, after all, who first disclosed last month that Wal-Mart would stock only high-definition DVDs and players using the Blu-ray format, rather than the rival HD DVD system. The decision was considered the death knell for HD DVD. Wal-Mart says the Web site helps buyers solicit quick feedback from consumers on the merchandise — and shows a softer side of the giant company, which has 5,000 stores, 1.2 million workers and annual sales of nearly $400 billion. 
“We are real people, and that gets lost in the to and fro of business,” said Nick Agarwal, a Wal-Mart communications official who helped develop the blog. “It puts real personality out there in a real conversation.” But all that uncensored rambling has its potential drawbacks, like irritating suppliers or consumers. Mr. Muha, the video game buyer, may have ventured into dangerous territory, for example, when describing Call of Duty 4: Modern Warfare. “The bad guys are the usual Middle Eastern extremists. I guess they are the new Nazis for the modern era,” he wrote. This is not Wal-Mart’s first plunge into the blogosphere. Several years ago, when the retailer’s public relations problems began to mount, it turned to the Web for relief. It created one blog, Working Families for Wal-Mart, to trumpet the chain’s accomplishments and ding its critics. It created another, Wal-Marting Across America, to highlight the good deeds and productive careers of Wal-Mart employees. Critics dismissed both as thinly veiled extensions of Wal-Mart’s P.R. department, and Wal-Mart shut them down. The lesson seemed clear: create an authentic blog or don’t create a blog at all. Wal-Mart employees began developing Check Out (subtitled “Where the Lanes Are All Open”) a year ago and recruited a handful of buyer-bloggers last fall, giving them rudimentary training on how to post their writing, upload videos and create hyperlinks. After heeding the lessons of Wal-Mart’s earlier blogs and consulting with several well-known bloggers from sites like the Huffington Post, the buyers decided the site would succeed only if they wrote in their own voice, free from censorship and corporate review. Anil Dash, a blogger at Six Apart, which makes blogging software, said the evolution in Wal-Mart’s thinking about blogs was typical. “You start with this total lockdown, suits read everything, one post a month model,” he said. “Then you evolve. A year later, you get one that is more open. A year after that, they start to do something that is far more authentic.” Mr. Dash said Wal-Mart’s decision to let buyers do the blogging reflected a growing recognition that “trying to control who can speak and what they can say does not work.”

PUBLISHERS PHASE OUT PIRACY PROTECTION ON AUDIO BOOKS (New York Times, 3 March 2008) - Some of the largest book publishers in the world are stripping away the anticopying software on digital downloads of audio books. The trend will allow consumers who download audio books to freely transfer these digital files between devices like their computers, iPods and cellphones — and conceivably share them with others. Dropping copying restrictions could also allow a variety of online retailers to start to sell audio book downloads. The publishers hope this openness could spark renewed growth in the audio book business, which generated $923 million in sales last year, according to the Audio Publishers Association. Random House was the first to announce it was backing away from D.R.M., or digital rights management software, the protective wrapping placed around digital files to make them difficult to copy. In a letter sent to its industry partners last month, Random House, the world’s largest publisher, announced it would offer all of its audio books as unprotected MP3 files beginning this month, unless retail partners or authors specified otherwise. Penguin Group, the second-largest publisher in the United States behind Random House, now appears set to follow suit. Dick Heffernan, publisher of Penguin Audio, said the company would make all of its audio book titles available for download in the MP3 format on eMusic, the Web’s second-largest digital music service after iTunes. Penguin was initially going to join the eMusic service last fall, when it introduced its audio books download store. But it backed off when executives at Pearson, the London-based media company that owns Penguin, became concerned that such a move could fuel piracy. Mr. Heffernan said the company changed its mind partly after watching the major music labels, like Warner Brothers and Sony BMG, abandon D.R.M. on the digital music they sell on “I’m looking at this as a test,” he said. 
“But I do believe the audio book market without D.R.M. is going to be the future.” Publishers, like the music labels and movie studios, stuck to D.R.M. out of fear that pirated copies would diminish revenue. Random House tested the justification for this fear when it introduced the D.R.M.-less concept with eMusic last fall. It encoded those audio books with a digital watermark and monitored online file sharing networks, only to find that pirated copies of its audio books had been made from physical CDs or D.R.M.-encoded digital downloads whose anticopying protections were overridden. “Our feeling is that D.R.M. is not actually doing anything to prevent piracy,” said Ms. McIntosh of Random House Audio.

DOES LAWYER’S E-MAIL SNOOPING MERIT 2-YEAR SUSPENSION? (ABA Journal, 3 March 2008) - At first, when attorney Michael Markins accessed his wife’s e-mail account at the law firm at which she worked, he was trying to find out whether she might be having an affair. But then, having figured out the uncomplicated password system there, the Charleston, W.Va., lawyer admittedly began accessing other lawyers’ e-mail accounts at his wife’s firm, out of “selfish curiosity,” reports the Charleston Gazette. At the time of the electronic snooping, the firm at which Markins worked, Huddleston Bolen, was on the opposing side of mass flood litigation from the firm at which his wife was an associate, Offutt, Fisher and Nord. However, the OFN firm does not believe any confidential client information was compromised. “On at least one occasion, an attachment from OFN’s chief accountant to the partners containing confidential financial information about the firm had been opened and reviewed,” according to a West Virginia Supreme Court brief filed by the State Bar’s Lawyer Disciplinary Board. The brief, upon which the newspaper’s account is based, says Markins accessed OFN e-mail more than 150 times between 2003 and 2006. “Eventually, one of OFN’s lawyers began to suspect that her e-mail account had been improperly accessed,” the newspaper recounts. “The firm’s computer consultant found that an IP address belonging to the Huddleston firm had been used to read e-mail on multiple occasions.” Both Markins and his wife lost their jobs after the intrusion was discovered, although he reportedly landed another position with John R. Fowler that paid $80,000 a year—a $2,000 pay raise over his Huddleston salary, the brief states. The Lawyer Disciplinary Board is recommending a two-year suspension of his license. But Markins’ attorney, Mike Callaghan, says his client is contesting this “very harsh” punishment, which Callaghan describes as “excessive for the acts committed.” [Editor: “Harsh”? Sounds lenient to me.]

US AIRBASE E-MAILS GO TO TOWN WEB (BBC, 4 March 2008) - Confidential US Air Force (USAF) e-mails, some including flight plans for a presidential visit, have been mistakenly sent to a tourism website. The e-mails were meant to go to the US airbase at RAF Mildenhall, Suffolk, via its website. But instead they went to a town tourism website which had a similar address. The USAF said there had been no “verified security breach” and it had advised airmen and other staff to use the correct e-mail address. Gary Sinnott, of Mildenhall, set up the website “” in the late 1990s to promote the town. But by 2001 he was starting to get hundreds of e-mails meant for people at the airbase. The e-mails included jokes, spam, personal information and military information. He said he contacted the base a number of times, but officials told him not to worry about it. He added that another e-mail he received was about US “military procedures and tactics”. “It had the notice ‘Destroy by any means to prevent capture’,” he said. [Editor: Now that’s a signature line much more interesting than the standard “This email is privileged and confidential * * *” ones we see far too often.]

FBI CHIEF SAYS REPORT WILL SHOW ANOTHER YEAR OF PRIVACY ABUSES (, 5 March 2008) - The FBI acknowledged Wednesday it improperly accessed Americans’ telephone records, credit reports and Internet traffic in 2006, the fourth straight year of privacy abuses resulting from investigations aimed at tracking terrorists and spies. The breach occurred before the FBI enacted broad new reforms in March 2007 to prevent future lapses, FBI Director Robert Mueller said. And it was caused, in part, by banks, telecommunication companies and other private businesses giving the FBI more personal client data than was requested. Testifying at a Senate Judiciary Committee hearing, Mueller raised the issue of the FBI’s controversial use of so-called national security letters in reference to an upcoming report on the topic by the Justice Department’s inspector general. An audit by the inspector general last year found the FBI demanded personal records without official authorization or otherwise collected more data than allowed in dozens of cases between 2003 and 2005. Additionally, last year’s audit found that the FBI had underreported to Congress how many national security letters were requested by more than 4,600. The new audit, which examines use of national security letters issued in 2006, “will identify issues similar to those in the report issued last March,” Mueller told senators. The privacy abuse “predates the reforms we now have in place,” he said. “We are committed to ensuring that we not only get this right, but maintain the vital trust of the American people,” Mueller said. He offered no additional details about the upcoming audit.

RECORDING INDUSTRY WINS SUBPOENAS FOR INFO ON 14 AT UA (Arizona Star, 5 March 2008) - A federal judge has granted the recording industry’s request to subpoena the University of Arizona to turn over personal information of 14 students accused of copyright infringement. The students are currently identified as John Does in a lawsuit that alleges they illegally downloaded or shared music files over the Internet. The initial complaint was filed on Feb. 21 in U.S. District Court. On Feb. 26, attorneys for the Recording Industry Association of America asked Judge Susan R. Bolton to subpoena the UA to provide the names and contact information for the students now identified by computer IP addresses. Bolton agreed in an order signed Monday. The RIAA will likely contact the university with subpoenas within a week, and universities typically have 30 days to release the information, said RIAA spokeswoman Liz Kennedy. UA spokesman Johnny Cruz said he had no comment on subpoenas that the university has yet to receive. The lawsuit comes after the RIAA sent 14 prelitigation settlement letters to the UA on Dec. 6, part of an ongoing effort by the industry trade group that has involved hundreds of such letters each month for the past two years. UA officials have decided against forwarding prelitigation settlement offers from the RIAA to students because they’re not required to by law, said dean of libraries Carla Stoffle, who led a campus group that studied the issue.

LIFE IS GOOD®—BUT ITS SECURITY WAS NOT (Wiley Rein LLP, 5 March 2008) - Popular retailer Life is good® became the latest target of a Federal Trade Commission (FTC) information security enforcement action, following a hacking incident affecting credit cards collected on the company’s website. This case is only the most recent reminder of what has become a critical challenge for all companies. Information security is now a realistic risk for all companies in all industries, and federal enforcement actions (along with a variety of other problems) may well arise if effective security practices are not implemented. The Life is good® settlement stems from an ongoing series of FTC cases, driven by the principle that a failure to maintain and implement an effective information security program constitutes a deceptive trade practice. While part of the FTC settlement derives from general statements made by Life is good® representing that it would keep the information it collects secure, it is clear—from the Life is good® case and its predecessors, mainly the settlement involving B.J.’s Wholesale—that an effective information security program is now a legal requirement for any company that collects personal information about customers or employees.

- and -

UK INFORMATION COMMISSIONER REQUIRES FINANCIAL SERVICES COMPANY TO ENCRYPT LAPTOPS (Steptoe & Johnson, 6 March 2008) - The United Kingdom’s Information Commissioner’s Office (ICO) has required another company to encrypt all sensitive personal information stored on its laptop computers. As we previously reported, the theft of an unencrypted laptop from a Marks & Spencer contractor led to the ICO’s January ruling that that retailer must encrypt all personal information stored on its laptops. Late last month, the ICO announced that Skipton Financial Services (SFS) had suffered a similar laptop theft, and required the company to use encryption to protect the information on its laptops. According to the Office, the laptop - which was stolen from an SFS contractor - contained the unencrypted personal information of 14,000 SFS customers. Noting that SFS “should have had appropriate encryption measures in place to keep the data secure,” the ICO announced that SFS had agreed to protect against future data breaches by: ensuring that sensitive personal data stored on the laptops of SFS and its contractors is “suitably encrypted”; assessing the data security of contractors before hiring them to process SFS data; and implementing other “appropriate” security measures. So while governments once tried to curb the widespread use of strong encryption by companies, we are now entering an age in which encryption is being mandated - at least where sensitive information is at issue. Nevertheless, many countries - including the United States and UK - still maintain controls on exports of encryption, while other countries control the import and use of encryption as well. Companies therefore need to be mindful of any regulations governing the export, import or use of encryption in the countries in which they operate.

**** RESOURCES ****
INTERACTIVE MAP: DATA BREACH NOTIFICATION LAWS, STATE BY STATE (CSO, March 2008) - More than five years after California’s seminal data breach disclosure law, SB 1386, was enacted, not all states have followed suit. Eleven states still have not passed laws mandating that companies notify consumers when that company has lost the consumer’s personal data. One state, Oklahoma, does have a breach notification law, but it only applies to state entities that have lost data. That leaves 38 states that have enacted some sort of breach disclosure law. This map will help you sort them out. Click on any state to see highlights from that state’s law. (The gray states do not yet have disclosure laws). For more explanation, see the text below the map.

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. Edupage,
3. SANS Newsbites,
4. NewsScan and Innovation,
5. BNA’s Internet Law News,
6. Crypto-Gram,
7. McGuireWoods’ Technology & Business Articles of Note,
8. Steptoe & Johnson’s E-Commerce Law Week,
9. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
