MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al.
Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.abanet.org/dch/committee.cfm?com=CL320000 (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley (vpolley@REMOVETHISSTRINGvip-law.com) with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.
Recent MIRLN editions are archived at www.vip-law.com and blogged at http://mirln.blogspot.com/.
**************End of Introductory Note***************
SECRET PRINTER ID CODES MAY BREACH EU PRIVACY LAWS (The Register, 15 Feb 2008) - A little-noticed system that allows printed documents to be tracked by government agents has gotten the attention of the EU Commissioner for Justice, Freedom and Security, who says the technology may violate EU human rights guarantees. The technology is baked in to many popular color laser printers and photocopiers, including those made by Brother, Canon, Xerox and HP, according to a list compiled by the Electronic Frontier Foundation. It embeds almost invisible tracking dots onto documents that uniquely identify the machine that printed them. This enables the tracking of currency counterfeiters, but the EFF has been warning for years there’s nothing that prevents government spooks from using them for broader types of surveillance. Those concerns have at last found a home with Commissioner Franco Frattini. “To the extent that individuals may be identified through material printed or copied using certain equipment, such processing may give rise to the violation of fundamental human rights, namely the right to privacy and private life,” he wrote last month in response to a question about the legality of the system. “It also might violate the right to protection of personal data.” Applicable EU documents include Article 8 of the Convention of Human Rights, which provides for the protection of personal data, and Article 7 of the Fundamental Freedoms and the Charter of Fundamental Rights of the European Union, which ensures the protection of private and family life, home and communication, he said. Directive 95/46/EC of Parliament and of the Council of 24 October 1995 also applies. Frattini stopped short of saying the practice violates any laws at either a national or Community level. That’s because the inquiry, which was filed by EU Member for Finland Satu Hassi, didn’t include information showing the tracking dots were being used to identify individuals.
Frattini’s answer appears to bolster the EFF opinion that the technology unnecessarily opens the door to human rights abuses, throughout the world. http://www.theregister.co.uk/2008/02/15/secret_printer_tracking_dots/ List of affected printers: http://www.eff.org/pages/list-printers-which-do-or-do-not-display-tracking-dots
DATA BREACHES IN HIGHER EDUCATION: FROM CONCERN TO ACTION (Educause, Jan/Feb 2008) - Data breaches that potentially expose personal information are of great concern to every U.S. citizen and consumer. In August 2007, as reported in The Wired Campus, the Privacy Rights Clearinghouse documented the total number of compromised private records during the past three years at almost 160 million. The Wired Campus article, which noted that many of these breaches had occurred at colleges and universities, concluded by asking: “When is higher education going to get serious about safeguarding the private information of students, faculty, and staff?” The Chronology of Data Breaches as recorded by the Privacy Rights Clearinghouse (http://www.privacyrights.org/ar/ChronDataBreaches.htm) shines light on this question and on the problems of data security. It does identify higher education as a sector where much work remains to be done. However, the Chronology also reveals that from January to late August 2007, the records compromised at institutions of higher education accounted for less than 2 percent (896,349) of the total number of records compromised during that time. The other 98 percent of breaches occurred in private industry, financial institutions, medical institutions, and other sectors. What may be confusing is that higher education ranks second in the number of reported instances in 2007 (56), behind government entities (63). In fact, that number represents 25 percent of the reported instances in 2007, a significant decline from the nearly 50 percent level during 2005–6. Other sectors that reported instances of data breaches in 2007 include private industry (49), medical institutions (33), financial institutions (14), and K-12 schools (11). Don’t get me wrong: nearly 900,000 exposed records are too many, and data security must receive more attention at colleges and universities. 
Nonetheless, it is clear that data compromises are not concentrated in colleges and universities; they are a national problem that affects all sectors of the economy. In addition, it is likely that breaches in other sectors, especially the commercial sector, are substantially under-reported. http://connect.educause.edu/Library/EDUCAUSE+Review/DataBreachesinHigherEduca/45832?time=1206491571
CRS REPORT - BORDER SEARCHES OF LAPTOPS AND OTHER ELECTRONIC STORAGE DEVICES (Congressional Research Service, 5 March 2008) - Summary: “The Fourth Amendment generally requires a warrant to support most searches and seizures conducted by the government. Federal courts have long recognized that there are many exceptions to this general presumption, one of which is the border search exception. The border search exception permits government officials, in most “routine” circumstances, to conduct searches with no suspicion of wrongdoing whatsoever. On the other hand, in some “non-routine” and particularly invasive situations, customs officials are required to have “reasonable suspicion” in order to conduct a search. Several federal courts have recently applied the border search exception to situations in which customs officials conducted searches of laptops and other electronic storage devices at the border. Though the federal courts have universally held that the border search exception applies to laptop searches conducted at the border, the degree of cause required to support the search has not been established. Though some federal appellate courts do not appear to require any degree of suspicion to justify a search, one federal district court stated categorically that all laptop searches conducted at the border require at least reasonable suspicion of wrongdoing.” http://www.bespacific.com/mt/archives/017875.html#017875 CRS report here: http://assets.opencrs.com/rpts/RL34404_20080305.pdf
CYBER RISK MAY TRIGGER D&O LAWSUITS: AON (Business Insurance, 6 March 2008) - Cyber risks could be the next big trigger for lawsuits against company directors according to London-based brokerage Aon Ltd. At its Cyber Risk & Data Management Seminar, held Wednesday in London, Aon warned that directors could be held responsible for loss to companies and their shareholders if they fail in their duty of care by not taking preventative measures against risks such as phishing, improper data manipulation or data loss. The threat to directors is universal across all sectors, Aon said in a statement, as any company that utilizes technology as a platform or for business support is exposed. But in particular, financial institutions need to be very concerned due to the dependence on the confidentiality of their data and exposures that relate to online banking, the company added. “We are warning directors that they could find themselves being sued by employees or shareholders for not taking appropriate measures to prevent hacking, for example, or failing to provide back up for lost data,” commented Aon’s technical director, Tom Sheffield, in a statement. And insurance should be perceived as a last resort the company said. Directors must look to prevent the cyber risks through the development of strong information technology security defenses, business continuity plans and a heightened awareness of cyber risk issues at board level to create a security culture within all departments and employee roles, Aon advised. http://www.businessinsurance.com/cgi-bin/news.pl?newsId=12431 [Aon recommends this posting as “A must read for any company considering a privacy breach insurance
EUROPEAN UNION LAUNCHES PROBE INTO U.S. INTERNET GAMBLING LAWS (SiliconValley.com, 10 March 2008) - The European Union launched an investigation today into U.S. laws on Internet gambling, after European betting companies complained that Washington’s actions against them were infringing world trade rules. The investigation could lead the 27-nation EU to file a complaint at the World Trade Organization in the latest international tussle over a growing business worth more than $15.5 billion a year. “The U.S. has the right to address legitimate public policy concerns relating to Internet gambling, but discrimination against EU companies cannot be part of the policy mix,” said EU Trade Commissioner Peter Mandelson. He said he hoped the issue could be resolved amicably. Officials at the U.S. mission to the EU declined to comment, directing inquiries to the Office of the U.S. Trade Representative in Washington. European companies claim a U.S. ban that forced them out of the lucrative American market discriminates against them in violation of WTO rules, while permitting domestic gambling companies, particularly those offering betting on horse races, to flourish. In 2006, the WTO had ruled against a U.S. ban that stops American banks and credit card companies from processing payments to online gambling businesses outside the country. Washington responded by doing a deal with the EU, Japan, Canada and others in December to allow it to effectively opt out of WTO rules on gambling in return for offering them compensation in other areas. http://www.siliconvalley.com/news/ci_8521376?nclick_check=1
PARAMOUNT MAKING MOVIE CLIPS AVAILABLE AS FACEBOOK MESSAGES (SiliconValley.com, 10 March 2008) - Paramount Pictures will become the first major studio to make clips from thousands of its movies available for use on the Internet. The unit of Viacom Inc. is teaming with Los Angeles-based developer FanRocket to launch the VooZoo application Monday on Facebook. The service gives Facebook users access to footage from thousands of movies, ranging from “The Ten Commandments” to “Forrest Gump,” to send to others on the popular social networking site. “The short clips for a movie that you’ve already seen before helps you relive the moment,” Paramount senior vice president of entertainment Derek Broes said. The clips last from a few seconds to several minutes and cover the gamut from Eddie Murphy’s guffaw in “Beverly Hills Cop” to Audrey Hepburn’s pleas over her “no-name slob” cat in “Breakfast at Tiffany’s.” The studio will market DVDs of the movies through a button that appears after each clip is played. It eventually wants to use the application to virally market upcoming releases. http://www.siliconvalley.com/news/ci_8518213
HEART DEVICE FOUND VULNERABLE TO HACKER ATTACKS (New York Times, 11 March 2008) - To the long list of objects vulnerable to attack by computer hackers, add the human heart. The threat seems largely theoretical. But a team of computer security researchers plans to report Wednesday that it had been able to gain wireless access to a combination heart defibrillator and pacemaker. They were able to reprogram it to shut down and to deliver jolts of electricity that would potentially be fatal - if the device had been in a person. In this case, the researchers were hacking into a device in a laboratory. The researchers said they had also been able to glean personal patient data by eavesdropping on signals from the tiny wireless radio that Medtronic, the device’s maker, had embedded in the implant as a way to let doctors monitor and adjust it without surgery. http://www.news.com/Heart-device-found-vulnerable-to-hacker-attacks/2100-7349_3-6234024.html?tag=ne.fd.mnbc [Editor: Peer behind the scenes, and things are quite a bit darker: http://spaces.icgpartners.com/index2.asp?NGuid=DCAFA7FB7A0B4E719DA543067A1670EB]
LIONS GATE, APPLE TO ALLOW MOVIE TRANSFERS TO ITUNES (SiliconValley.com, 11 March 2008) - Lions Gate Entertainment, the largest independent U.S. film studio, and Apple will allow customers who buy DVDs to transfer the film from the disc to iTunes for viewing on mobile devices. The companies will initially offer special-edition and high-definition versions of “Rambo” on May 27, Lions Gate said Monday in a statement. “The Eye,” will be available during the summer, the Vancouver company said. Media companies are trying to make it easier for consumers who buy DVDs to watch films in a variety of formats, Lions Gate President Steve Beeks said in the statement. To transfer the film to iTunes, consumers need only to insert the DVD into their computer and enter a code, Lions Gate said. Films can be transferred only to one iTunes library. Twentieth Century Fox and Paramount studios announced similar agreements with Apple in January. http://www.siliconvalley.com/news/ci_8530106
SEC PROPOSES EXPANSION OF PRIVACY REGULATION (Goodwin Procter, 11 March 2008) - On March 4, 2008, the Securities and Exchange Commission announced proposed changes to Regulation S-P (“Reg S-P”) to address identity theft of securities industry customers. Reg S-P was adopted seven years ago under the Gramm-Leach-Bliley Act (“GLBA”) and the Fair Credit Reporting Act, and requires financial institutions under the authority of the SEC (including investment advisers, mutual funds, broker-dealers and SEC-registered transfer agents) to adopt policies and procedures to protect client information. The two requirements of Reg S-P relating to safeguarding and disposal of confidential information have not kept pace with bank and other regulators’ detailed programs for information privacy and data security. The four proposed amendments to Reg S-P will require more comprehensive information security programs similar to the framework adopted by other financial institution regulators. Comments on the proposed amendments are due 60 days after publication in the Federal Register. http://www.goodwinprocter.com/~/media/4189E0B6FD7441098DDC7C69BF6A5185.ashx [Editor: analysis and discussion then follows.]
NEW WAYS TO MANAGE HEALTH DATA (Washington Post, 11 March 2008) - You already bank online and use computer software to do your taxes. So why don’t you trust technology to help you manage your health? Microsoft, Google and more than 100 Web sites offering personal health records know the answer, but they’re betting they can quell your fears about posting your most private information online and get you to sign on soon. Online personal health records, or PHRs, began years ago as password-protected templates for storing basic medical information, accessible from any computer connected to the Web. Some still function that way, making them a convenience for patients with chronic conditions, life-threatening allergies and long medication lists. Many experts also recommend PHRs for adult caregivers of elderly family members or parents of children with chronic health problems. Many PHRs automatically link to hospital Web sites; some upload data from lab tests and medical devices; and others allow emergency rooms to access your medical history even if you’re unconscious and far from home. Lately, Internet giants Microsoft and Google have upped the ante, developing sites that combine PHRs with search engines and other services. The new capabilities raise the value of PHRs - as well as the risk from breaches of privacy. And as the records sites grow in number and sophistication, privacy advocates are stepping up their warnings, especially about PHRs offered by health insurers. http://www.washingtonpost.com/wp-dyn/content/article/2008/03/10/AR2008031001613.html [Editor: HIPAA does not protect personal health information voluntarily shared by patients with a non-health care provider.]
OVERHAULING LAW SCHOOL’S THIRD YEAR (InsideHigherEd, 12 March 2008) - “We wouldn’t dream of training doctors only from a book.” In many ways, that quote from the dean of the law school at Washington and Lee University sums up a dramatic curricular change announced this week — in which the law school is adding the equivalent at the very least of dissections, if not of medical residencies. The law school is completely replacing all academic courses in the third year of its program with “experiential” courses in which students will perform work equivalent to that done by lawyers. “Our students need a wider range of skills” than they can pick up with strictly academic courses, said the dean, Rodney A. Smolla. While a number of law schools have added individual courses that are based on the experiential model, several law school experts said that they did not know of another example of a law school taking such a move with its entire third year. If Washington and Lee is going beyond others, it is doing so at a time of considerable debate within law schools about whether a more practical orientation is needed. Last year, a report from the Carnegie Foundation for the Advancement of Teaching found a growing gap between legal education and the actual experiences a new lawyer needs, and called for major reforms of what students are taught. A good example of how third year courses will look at Washington and Lee can be found in the business law course led by Lyman Johnson, a professor who pioneered the experiential method at the law school and who helped prepare the plan to overhaul the curriculum. One of the first assignments in the class is for students to draft a deal for two entrepreneurs. The students would be given raw material (background on the business and the clients). They would then talk through with Johnson what information they didn’t have but needed to do a good job. 
Then they prepare a draft deal of about 25 pages, and a memo of 6 pages to a senior partner in a firm, explaining why the deal was structured as they proposed. Johnson said he would then give them detailed feedback, but not in the form of a standard academic evaluation, but of the sort the senior partner would give to a new associate. “The relevant standard is whether this work product is ready to go out the door,” he said. Since he started teaching this way, Johnson said, he has regularly heard from graduates that this was the course that set them up for successful work as lawyers, and that they wished they had been able to take more such courses. http://insidehighered.com/news/2008/03/12/thirdyear
JUDGE RULES VIACOM CAN’T PURSUE PUNITIVE DAMAGES IN YOUTUBE SUIT (BNA’s Internet Law News, 12 March 2008) - A U.S. federal judge ruled that Viacom could not pursue punitive damages in its $1 billion-plus copyright-infringement lawsuit against Google and YouTube. The denial does not impact Viacom’s original claim of more than $1 billion in damages. It simply prevents the New York-based company from amending its complaint and seeking additional damages.
PATENT OFFICE AGREES TO REVIEW INFAMOUS JPEG PATENT (TechDirt, 12 March 2008) - Last month, we noted that there was some effort being made to get the Patent Office to do a re-exam of a patent that attorney Ray Niro had been using to go after any site that had a JPEG image. While the patent itself had been re-examed before, one claim had been left intact, which Niro has said covers anyone using JPEG compression. It appears that the effort to get the USPTO to look into the patent once again has succeeded, though it’s a long and rather involved process that won’t come to fruition for quite a long time. The request includes a long list of prior art on that one particular claim, which the Patent Office admits it did not look at earlier and that raise substantial questions about the patentability of the remaining claim in the patent. This is rather good news. http://techdirt.com/articles/20080310/012214486.shtml
DOCTOR BLOGS RAISE CONCERNS ABOUT PATIENT PRIVACY (NPR, 13 March 2008) - Medical blogs have drawn back the curtain on the inner workings of the health care profession. Online readers can learn about the latest medical gadgets, read physicians’ views on health care issues, even get a peek at the inner thoughts of surgeons. But despite their attraction, these blogs have raised concerns about privacy issues on the Web. Take a stroll through any of the 120,000 health care blogs and you can find opinions on everything from popular pharmaceuticals to celebrity skin problems. There are no precise figures on how many doctor blogs are out there, but they are easy to find. One blog called “EM Physician” recounts a scene of gang members turning up at the ER with severe burns. “Aggravated DocSurg” says that operations are “fun,” and “Radiology Picture of the Day” shows a range of horrific conditions from brain diseases to a breast implant rupture. One physician blogger, who draws about 12,000 readers a day, is New Hampshire internist Dr. Kevin Pho. His blog, “Kevin, M.D.,” offers a doctor’s eye view on medical issues that appeal to both his peers and the public. “I talk a lot about primary care because there’s a myriad of problems that I as a primary care physician face that I want to communicate to the public. I talk about malpractice and how physicians practice defensive medicine to avoid malpractice lawsuits,” says Pho. His daily writings have made him something of a celebrity in the blogosphere. But not all physician blogs are geared toward marketing. In fact, just the opposite seems to be the case in some extremely candid blogs, like “White Coat Rants,” “Cancer Doc” and “M.D.O.D.,” which bills itself as “Random Thoughts from a Few Cantankerous American Physicians.” These are more like diaries in which doctors vent about reimbursement rates, difficult cases and what a “bummer” it is to have so many patients die. Dr. 
Deborah Peel, a psychiatrist and founder of the group Patient Privacy Rights, thinks physician blogs often step too close to the limits of patient privacy. “The problem with physicians blogging about patients is the danger that that person will be able to identify themselves, or that others that know them will be able to identify them,” she says. Peel’s group worries that information about a patient’s case could be traced back to the individual and adversely affect his or her employment, health insurance or other aspects of his or her life. Dr. Robert Wachter, author of a blog called “Wachter’s World,” * * * says it’s important for doctors to be able to share cases, as long as they change the facts substantially. But he says that’s one reason patients shouldn’t take all the information on blogs at face value. Wachter says taken for what they are — unedited opinions, and in some cases entertainment — blogs can give readers some useful insight into the good, the bad and the ugly of the medical profession. http://www.npr.org/templates/story/story.php?storyId=88163567&ft=1&f=1007
INSPECTOR GENERAL: FBI NOT EMBRACING PRIVACY SAFEGUARDS (Wired, 13 March 2008) - The FBI has wielded the Patriot Act’s extraordinary surveillance powers to unlawfully collect information about American citizens and has resisted some efforts to impose additional privacy safeguards, according to the U.S. Department of Justice’s inspector general. Inspector General Glenn Fine, in a pair of reports released on Thursday reviewing the 2006 calendar year, acknowledged the FBI’s top management has been receptive to the points he raised in his first report a year earlier. But he indicated that there was nevertheless resistance to increased oversight and better record-keeping, which would help to prevent further abuses. The longer of the two reports dealt with national security letters, or secret FBI requests - done without court oversight or approval - for administrative information that communication providers, credit agencies, or banks might store. The second report (PDF) discusses broader “Section 215” requests for information that can be sent to any individual or company under the Foreign Intelligence Surveillance Act; these, however, must be approved by a judge. (The second report was heavily redacted, with some key pages blacked out.) Some highlights:
* The FBI tried to whitewash illegal uses of Patriot Act surveillance authority that was intended to be used against terrorists and spies but ended up being used against Americans. FBI officials characterized these unlawful acts as “administrative errors,” which Fine said “diminishes their seriousness and fosters a perception that compliance with FBI policies... is annoying paperwork.”
* An FBI working group created by the attorney general recommended against the privacy-protective step of “tagging” information obtained through national security letters on grounds it would place “an undue burden on the operation” of the bureau.
* The same working group downplayed the severity of the FBI’s surveillance abuses, saying agents have a highly regulated system for approving national security letters and for identifying violations. Fine’s response: “Contrary to the NSL Working Group’s conclusions, we do not believe that existing controls are a sufficient basis on which to rely in evaluating the need for additional privacy protections.”
* The Justice Department inaccurately reported the number of national security letters. Eleven of the letters sought billing records on a total of 3,860 phone numbers - a whopping amount. That figure was not disclosed to Congress.
* Even though national security letters are not supposed to be used to obtain the contents of communications - they only can obtain billing records and so on - some e-mail providers handed over full message bodies or Subject: lines anyway. In these cases, however, the FBI’s general counsel directed that the records be sealed and a second request sent.
* No information from a Section 215 order was actually used in a criminal proceeding in 2006. In addition, “the evidence showed no instance where the information obtained from a Section 215 order... resulted in a major investigative development.” Nevertheless, Director of National Intelligence Mike McConnell responded by calling them “an invaluable tool.”
* Companies served with Section 215 orders in two known instances in 2006, either by accident or because they’re overeager, turned over more information than they’re authorized to divulge. In one case, a company handed over data “that was not requested in the Section 215 application or authorized by the FISA court.”
* In those cases, the FBI’s adherence to the law is spotty. A situation involved the FBI receiving information about a U.S. person for two months after the surveillance order expired - without objecting. In fact, the FBI argued that the information should be treated as a “voluntary production.” Fine’s report: “We disagree and believe that the production of these additional records should not be considered as voluntary...”
* The FISA court twice rejected the FBI’s request for Section 215 orders because the police were investigating lawful conduct protected by the First Amendment. But after the FBI was rejected, it sent national security letters instead. Fine said the FBI should have re-evaluated the investigation instead. NSL report at http://www.usdoj.gov/oig/special/s0803b/final.pdf; redacted Section 215 report at http://www.usdoj.gov/oig/special/s0803a/final.pdf
INSURERS LOOK TO COVER HACKING DAMAGE (The Globe & Mail, 14 March 2008) - Insurers are betting that an explosion of sophisticated computer hacking will create a new market in Canada for insurance to cover the growing costs of recovering from privacy breaches. Toronto-based Executive Risk Insurance Services says it is launching a new category of insurance for corporate clients, similar to products offered by U.S. giants like American International Group Inc. and Chubb Corp., to manage the fallout when sensitive data is lost or stolen. http://www.theglobeandmail.com/servlet/Page/document/v5/content/subscribe?user_URL=http://www.theglobeandmail.com%2Fservlet%2Fstory%2FLAC.20080313.RINSURANCE13%2FTPStory%2FBusiness&ord=99057156&brand=theglobeandmail&force_login=true
- and -
CERTEGY OFFERS TO SETTLE LAWSUIT STEMMING FROM THEFT OF DATA ON 8.5M CONSUMERS (Computerworld, 14 March 2008) - In a move designed to avoid the time and costs associated with a protracted legal battle, Certegy Check Services Inc. has offered to settle a class-action lawsuit filed on behalf of 8.5 million people whose personal data was compromised by an insider theft that the company disclosed last July. The 52-page settlement was proposed by St. Petersburg, Fla.-based Certegy on Jan. 9 but just came to light this week. It currently is under review by a U.S. District Court judge in Tampa. Certegy, a check-processing company that is a subsidiary of Fidelity National Information Services Inc., said last summer that a rogue database administrator had illegally accessed and then sold the personal data of about 2.3 million consumers to data brokers. The company later upped the number of compromised accounts to 8.5 million in filings made to the U.S. Securities and Exchange Commission in August. If accepted, Certegy’s proposed settlement would give qualifying members of the plaintiffs class one year’s worth of free credit monitoring services and $10,000 worth of identity theft insurance coverage, except for residents of New York, where the third-party credit monitoring firm being used by Certegy doesn’t offer the insurance coverage. The settlement would also provide up to two years’ worth of free bank account monitoring services for individuals whose banking information may have been compromised in the incident. In addition, consumers who can show that they were victimized by identity theft as a result of the breach will be eligible for certain “out-of-pocket” costs, such as those resulting from bank overdraft fees, according to a copy of the settlement sent to Computerworld by Certegy. But there are several caveats to that particular offer.
For instance, Certegy has capped the total amount of money it will pay for identity theft claims to $4 million, which will be disbursed on a first-come, first-served basis. Claims have to be filed within 90 days of the discovery of an identity theft incident or before March 31, 2011 — whichever comes first. And the maximum amount that an individual can recover is $20,000. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9068678&source=rss_topic17
- and -
CREDIT CARD BREACH RAISES BROAD CONCERNS (New York Times, 23 March 2008) - When up to 4.2 million account numbers were stolen over three months by thieves who cracked computers at an Eastern supermarket chain, it at first sounded like the latest in a long line of credit card breaches. But the specifics of the crime, revealed last week, included some troubling twists that might expose big holes in the payment industry’s security standards. The supermarket chain, the Hannaford Brothers Company, said the data were exposed when shoppers swiped their cards and the information was transmitted to banks for approval. Thieves have commonly pilfered card data from databases maintained by merchants or card processors, but the Hannaford episode appears to be the first large-scale piracy of data in transit. “Catching data on the move is a bit more challenging,” said Aaron Bills, chief operating officer at 3Delta Systems Inc., a transaction processing firm in Chantilly, Va. Mr. Bills compared it to robbing a truckload of merchandise, noting that it was easier when the vehicle was parked than when it was traveling. And, even while the theft was under way last month, Hannaford was found to be in compliance with the security standards required by the Payment Card Industry, a coalition founded by credit card companies. The group sets rules on issues like screening of employees and precautions against hackers; industry standards were tightened in recent years after other significant data breaches. Outside assessors audit companies to ensure compliance. The identity of Hannaford’s auditor was not disclosed. Even though Hannaford met those security standards, the attack on its stores in the Northeast and its affiliated Sweetbay stores in Florida revealed 4.2 million card numbers from Dec. 7 to March 10. About 1,800 cards have been used fraudulently. The Secret Service is investigating. The breach has raised questions about whether other merchants are overconfident about their security. 
David Navetta, president of InfoSecCompliance, a Denver law firm that concentrates on computer security and regulatory compliance, said Hannaford and its assessor might have been tripped up by ambiguity in the Payment Card Industry standards about when companies must encrypt payment data to cloak it from outsiders. In particular, the standards require companies to encrypt data that travels over computer networks “that are easy and common for a hacker to intercept.” Whether internal networks are “easy and common” to crack is a matter of judgment. Mr. Navetta said Hannaford might have left data unencrypted in a spot that turned out to be vulnerable. http://www.nytimes.com/2008/03/23/us/23credit.html?ex=1363924800&en=9d6bbec83f5d3191&ei=5090&partner=rssuserland&emc=rss&pagewanted=all and http://www.siliconvalley.com/news/ci_8605003 and http://www.news.com/8301-10784_3-9896217-7.html?part=rss&subj=news&tag=2547-1_3-0-20
CRAIGSLIST GETS SEVENTH CIRCUIT 230 WIN IN FAIR HOUSING ACT CASE (Eric Goldman’s blog, 14 March 2008) - Yesterday, I declared this week “47 USC 230 Week” at the Technology & Marketing Law Blog. The Seventh Circuit helps us end 47 USC 230 Week with a bang with its Craigslist ruling, an important opinion that reinvigorates 47 USC 230 doctrine in the Seventh Circuit. Sadly, like the district court opinion, this opinion is filled with gratuitous and unfortunate dicta that dilutes the analysis. Nevertheless, on the plus side, the Seventh Circuit (like the district court) emphatically reaches the right result and grants Craigslist a solid win under 47 USC 230. Easterbrook’s opinion takes a loving and lengthy gaze at his previous Doe v. GTE opinion (including using about 20% of this opinion to quote from the prior opinion), but I don’t think there’s much value to parsing his confusing statutory analysis to figure out how the two opinions sit together. Instead, the key part of the opinion is that Easterbrook fully realizes the costs and benefits of making an intermediary filter user content. Craigslist provides an excellent test case for that because they are so leanly staffed, and the Fair Housing Act is a good test statute because of the squishy nature of making discrimination assessments. More fundamentally, Easterbrook also understands that any filtering system is imperfect: “Automated filters and human reviewers may be equally poor at sifting good from bad postings unless the discrimination is blatant; both false positives and false negatives are inevitable.” As a result, Easterbrook recognizes that turning Craigslist into a content cop may not be the best solution. I think his conclusion says it best: “Using the remarkably candid postings on craigslist, the Lawyers’ Committee can identify many targets to investigate.
It can dispatch testers and collect damages from any landlord or owner who engages in discrimination....It can assemble a list of names to send to the Attorney General for prosecution. But given §230(c)(1) it cannot sue the messenger just because the message reveals a third party’s plan to engage in unlawful discrimination.” It will be interesting to see how this opinion affects the Ninth Circuit’s en banc consideration of the Roommates.com case. After all, the legal issues are identical, and Easterbrook’s Doe v. GTE ruling was a key precedent for the plaintiffs. Now, with Easterbrook having said (decisively) that 230 preempts claims for the Fair Housing Act, it seems like the Doe precedent is effectively worthless to the Roommates.com plaintiffs. As a result, the only solid way for the plaintiffs to distinguish the uniformly defense-favorable precedent is by hammering on the fact that Roommates.com provided structured categories for user content-a fact that might be enough to craft an exception to 230, though I think it shouldn’t. http://blog.ericgoldman.org/archives/2008/03/craigslist_gets.htm
STATE GOVERNMENTS RESIST ‘SUNSHINE LAWS’ (Washington Post, 15 March 2008) - In New Jersey, the governor’s e-mails might shed light on whether he inappropriately conferred with a labor leader he once dated. In Detroit, the mayor’s text messages revealed a sexually charged scandal. In California, a fight rages for access to e-mails sent by a city councilwoman about a controversial biological laboratory. Even the White House has been under pressure from Democrats in Congress over its problem-plagued e-mail system. While e-mail and text messaging has become a hugely popular way to communicate throughout society, governments at all levels are often unwilling to let the public see the e-mails of their elected officials. Officially, e-mails in all but a handful of states are treated like paper documents and subject to Freedom of Information requests. But most of these states have rules allowing them to choose which e-mails to turn over, and most decide on their own when e-mail records are deleted. “There seems to be an attitude throughout government - at all levels - that somehow electronic communications are of its own kind and not subject to the laws in the way that print communications are,” said Patrice McDermott, director of OpenTheGovernment.org. “So we keep hearing reports of governors and mayors who decree that their e-mail records can be destroyed, in six weeks or six months, with no appraisal for permanent value and no review by an independent body,” she said. Open records advocates contend by keeping electronic communications private, states are giving their elected officials an avenue to operate in secret - they use taxpayer-funded computers to send and receive e-mail but with little or no obligation to make such communications public. “The public needs to realize that is their possibility for accountability and historical review that is being put through the electronic shredder,” McDermott said.
http://www.washingtonpost.com/wp-dyn/content/article/2008/03/15/AR2008031501211.html
SPITZER’S CALL GIRL THREATENS PUBLICITY RIGHTS ACTION (The Reporter blog, 16 March 2008) - The high-priced escort hired by former New York Gov. Eliot Spitzer could be planning to bring a publicity rights lawsuit against media outlets that published photos of her without her consent. The NY Post - no surprise here - led the way in the “Spitzergate” press frenzy by running four photos Friday which, among other things, depict a topless Ashley Alexandra Dupré barely covering her breasts. Dupré’s court-appointed attorney Don Buchwald of Kelley Drye & Warren in New York quickly rattled off a Marty Singer-style press release in which he complained that “some publications, in violation of journalistic norms, have used the occasion of Governor Spitzer’s political misfortunes as an excuse to exploit Ms. Dupré’s persona for commercial purposes.” “In view of what happened, we feel constrained to put the media on notice that as counsel for Ms. Dupré we will take all steps that we deem necessary or appropriate to protect Ms. Dupré from any unwarranted exploitation of her name, picture, voice, or likeness for purposes of profit,” Buchwald warned. According to various media reports, the Post purchased the photos from New York-based photographer Wesley Mann, who shot them in 2007. Any claim Dupré might have against the Post could be pretty shaky if Mann had her sign a release. Some eyebrows have also been raised over the widespread media reproduction of snapshots that Dupré had posted on her MySpace page - with three attorneys interviewed by Photo Digest News suggesting those who published them “are sailing in dangerous waters,” while others believe fair use would apply. http://reporter.blogs.com/thresq/2008/03/posted-by-ma-10.html
ITALIAN FILE-SHARERS LET OFF THE HOOK (Billboard.biz, 17 March 2008) - Italian companies may not spy on individuals who engage in illegal file-sharing, according to a controversial new ruling. The ruling of Francesco Pizzetti, president of the official Italian body for Guaranteeing the Protection of Private Data, follows the attempts of a German record label, Peppermint, which last year began using the Swiss computer firm Logistep to gather the IP addresses of at least 300 Italians who were illegally sharing files. An Italian magistrate granted the companies permission to obtain the street addresses of the file-sharers from Internet service providers and send them registered letters, inviting them to destroy the files in question or else face hefty fines. Italian consumer rights groups protested against the decision and the case was brought to the attention of the Guarantor, who handed down the ruling. http://www.billboard.biz/bbbiz/content_display/industry/e3i4b1f1f7f2a01d2b3c04136a266ca9813
LAW FIRM DEVELOPS IN-HOUSE SYSTEM TO DEAL WITH DISCOVERY REQUESTS (Computerworld, 17 March 2008) - The lawyers at Fenwick & West LLP had to sort through more than 100 million files for a client facing litigation. The firm sought outside providers to handle the discovery, but the client was put off by the estimated multimillion-dollar cost. “They asked us to find another way,” says Chief Technology Officer Matt Kesner. Kesner’s team came up with a solution: a proprietary in-house process called FIND, for File Identification Narrowed by Definition, which culls through data to identify pertinent pieces of information that lawyers can then review. Since that initial innovation about five years ago, Kesner’s IT department has refined the process, making the technology-driven service an important part of what it offers to the firm’s lawyers as well as their clients. “It is a great thing for firms to be doing, because it’s just not possible to do this kind of work anymore without using software,” says Gene Koo, a fellow at Harvard Law School’s Berkman Center for Internet & Society. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=312605&source=rss_news10
COLLEGE GOSSIP SITE UNDER SCRUTINY (AP, 18 March 2008) - New Jersey prosecutors have subpoenaed records of JuicyCampus.com, a Web site that publishes anonymous, often malicious gossip about college students. Language on the site ranges from catty to hateful and offensive. One thread, for example, on the “most overrated Princeton student” quickly dissolves into name-calling, homophobia and anti-Semitism. JuicyCampus may be violating the state’s Consumer Fraud Act by suggesting that it doesn’t allow offensive material but providing no enforcement of that rule — and no way for users to report or dispute the material, New Jersey Attorney General Anne Milgram said Tuesday. The site seems designed to shield its users from the threat of libel claims. “It is not possible for anyone to use this Web site to find out who you are or where you are located,” assures a JuicyCampus privacy page. “We do not track any information that can be used by us to identify you.” http://ap.google.com/article/ALeqM5gRNEobFaeoot6whyMYl55uGn8gwgD8VG61CG0
SCIENCE JOURNAL WON’T PUBLISH PAPERS BECAUSE AUTHORS WANT TO PUT THEM ON WIKIPEDIA (TechDirt, 19 March 2008) - Over the last few months, we’ve been hearing more and more stories concerning some of the ridiculous levels of control that academic journals exert over the copyrights on the various papers and research they publish. Since many of those journals are ridiculously expensive, much of this important research is basically locked up entirely. This is especially troublesome when it comes to publicly funded research, which you would think should be available to the taxpayers who paid for it. While we’ve definitely seen a trend towards more open rules to publishing, many journals are still behind the curve. Reader parsko writes in to alert us to the news of the American Physical Society, which withdrew the offer to publish two recent studies in the Physical Review Letters because the authors wanted to be able to publish parts of the study in Wikipedia. Since the APS requires you hand over the rights to the study, they wouldn’t allow it, and turned down the papers because of it. Not surprisingly, various scientists are upset about this, pointing out that it seems totally contrary to the purpose of the journal to hide such information using copyright claims. http://techdirt.com/articles/20080318/074802570.shtml
FBI POSTS FAKE HYPERLINKS TO SNARE CHILD PORN SUSPECTS (CNET, 20 March 2008) - The FBI has recently adopted a novel investigative technique: posting hyperlinks that purport to be illegal videos of minors having sex, and then raiding the homes of anyone willing to click on them. Undercover FBI agents used this hyperlink-enticement technique, which directed Internet users to a clandestine government server, to stage armed raids of homes in Pennsylvania, New York, and Nevada last year. The supposed video files actually were gibberish and contained no illegal images. A CNET News.com review of legal documents shows that courts have approved of this technique, even though it raises questions about entrapment, the problems of identifying who’s using an open wireless connection-and whether anyone who clicks on a FBI link that contains no child pornography should be automatically subject to a dawn raid by federal police. While it might seem that merely clicking on a link wouldn’t be enough to justify a search warrant, courts have ruled otherwise. On March 6, U.S. District Judge Roger Hunt in Nevada agreed with a magistrate judge that the hyperlink-sting operation constituted sufficient probable cause to justify giving the FBI its search warrant. But the magistrate judge ruled that even the possibilities of spoofing or other users of an open Wi-Fi connection “would not have negated a substantial basis for concluding that there was probable cause to believe that evidence of child pornography would be found on the premises to be searched.” Translated, that means the search warrant was valid. The implications of the FBI’s hyperlink-enticement technique are sweeping. Using the same logic and legal arguments, federal agents could send unsolicited e-mail messages to millions of Americans advertising illegal narcotics or child pornography-and raid people who click on the links embedded in the spam messages.
The bureau could register the “unlawfulimages.com” domain name and prosecute intentional visitors. And so on. http://www.news.com/8301-13578_3-9899151-38.html?part=rss&subj=news&tag=2547-1_3-0-5
CYBER ATTACKS TARGET PRO-TIBET GROUPS (Washington Post, 21 March 2008) - Human rights and pro-democracy groups sympathetic to anti-China demonstrators in Tibet are being targeted by sophisticated cyber attacks designed to disrupt their work and steal information on their members and activities. Alison Reynolds, director of the Tibet Support Network, said organizations affiliated with her group are receiving on average 20 e-mail virus attacks daily. Increasingly, she said, the contents of the messages suggest that someone on one or more of the member groups’ mailing lists has an e-mail account or computer that has already been compromised. Sharon Hom, executive director of the New York-based Human Rights in China, said the group’s 25 staff members have reported a marked upswing in the number and sophistication of e-mail virus attacks. In 2006, the group intercepted just two targeted e-mail attacks, and by the end of last year that number had grown to 40. In the first three months of 2008, the group has received more than 100 such targeted attacks. Experts say attributing such attacks to any one group or government is extremely difficult, as computer systems that appear to be the source of malicious activity online often are controlled by persons or groups using computers in completely different locations. But Reynolds said these types of sustained, targeted attacks suggest a level of organization, tenacity and degree of commitment not typically seen in attacks by individual hackers. A handful of recent targeted attacks shared the same Internet resources and tactics in common with those used in a spate of digital assaults against a number of major U.S. defense contractors, said Maarten Van Horenbeeck, an incident handler with the SANS Internet Storm Center, a Bethesda, Md.-based organization that tracks online security trends.
According to a January article in Air Force Online, a series of e-mail attacks originating in China targeted 28 defense contractor locations in the United States late last year. The story named specific Beijing-based Internet addresses that the FBI later determined were the origin of the attacks. http://www.washingtonpost.com/wp-dyn/content/article/2008/03/21/AR2008032102605.html and http://www.bbc.co.uk/blogs/technology/2008/03/tibet_the_cyber_wars.html
- and -
FBI OPENS PROBE OF CHINA-BASED HACKERS (Washington Post, 21 March 2008) - The FBI has opened a preliminary investigation of a report that China-based hackers have penetrated the e-mail accounts of leaders and members of the Save Darfur Coalition, a national advocacy group pushing to end the six-year-old conflict in Sudan. The accounts of 10 members were hacked into between early February and last week, and the intruders also gained access to the group’s Web server and viewed pages from the inside, the group said yesterday. The intruders, said coalition spokesman M. Allyn Brooks-LaSure, “seemed intent on subversively monitoring, probing and disrupting coalition activities.” He said Web site logs and e-mails showed Internet protocol addresses that were traced to China. The allegation fits a near decade-old pattern of cyber-espionage and cyber-intimidation by the Chinese government against critics of its human rights practices, experts said. It comes as calls for a boycott of the 2008 Beijing Olympics have been mounting since China’s crackdown on Tibetan protesters last week. http://www.washingtonpost.com/wp-dyn/content/article/2008/03/20/AR2008032003193.html
FIVE TIPS FOR LAWYER ADVERTISING: FROM BILLBOARDS TO BLOGS (ABA Journal, 25 March 2008) - Long gone are the days when advertising in the Yellow Pages was the sole means of growing a law practice. Lawyers are now using a variety of media to advertise, including Web sites, blogs, television, billboards and direct mail. While advertising for most industries is virtually painless with few restrictions, advertising for lawyers is a more complex process that is bound by many laws, including federal and state regulations, as well as the ABA Model Rules, which offer guidance on lawyer conduct. A recent ABA teleconference, “Advertising for the Next Generation: From Billboards to Blogs,” provided an overview of some of these regulations. http://www.abanet.org/media/youraba/200803/article03.html ABA teleconference available for purchase here: http://www.abanet.org/cle/programs/t08ang1.html
IF I DON’T SEE IT, DOES IT MEAN IT’S NOT THERE? METADATA–ETHICS, TECHNOLOGY AND MORE (ABA Journal, 25 March 2008) - As much information and entertainment as the Internet may provide and as beneficial as we find e-mail and word processing, the world of technology is wrought with potential pitfalls. Metadata—data about data—is one possible source of distress. Many electronic documents contain information beyond the printable page, such as the author’s identity, the number of revisions made and even comments and redlining revealed with a few quick strokes on the keyboard. Users may unintentionally share things that they didn’t expect to. As Catherine Sanders Reach, director of the ABA Legal Technology Resource Center, outlines in her presentation, “Dangerous Curves Ahead: The Crossroads of Ethics and Technology,” metadata is coming to the forefront as technology proliferates. Because the Model Rules of Professional Conduct “do not contain any specific prohibition against a lawyer’s reviewing and using embedded information in electronic documents, whether received from opposing counsel, an adverse party, or an agent of an adverse party,” metadata has become the basis of several ethics opinions by states and the ABA. View ABA ethics opinion 06-442, for example. http://www.abanet.org/media/youraba/200803/article05.html ABA Ethics Opinion here: http://www.abanet.org/abanet/common/login/securedarea.cfm?areaType=member&role=abanetmo&url=/cpr/mo/06_442.pdf
COURT UPHOLDS CONYERS MAN’S CRITICISMS OF WAL-MART (Atlanta Journal, 25 March 2008) - A Conyers man may continue criticizing Wal-Mart with parodies on T-shirts that compare the retail giant to the Holocaust and al-Qaida terrorists, a federal judge has ruled. Rejecting Wal-Mart’s claim of trademark infringement, U.S. District Judge Timothy Batten in Atlanta ruled that Charles Smith may maintain his Web sites, www.walocaust.com and www.walqaeda.com. Smith also may continue to sell novelty, satirical merchandise that criticizes the company, the judge said. Sharon Weber, a Wal-Mart spokeswoman, said the company is studying the decision and considering its options for appeal. “We feel we have a duty to defend our trademarks and other intellectual property,” Weber said. Smith, who runs a computer store across the street from a Wal-Mart in Covington, invented the term “Walocaust” to express his feelings about the company. He created “Walocaust” designs to call attention to his beliefs and to get others to join his cause. Once a Wal-Mart shopper, Smith said he came to believe that the company has a destructive effect on communities and treats workers badly. In July 2005, Smith began marketing T-shirts bearing “I [heart] Wal-ocaust” logos. Another reads, “Wal-Qaeda, The Dime Store From Hell.” He sold a few dozen of them through CafePress, an online retailer that imprints shirts with designs created by individuals. In late 2005 and early 2006, Wal-Mart sent letters demanding that CafePress cease selling all of Smith’s products. The retailer soon removed all of Smith’s Wal-Mart-related merchandise from its online store. Smith then filed suit against Wal-Mart to seek a judgment allowing him to continue marketing his satirical logos and designs. A month later, Wal-Mart countersued and said the “tasteless” and “repulsive” logos tarnished its trademarks and business reputation. It also objected to Smith’s registration and use of the www.walocaust.com Internet domain name. 
http://www.ajc.com/business/content/metro/atlanta/stories/2008/03/25/walmart_0326.html
CT RULES WEB WINE RETAILER MAY NOT DELEGATE AGE VERIFICATION DUTY TO DELIVERY COMPANY (BNA’s Internet Law News, 27 March 2008) - The Massachusetts Supreme Judicial Court has ruled that an online retailer cannot avoid liability under Massachusetts law for selling and delivering alcohol to a minor by delegating delivery duties to a third party. Although the company held a delivery contract with Federal Express, it retained affirmative age-verification duties, the court held. Case name is eVineyard Retail Sales-Massachusetts Inc. v. Alcoholic Beverages Control Comm’n.
6 BANKS ARE SUED IN CLEAR CHANNEL DEAL (New York Times, 27 March 2008) - The buyers of Clear Channel Communications received a curious e-mail message last July from Credit Suisse, one of the banks financing the radio broadcaster’s sale. But it was misdirected and not meant for their eyes. Attached to the message were confidential documents from the six banks that had agreed to finance that $19.5 billion takeover. What the prospective buyers, Bain Capital and THL Partners, found most startling was that the banks were discussing how they planned to renege on terms of the lending agreements, just two months after they had reaffirmed their commitment to financing the deal. That e-mail message has set the stage for a big and complex battle over a broken private equity deal. On Wednesday, Bain and THL filed suits against the bank consortium, naming Citigroup, Morgan Stanley, Deutsche Bank, the Royal Bank of Scotland and Wachovia, as well as Credit Suisse. http://www.nytimes.com/2008/03/27/business/media/27radio-web.html?ex=1364356800&en=c9d58cb0647216fd&ei=5090&partner=rssuserland&emc=rss&pagewanted=all
PROPOSED SEC REGULATIONS WOULD REQUIRE DATA BREACH NOTIFICATION (Steptoe & Johnson, 27 March 2008) - Citing “the increase in reported security breaches and the potential for identity theft among” brokers, dealers, investment companies, investment advisers, and transfer agents, the Securities and Exchange Commission has proposed a rule (73 Fed. Reg. 13692 (Mar. 13, 2008)) that would impose new data security requirements on those institutions. Among these requirements would be a duty to notify the Commission (or, for certain broker-dealers, their designated examining authority) “as soon as possible after [they] become aware of any incident of unauthorized access to or use of personal information in which … [t]here is a significant risk that an individual identified with the information might suffer substantial harm or inconvenience ... or [a]n unauthorized person has intentionally obtained access to or used sensitive personal information.” Covered institutions would also have to notify affected individuals if there has been unauthorized access to or use of “sensitive” personal information and “misuse of the information has occurred or is reasonably possible.” If adopted, the rule would create more consistency in the rules for financial institutions, since other financial regulators already require such breach notification. See Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (70 Fed. Reg. 15736 (Mar. 29, 2005)). (Notably, though, the SEC’s threshold for notification of regulators is higher than the other financial regulators’.) The proposed rule would also impose new record-keeping requirements and duties to protect personal data during use and disposal. Comments on the proposed rule are due by May 12, 2008. 
http://www.steptoe.com/publications-5215.html Proposed rule: http://a257.g.akamaitech.net/7/257/2422/01jan20081800/edocket.access.gpo.gov/2008/pdf/E8-4612.pdf; Interagency Guidance: http://www.steptoe.com/assets/attachments/1308.pdf
YOUTUBE FEATURE TELLS VIDEO CREATORS WHEN AND WHERE A CLIP IS BEING WATCHED (New York Times, 27 March 2008) - In a move to provide better data to its users, YouTube formally announced late Wednesday that it had added a free feature that will show video creators when and where viewers are watching their videos. With this, the company hopes to turn YouTube from an online video site into a place where marketers can test their messages, Tracy Chan, YouTube product manager, said. This program, called YouTube Insight, provides a detailed view of a video’s popularity, both over time and geographically, broken down by state. (Internationally, YouTube Insight is not as insightful, providing only popularity by country.) YouTube has provided basic analytical information to creators of videos since its introduction, including the number of views, the viewers’ ratings of the video, and the number of comments left. Advertisers received a slightly more sophisticated summary. With the Insight information, video creators can dig into the specifics of a video’s performance and find, for example, that it peaks on Fridays in winter months, or it has taken several weeks to get traction — information that can help better promote their work. The information, presented as a color-coded map and a graph of a video’s popularity, is accessible through a link from a video creator’s account page on YouTube. The company will update the data once a day. But it is likely that marketers rather than casual users will be clamoring for these tools the most. YouTube executives suggest that marketers can use the tools in several ways. A movie studio might run several versions of a trailer to see what is catching on where, and if a humorous spot is catching fire in Texas, might start running that trailer as a TV ad in the state. 
A political campaign could test spots of a candidate discussing the environment or the economy; if an environmental spot is popular in Pennsylvania, that might help decide what the candidate stumps about there. http://www.nytimes.com/2008/03/27/technology/27youtube.html?ex=1364356800&en=471c49ffcbcc0d38&ei=5090&partner=rssuserland&emc=rss&pagewanted=all
COMCAST AGREES NOT TO INTERFERE WITH FILE-SHARING (CNN, 27 March 2008) - Comcast Corp., an Internet service provider under investigation for hampering online file-sharing by its subscribers, announced Thursday an about-face in its stance and said it will treat all types of Internet traffic equally. Since user reports of interference with file-sharing traffic were confirmed by an Associated Press investigation in October, Comcast has been vigorously defending its practices, most recently at a hearing of the Federal Communications Commission in February. Consumer and “Net Neutrality” advocates have been equally vigorous in their attacks on the company, saying that by secretly blocking some connections between file-sharing computers, Comcast made itself a judge and gatekeeper for the Internet. They also accused Comcast of stifling delivery of Internet video, an emerging competitor to the cable company’s core business. Comcast has said that its practices were necessary to keep file-sharing traffic from overwhelming local cable lines, where neighbors share capacity with one another. On Thursday, Comcast said that by the end of the year, it will move to a system that manages capacity without favoring one type of traffic over another. The company initially veiled its traffic-management system in secrecy, saying openness would allow users to circumvent it. But on Thursday, Werner said the company would “publish” the new technique and take into account feedback from the Internet community. http://edition.cnn.com/2008/TECH/03/27/comcast.bittorrent/index.html
FTC SETTLES WITH TJX OVER BREACH (SC Magazine, 27 March 2008) - The Federal Trade Commission (FTC) on Thursday announced a settlement with TJX over the discount retailer’s massive breach of customer credit card records. Last year, Framingham, Mass.-based TJX, which operates more than 2,500 stores worldwide, revealed that hackers stole some 45.7 million records from its systems over a two-year period. Court filings since the disclosure have placed the amount at twice that number. Based on its charges, the FTC painted a bleak information security picture of TJX, the parent company for Marshalls and T.J. Maxx outlets. The FTC, in a statement Thursday, said TJX lacked proper security solutions, such as firewalls and wireless defense, and failed to patch vulnerabilities and update anti-virus signatures. The company also transmitted personal information in clear text, failed to require strong passwords and lacked measures to detect and prevent unauthorized computer access, the FTC also stated. As part of the settlement, TJX must create a “comprehensive security program reasonably designed to protect the security, confidentiality and integrity of personal information it collects from or about consumers.” Specifically, the FTC ordered TJX to designate an individual responsible for information security, identify risks to personal data, deploy safeguards to mitigate that risk, work out agreements with service providers that handle customer data, and evaluate and adjust its security program to meet operation changes. In addition, TJX must submit to a third-party audit of its security program every two years for the next two decades. http://www.scmagazineus.com/FTC-settles-with-TJX-over-breach/article/108363/
**** NOTED PODCASTS ****
ONLINE ACCESS TO PUBLIC INFORMATION (IT Conversations, 18 March 2008) - Very interesting interview with Carl Malamud, a tireless crusader for online access to U.S. public information: SEC filings, patents, Congressional video, the Smithsonian’s historical photography, and most recently, case law. On this edition of Interviews with Innovators, host Jon Udell asks Malamud about his strategies, accomplishments, and future plans. Malamud was responsible for the SEC’s EDGAR project, and has been involved in important sunshine projects ever since involving the FEC, the Library of Congress, C-SPAN, Congressional hearing, and the Smithsonian. More recently, he’s been providing open access to Federal case law. Rated: 3 stars. This podcast at http://itc.conversationsnetwork.org/shows/detail3590.html; the case-law project is at http://bulk.resource.org/ … click on courts.gov. Law.com ran a story about Malamud, which was reported in MIRLN 11.03 - story at http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1203075902076&rss=newswire
JUSTICE GINSBURG AND BARONESS HALE: THE BRITISH AND UNITED STATES LEGAL SYSTEMS (Georgetown Law School, 24 Jan 2008) - Editor: Interesting dialogue between the two most-senior sitting judges in the U.S. and the U.K., touching on judicial independence, the coming Supreme Court of the United Kingdom, the proper use of other nations’ judicial decisions in our own, and our common histories. Rated: 1 star. Podcast (audio and video) at: http://www.law.georgetown.edu/webcast/eventDetail.cfm?eventID=473
DANAH BOYD ON MYFRIENDS, MYSPACE (Harvard’s Berkman Center, 19 June 2007) - Editor: Fascinating discussion of the evolution of social network activities (from the Use-Net to Friendster, to MySpace, to Facebook) and the evolution of the concept of “Public Space”, with concentration on use by younger adults and analysis of the implications. I started listening closely because of my interest in Communities of Practice and Expertise-Locator systems (in the knowledge management context), but came to value the discussion for its larger implications. (The Q&A is quite good, too.) Rated: 2 stars. Podcast (audio and video) at: http://blogs.law.harvard.edu/mediaberkman/2007/06/26/danah-boyd-on-myfriends-myspace-2/
**** MISC ****
SCARY SCREENSAVER? (Google) - SurveillanceSaver is a screensaver for OS X and Windows that shows live images of over 400 network surveillance cameras worldwide. A haunting live soap opera. http://code.google.com/p/surveillancesaver/
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, email@example.com.
4. NewsScan and Innovation, http://www.newsscan.com.
5. BNA’s Internet Law News, http://ecommercecenter.bna.com.
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
7. McGuire Wood’s Technology & Business Articles of Note, http://tinyurl.com/ywsusp
8. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
9. Readers’ submissions, and the editor’s discoveries.
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.