Saturday, May 31, 2008

MIRLN 11-31 May 2008 (v11.07)

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by www.KnowConnect.com.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.abanet.org/dch/committee.cfm?com=CL320000 (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln.

**************End of Introductory Note***************

BELL ACCUSED OF PRIVACY INVASION (CBC, 12 May 2008) - The Canadian Internet Policy and Public Interest Clinic, a University of Ottawa legal clinic specializing in internet- and other technology-related law, has joined the assault on Bell Canada Inc. and its traffic-shaping practices, urging an investigation by the country’s privacy commissioner. The group says Bell has failed to obtain the consent of its retail and wholesale internet customers in applying its deep-packet inspection technology, which tells the company what subscribers are using their connections for. Bell is using DPI to find and limit the use of peer-to-peer applications such as BitTorrent, which it says are congesting its network. The CIPPIC, which is made up mainly of lawyers and law students from the University of Ottawa, says Bell has not only failed to show that its network is congested and that its actions are necessary, but it has also run afoul of the Personal Information Protection and Electronic Documents Act (PIPEDA) in doing so. “Practices [such as] those involving the collection and use of personal information are not necessary to ensure network integrity and quality of service,” wrote CIPPIC director Philippa Lawson in a letter to the commissioner dated May 9. “Moreover, subscribers whose traffic is being inspected have not consented to the inspection and use of their data for this purpose.” Bell says it is using DPI only to read the “header” on the type of traffic, which determines what kind of usage it is. But CIPPIC contends that DPI must be used to “open the envelope” on the traffic for it to be of any use to an internet service provider, thus violating the user’s privacy. http://www.cbc.ca/technology/story/2008/05/12/tech-bell.html

FEW EXPECTED TO MAKE JUNE 30 PCI DEADLINE FOR WEB APPLICATION SECURITY (Computerworld, 12 May 2008) - Retailers covered by the Payment Card Industry Data Security Standard (PCI-DSS) have just about a month and a half left to comply with new requirements for protecting Web applications. But as with previous PCI-related deadlines, this one appears destined to pass with a majority of merchants unlikely to be in full compliance. After June 30, all merchants accepting payment card transactions will be expected to either use a specialized firewall for protecting their Web applications or to have completed a Web application software code review for finding and fixing vulnerabilities in these applications. Companies that fail to implement either measure will be deemed to be out of compliance with PCI starting June 30. “Most of our clients are not going to be ready,” by that deadline, said Avivah Litan, an analyst at Stamford, Conn.-based Gartner Inc. “We are amazed at how many companies are still only learning their way around the requirements” and what they call for, Litan said. With the deadline fast approaching, though, Gartner has seen an uptick in the number of calls it is receiving from clients wanting to know more about the new controls and how to implement them, she added. Section 6.6 of the new PCI requirements basically requires merchants to ensure that all Web-facing applications are protected against known attacks by applying either an application firewall or by completing an application code review - either manually or by using application-scanning tools. The requirements have been recommended best practice for more than 18 months but are now becoming a formal mandate. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9085038&source=rss_topic17

PFIZER: PERSONAL INFORMATION ON EMPLOYEES ON STOLEN LAPTOP (Courant.com, 13 May 2008) - There has been another computer security breach at Pfizer Inc.; this time it is the theft of a laptop containing information on thousands of employees, including 5,000 in Connecticut. It’s the second such breach in a month. [Editor: the 6th breach since May 2007.] Information on Pfizer employees was compromised when a company laptop and flash drive were stolen from an employee’s vehicle about a month ago, the company said Monday. The company would not identify the location of the theft. More than 65,000 data-breach notifications have been sent out by Pfizer over the past year. http://www.courant.com/news/local/statewire/hc-13082446.apds.m0488.bc-ct-pfizmay13,0,4716149.story

GOOGLE BEGINS BLURRING FACES IN STREET VIEW (CNET, 13 May 2008) - Google has begun testing face-blurring technology for its Street View service, responding to privacy concerns from the search giant’s all-seeing digital camera eye. The technology uses a computer algorithm to scour Google’s image database for faces, then blurs them, said John Hanke, director of Google Earth and Google Maps, in an interview at the Where 2.0 conference here. Google has begun testing the technology in Manhattan, the company announced on its LatLong blog. Ultimately, though, Hanke expects it to be used more broadly. Dealing with privacy - both legal requirements and social norms - is hard but necessary, Hanke said. Street View poses other privacy issues besides just faces. Some people aren’t eager to have their houses on display, for example. But much of the hubbub seems to have waned since Google launched Street View in May 2007, and indeed other companies such as Blue Dasher are working on similar technology. Street View presents a view of dozens of United States cities from a driver’s perspective. It appears Google has begun collecting imagery in Europe as well, along with detailed 3D maps, including Milan, Rome, and Paris. http://news.cnet.com/8301-10784_3-9943140-7.html

OVERSTOCK.COM THROWS NEW YORK AFFILIATES OVERBOARD TO AVOID SALES TAX (New York Times, 14 May 2008) - There were two predictable fallouts from New York State’s move to force online companies to collect state sales tax: There would be a lawsuit. And some online merchants would cut off their affiliates in the state. Amazon filed suit against the state late last month. Now Overstock.com has become the first major Internet retailer to cancel its relationship with affiliates in New York. Affiliates are Web site owners who get commissions for referring customers to an online store. They are important because New York State is requiring any company that has an affiliate in the state to collect sales taxes on its behalf. Until now, companies had to collect taxes only if they had a physical presence, such as an office or factory, in the state. “We believe the law is unconstitutional and won’t stand the test of the courts, but in the meantime we have been very careful to keep our footprint just in Utah,” said Jonathan Johnson, Overstock’s senior vice president for corporate affairs. “We can’t afford to have our New York affiliates up online if it subjects us to New York sales taxes.” Mr. Johnson said Overstock has 3,400 affiliates in New York State, though not all of them are active. The largest is NextJump, a provider of employee benefit programs. It also cut off some comparison shopping services, such as Jellyfish. http://bits.blogs.nytimes.com/2008/05/14/overstockcom-throws-new-york-affiliates-overboard-to-avoid-sales-tax/index.html?ref=technology

SEC REQUIRES XBRL FINANCIAL REPORTING BY LARGE PUBLIC FIRMS (Information Week, 14 May 2008) - The SEC on Wednesday issued rules requiring large publicly held companies to adopt XBRL, the financial reporting version of XML, by Dec. 15 to meet financial reporting requirements. XBRL is eXtensible Business Reporting Language, a set of extensions to XML that allows standardized accounting data to be tagged and retrieved easily across documents. Creating documents in XBRL allows them to be filed over the Web, exchanged with business partners, and searched for data without calling up the whole document. “XBRL is the common language of financial information exchange, much as English has become the worldwide language of business,” said Sunir Kapoor, a member of the board of directors of XBRL US, a standards group overseeing U.S. contributions to XBRL development, in a statement. XBRL is developing the definitions for tags used to identify terms used in applying U.S. generally accepted accounting principles. Kapoor is also CEO of UBmatrix, a Redwood City, Calif., firm that is a supplier of XBRL translation software. The SEC in a public meeting today adopted a mandate as of Dec. 15 to require XBRL for the reports of “large accelerated filers,” which would include most of the largest publicly held companies. Seventy-five companies already do so, including IBM (NYSE: IBM), General Electric, United Technologies, Ford Motor Co., Pepsi, and Xerox (NYSE: XRX). The mandate is expected to be phased in for additional publicly held companies once XBRL has become a standard way of making SEC reports. The SEC is following in the footsteps of the FDIC, which has already adopted XBRL, as well as the central banks of the European Union. SEC 10Ks and other reports that are filed using XBRL can be read by computer software, screened for certain data such as “net profit,” and reorganized in new reports.
Finding less common financial data, such as “assets held for sale,” or “construction in progress,” is possible quickly when they’ve been tagged by XBRL, as well as the more commonly used terms. XBRL can also be used to translate the terms used in one country’s accounting system into those used by another’s. http://www.informationweek.com/news/management/compliance/showArticle.jhtml?articleID=207800147&cid=RSSfeed_IWK_News

DON’T BLAME ME FOR ILLEGAL FILE SHARING, IT’S MY COMPUTER’S FAULT (Steptoe & Johnson’s E-Commerce Law Week, 15 May 2008) - Record companies’ suits against people that share or download music over the Internet continue to test the limits of copyright law. In Atlantic Recording Corp. v. Howell, several record companies alleged that a married couple had violated the plaintiffs’ exclusive right to distribute 54 copyrighted recordings by allowing their computer to share the songs through the KaZaA file-sharing system. Late last month, a federal court in Arizona denied the companies’ motion for summary judgment, holding that “[m]erely making an unauthorized copy of a copyrighted work available to the public does not violate a copyright holder’s exclusive right of distribution.” Rather, the plaintiffs had to show that a KaZaA user had downloaded the recording from the defendants in order to establish liability. This ruling is consistent with most district court decisions to date, but conflicts with a decision by the Fourth Circuit. The court also determined that downloads made by the record companies’ investigator could be used to establish unauthorized distribution. But the defendants’ responsibility for such downloads remained open to debate, since their testimony suggested that other users of the computer or the KaZaA program itself, rather than the defendants, may have authorized the sharing of the recordings. http://www.steptoe.com/publications-5322.html

ANOTHER COURT UPHOLDS A CLAIM FOR THE CONVERSION OF ELECTRONIC PROPERTY (Steptoe & Johnson’s E-Commerce Law Week, 15 May 2008) - Another court has ruled that the common law tort of conversion (basically, the unjustified interference with someone’s possession of his personal property) reaches electronic, as well as physical, property. In Ali v. Fasteners for Retail, Inc., a federal court in California ruled that plaintiff Al Ali had successfully stated a claim for the conversion of proprietary source code, cost data, and part numbers that various defendants had copied from his laptop and emails without his authorization. This decision follows similar rulings by the Ninth Circuit, the New York State Court of Appeals, and a Massachusetts state trial court. So, while at least one court has ruled in recent months that conversion does not apply to intangible information, the weight of precedent suggests that plaintiffs may increasingly find that electronic property can be the basis for a conversion claim. http://www.steptoe.com/publications-5322.html

INDIAN GOVT MAY GET KEYS TO YOUR BLACKBERRY MAILBOX SOON (Economic Times, 15 May 2008) - In a major change of stance, Canada-based Research In Motion (RIM) may allow the Indian government to intercept non-corporate emails sent over BlackBerrys. This is expected to solve the row between the Department of Telecom (DoT) and RIM to a large extent, since the government’s security concerns pertain more to emails from individual users than enterprise customers. At the core of the issue is the data encryption technology used in BlackBerrys. BlackBerry uses a very high level of encryption — at 256 bits — while sending data. BlackBerry scrambles messages before sending and unscrambles them at the receiver’s BlackBerry. Owing to security concerns, the government wants to be able to intercept and decode the data. However, the government’s decryption software can decode messages encrypted only up to 40 bits. India wants RIM to either hand over the decryption keys or reduce encryption to 40 bits. According to officials close to the development, Canadian High Commissioner David Malone and RIM officials met telecom secretary Siddhartha Behura on May 7. “It was explained by RIM that it should be possible for the government to monitor emails to non-business enterprise customers,” sources told ET. “RIM is considering giving access to individual users’ email to the government. Details on this will be provided in two or three weeks,” sources said. http://economictimes.indiatimes.com/Telecom/Govt_may_get_keys_to_your_BlackBerry_mailbox_soon/articleshow/3041313.cms

- and -

BLACKBERRY SPURNS INDIAN SPY CALL (BBC, 27 May 2008) - The Canadian manufacturer of Blackberry mobile phones has rejected demands by the Indian government that it help decrypt suspicious text messages. Research in Motion says its technology does not allow any third party - even the company itself - to read information sent over its network. http://news.bbc.co.uk/2/hi/south_asia/7420911.stm

STUDY: COX, COMCAST INTERFERE WITH FILE SHARING (SiliconValley.com, 15 May 2008) - Cox Communications appears to be interfering with file-sharing by its Internet subscribers in the same manner that has landed Comcast Corp. in hot water with regulators, according to research obtained by The Associated Press. A study based on the participation of 8,175 Internet users around the world found conclusive signs of blocked file-sharing connections only at three Internet service providers: Comcast and Cox in the U.S. and StarHub in Singapore. Of the 788 Comcast subscribers who participated in the study, 491, or 62 percent, had their connections blocked. At Cox, 82 out of 151 subscribers, or 54 percent, were blocked, according to Krishna Gummadi at the Max Planck Institute for Software Systems in Saarbruecken, Germany. Philadelphia-based Comcast is the country’s second-largest ISP, with 14.1 million subscribers. Atlanta-based Cox Communications is the fourth-largest, with 3.8 million. It is part of privately held Cox Enterprises Inc. Comcast’s practice of interfering with traffic was brought to light by user reports last year and confirmed by an AP investigation in October. Consumer advocate groups and legal scholars criticized the interference, saying that letting an ISP selectively block some connections makes it a gatekeeper to the Internet. Their complaints prompted the Federal Communications Commission to launch an investigation, which is ongoing. http://www.siliconvalley.com/news/ci_9269933?nclick_check=1

NEW DETROIT POLICY: TEXTS ARE PRIVATE (Detroit News, 16 May 2008) - Mayor Kwame Kilpatrick - who could face ouster and prison time over the embarrassing text messages allegedly exchanged on city pagers - is now telling city employees their text messages are private, even though their electronic devices are funded by taxpayers. A retooled policy, which circulated among employees Thursday, appears to be an about-face of the city’s old directive. Kilpatrick signed off on the previous policy during his first term that deemed “all communications” on city equipment were public. The new rules exempt telephones, text devices and pagers, which are “given to employees for their personal and business use.” The policy is unique among governments such as Wayne, Oakland and Macomb counties. But it mirrors arguments from Kilpatrick’s legal team that federal law makes text messages private. A communications law expert from Indiana University said he was “breathless” after hearing about the policy. “I’ve never heard one do what the city of Detroit is doing,” said law professor Fred Cate. “That is completely novel. It sort of undercuts the purpose of an open records law.” The policy change, which could be challenged under the Freedom of Information Act, comes amid ongoing criminal proceedings about text messages Kilpatrick allegedly sent on his city-issued SkyTel pager. They are the linchpin of prosecutors’ claims he perjured himself during a police whistle-blower trial last year and obstructed justice afterward with an $8.4 million settlement. Text messages first published in January appear to contradict testimony from Kilpatrick and his former chief of staff, Christine Beatty, at the trial. Prosecutors claim they lied while denying a relationship and their role in firing Deputy Police Chief Gary Brown. http://www.detnews.com/apps/pbcs.dll/article?AID=/20080516/METRO/805160371/1409/METRO

MICROSOFT CONFIRMS WINDOWS ADHERES TO BROADCAST FLAG (CNET, 18 May 2008) - Microsoft has acknowledged that Windows Media Centers will block users from recording TV shows at the request of a broadcaster. “Microsoft included technologies in Windows based on rules set forth by the (Federal Communications Commission),” a Microsoft spokeswoman wrote in an e-mail to CNET News.com. “As part of these regulations, Windows Media Center fully adheres to the flags used by broadcasters and content owners to determine how their content is distributed and consumed.” The software company was responding to questions about why some users of Windows Vista Media Center were prevented from recording NBC Universal TV shows, American Gladiator and Medium on Monday night. The “rules” to which the spokeswoman is apparently referring are those proposed by the FCC, which would require software and hardware makers to honor “broadcast flags.” The flags are code that broadcasters can insert into the data stream of TV shows that typically require restrictions on the recording of the shows. What she didn’t say is that the “rules” aren’t rules at all. The courts struck down the FCC’s proposal in 2005, saying the regulator lacked the authority to tell electronics makers how to interpret the signals they receive. Since then, Microsoft and other manufacturers have retained the option of whether to honor the flags. http://news.cnet.com/8301-10784_3-9946780-7.html?part=rss&subj=news&tag=2547-1_3-0-5

ONLINE TRAFFICKING INFLUENCES SUPREME COURT’S RULING ON CHILD PORN LAW (SiliconValley.com, 19 May 2008) - The Supreme Court says even in the no-holds-barred world of the Internet, some limits on speech are needed in the fight against online child pornography. A federal provision upheld by the court Monday imposes a mandatory five-year prison term on people convicted of promoting child porn, and it doesn’t run afoul of First Amendment free-speech rights, Justice Antonin Scalia wrote for the court. The law applies to “offers to provide or requests to obtain child pornography,” Scalia said. It does not require that someone actually possess child pornography. In their 7-2 ruling, the justices brushed aside concerns that the law, aimed at cracking down on the flourishing online exchange of illicit images of children, could sweep in mainstream movies, classic literature or even innocent e-mails that describe pictures of grandchildren. Joan Bertin, executive director of the National Coalition Against Censorship, said Scalia’s narrow reading of the law in his majority opinion should result in “considerably less damage than it might otherwise have done.” But Bertin said aggressive prosecutors still could try to punish people for innocent activity and put them “through a terrible ordeal.” Scalia, in his opinion for the court, said the law takes a reasonable approach to the issue by applying it to situations where the purveyor of the material believes or wants a listener to believe that he has actual child pornography. Likewise, he said, the law does not cover “the sorts of sex scenes found in R-rated movies.” Justice David Souter, joined by Justice Ruth Bader Ginsburg, dissented. Souter said promotion of images that are not real children engaging in pornography still could be the basis for prosecution under the law. Possession of those images, on the other hand, may not be prosecuted, he said. http://www.siliconvalley.com/news/ci_9313067

GOOGLE MAKES HEALTH SERVICE PUBLICLY AVAILABLE (SiliconValley.com, 19 May 2008) - Google is now offering the general public electronic access to their medical records and other health-related information. The Mountain View-based Web search leader announced the public launch of Google Health during a Webcast today. It lets users import records from a variety of care providers and pharmacies. Google tested the service by storing medical records for a few thousand patient volunteers at the not-for-profit Cleveland Clinic. http://www.siliconvalley.com/news/ci_9312181 [Editor: Now, I want Google to offer search for health-care providers, by cost and reputation; then, they’ll offer health care insurance coverage.]

SENATOR LIEBERMAN TRIES HUNTING DOWN TERRORIST VIDEOS ON YOUTUBE (TechDirt, 20 May 2008) - Folks in Congress sure are scared of any kind of popular new internet application being used by terrorists - quite often blaming the technology rather than looking for ways to use it to their advantage. They’ve targeted file sharing networks, Second Life and the whole internet as being terrorist havens. Now, Senator Joe Lieberman, who heads the Senate Committee on Homeland Security, is upset with Google for letting terrorists post videos on YouTube. Last week he sent a note asking them to take all of the videos down. YouTube employees went through the videos and took down the ones that violated the site’s terms of service, but left most of them up, as they neither showed violence nor promoted hate speech. Lieberman is not too happy about this and has sent a second letter, asking that the videos be taken down. This seems particularly silly for a variety of reasons. First off, it’s most likely that these types of videos are preaching to the choir. It’s hard to see too many folks watching some poorly produced al-Qaeda propaganda videos and suddenly deciding to join up. But, more importantly, by leaving these videos out in the open, it allows lots of folks to respond to them, criticize them and show them up for the awful propaganda they represent. In other words, why be scared of these videos when you can actually respond? Trying to force them offline suggests that we don’t think we can win the argument (and even helps to legitimize those who put up the videos). If these videos are promoting ignorant propaganda, the best response is to rebut, refute or even ridicule them - not bury them. Finally, leaving the videos up gives the government an excellent way to track what the groups are doing, rather than having their actions hidden away on other sites.
If they got taken offline by Google/YouTube it would be a matter of minutes before they showed up on other sites where it might even be more difficult for US officials to track them and see what messages terrorists are spreading. Weren’t we fighting against terrorists to stand up for principles like free speech and the belief that speech can be a weapon against propaganda? http://techdirt.com/articles/20080519/1810061172.shtml

MOODY’S ERROR GAVE TOP RATINGS TO DEBT PRODUCTS (Financial Times, 20 May 2008) - Moody’s awarded incorrect triple-A ratings to billions of dollars worth of a type of complex debt product due to a bug in its computer models, a Financial Times investigation has discovered. Internal Moody’s documents seen by the FT show that some senior staff within the credit agency knew early in 2007 that products rated the previous year had received top-notch triple A ratings and that, after a computer coding error was corrected, their ratings should have been up to four notches lower. http://us.ft.com/ftgateway/superpage.ft?news_id=fto052020081848170760

COPYRIGHT FIGHT BREWING BETWEEN TV NETWORKS AND REDLASSO (CNET, 20 May 2008) - Three of the largest broadcast TV networks have sent a cease-and-desist letter to RedLasso, a little-known but rapidly growing video syndication site. Fox News Network, NBC Universal, and CBS sent a letter on Monday, accusing the company of “building a business based on the unauthorized syndication of” the content owners’ news, sports, and entertainment shows. RedLasso records TV shows and then indexes clips so users can find, pull, and embed them on other Web sites. Reporter Liz Gannes over at Newteevee.com saw this one coming. Two weeks ago, Gannes noted that RedLasso had grown from 2 million unique users in November to 24 million in April. Gannes wrote: “Now might be a pretty good time to get permission.” She added later that RedLasso executives told her they were on good terms with broadcasters. The executives’ assertions, however, are untrue, the networks said in their letter to RedLasso. In the letter, the entertainment companies wrote that such statements “falsely convey an affiliation...when there is none.” At a time when the networks are giving their content away for free, one has to wonder why RedLasso would even get into this business. Anyone can go to Hulu and grab embed code for many NBC Universal shows without violating the law. http://news.cnet.com/8301-10784_3-9948892-7.html

FTC ADOPTS FINAL CAN-SPAM RULES (Steptoe & Johnson’s E-Commerce Law Week, 22 May 2008) - The Federal Trade Commission announced on May 12 that it had approved new rules governing the regulation of commercial email under the CAN-SPAM Act. Most notably, the rules modify the definition of “sender” to address situations where a single email message contains advertisements from multiple parties. In such a situation, if only one person is identified in the “from” line of the commercial email, then this person will generally be considered the “sole sender” of the email and will be exclusively responsible for handling opt-out requests. Moreover, the rules state that a sender may not require a recipient of a commercial email message to pay a fee, provide information other than an email address and opt-out preferences, or take any steps other than sending a reply email or visiting a single webpage in order to opt-out of future emails. The rules become effective July 7, 2008. http://www.steptoe.com/publications-5331.html New rules here: http://edocket.access.gpo.gov/2008/pdf/E8-11394.pdf EPIC writes: “The Commission stated that consumers couldn’t be charged a fee to opt out of unsolicited bulk commercial email (spam). The FTC also clarified several definitions, stating that: CAN-SPAM’s definition of a “person” is not limited to natural persons and a P.O. box qualifies as a “physical address” under CAN-SPAM. Furthermore, it clarified that third-party list brokers (companies that sell email lists to spammers), are not “senders” under CAN-SPAM, and are therefore not subject to the law’s opt-out requirements.”

RULING EXTENDS U.S. PATENT LAW TO WEBSITES OPERATING ABROAD (Steptoe & Johnson’s E-Commerce Law Week, 22 May 2008) - In order to state a patent claim for unauthorized use of an invention, a plaintiff must show, among other things, that the invention was used in the United States - seemingly a tricky proposition when the invention is part of a website maintained abroad. But, in Renhcol Inc. v. Don Best Sports, a federal court in Texas recently ruled that, where users in the United States “control and derive beneficial use from a device located overseas that infringes claimed system, those users use the infringing device in the United States and commit direct infringement.” As a result of such use by users, the website owners could be held liable for inducing the infringement. Since many of today’s highly interactive websites are controlled by and benefit users, this ruling could create liability under U.S. patent law for websites accessible in the United States, no matter where they are hosted or maintained. http://www.steptoe.com/publications-5331.html

LARGE COMPANIES PAYING WORKERS TO READ EMPLOYEE E-MAIL (CNET, 22 May 2008) - If you were thinking of using your work e-mail for job hunting or online dating, think twice. A new survey finds that 41 percent of large companies (those with 20,000 or more employees) are paying staffers to read or otherwise analyze the contents of employees’ outbound e-mail. http://news.cnet.com/8301-10784_3-9950451-7.html

FTC WANTS TO KNOW WHAT BIG BROTHER KNOWS ABOUT YOU (Washington Post, 22 May 2008) - How do you find a bride these days? One of the nation’s leading online tracking companies knows. Monitoring consumers at roughly 3,000 Web sites, Revenue Science identified brides by picking out bridal behavior it had seen: anyone who’d gone online to read about weddings in the news, entered “bridesmaid dresses” into a search engine or surfed fashion pages for wedding styles. The company found 40,000 such people, whom it knows by random number, not name, and sent them a tailored online ad. “A successful campaign,” according to company president Jeff Hirsch. The growing practice of “behavioral targeting,” or sending ads to online users based on their Internet habits, is now under scrutiny by the Federal Trade Commission, whose review could shape not only Web advertising rules but the character of the Web itself. For while public interest groups argue that compiling profiles of largely unsuspecting Internet users ought to be illegal, online advertisers and publishers respond that their ad targeting tactics protect privacy and may be essential to support the free content on the Web. Behavioral targeting allows many Web sites to raise ad prices, because advertisers will pay more when they can isolate a particular audience. Limiting behavioral targeting could “jeopardize the consumer’s ability to get free content on the Internet,” said Paul Boyle of the Newspaper Association of America, a trade group that represents the business interests of most U.S. dailies, including The Washington Post. The FTC is considering guidelines, for now voluntary, that would make it harder to target behavior. The principles were issued in December after town hall meetings, and the public comment period ended last month. As the commission’s deliberations begin, some federal and state lawmakers are weighing measures that would be mandatory. 
New York lawmakers, for example, are considering a law similar to the FTC guidelines. http://www.washingtonpost.com/wp-dyn/content/article/2008/05/21/AR2008052102989.html [Editor: Again, the FTC are at the forefront of an important issue. Remember their foray into the realm of “breach notification”? Their pioneering efforts help business, by bringing some order to the chaos.]

TJX EMPLOYEE FIRED FOR EXPOSING SHODDY SECURITY PRACTICES (The Register, 23 May 2008) - TJX Companies, the mammoth US retailer whose substandard security led to the world’s biggest credit card heist, has fired an employee after he left posts in an online forum that made disturbing claims about security practices at the store where he worked. Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas (http://www.tjx.com/contact/storemap.aspx?sid=08-624), that employees were able to log onto company servers using blank passwords, the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards. Benson said he was fired on Wednesday after managers said he disclosed confidential company information online. Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers. He said he brought the security issues to the attention of a district loss prevention manager named Allen in late 2006, and repeatedly discussed them with store managers. Except for a stretch when IT managers temporarily tightened password policies, the problems went unfixed. http://www.theregister.co.uk/2008/05/23/tjx_fires_whistleblower/print.html

COURT SMACKS AUTODESK, AFFIRMS RIGHT TO SELL USED SOFTWARE (Ars Technica, 23 May 2008) - A federal district judge in Washington State handed down an important decision this week on shrink-wrap license agreements and the First Sale Doctrine. The case concerned an eBay merchant named Timothy Vernor who has repeatedly locked horns with Autodesk over the sale of used copies of its software. Autodesk argued that it only licenses copies of its software, rather than selling them, and that therefore any resale of the software constitutes copyright infringement. But Judge Richard A. Jones rejected that argument, holding that Vernor is entitled to sell used copies of Autodesk’s software regardless of any licensing agreement that might have bound the software’s previous owners. Jones relied on the First Sale Doctrine, which ensures the right to re-sell used copies of copyrighted works. It is the principle that makes libraries and used book stores possible. The First Sale Doctrine was first articulated by the Supreme Court in 1908 and has since been codified into statute. http://arstechnica.com/news.ars/post/20080523-court-smacks-autodesk-affirms-right-to-sell-used-software.html

NASA EMPLOYEE SUSPENDED FOR POLITICAL BLOGGING (Computerworld, 28 May 2008) - Any employee can get in trouble for personal blogging on company time, but U.S. government workers, as one NASA employee has discovered, can get into a special kind of legal trouble if they also write about politics. They risk violating a 1939 law called the Hatch Act, which requires federal employees to keep their jobs and political activities separate. A National Aeronautics and Space Administration employee was suspended for 180 days for “numerous” blog posts about politics, sending “partisan e-mails” and soliciting for political contributions, according to an announcement last week by the U.S. Office of Special Counsel (OSC). The employee wasn’t identified. The intent of the Hatch Act is to prohibit “the use of the mechanism of government from influencing the outcome of an election,” said James Mitchell, an OSC spokesman. If a person is seeking money for candidates on company time and on company equipment, “that person might as well have been soliciting within the office,” he said. The suspension was the result of agreement reached with NASA by the special counsel. The employee, whose suspension began March 30, could have been fired from his job. The OSC is investigating similar cases at other agencies, Mitchell said. In some instances, the practice may be due to intra-office e-mails about particular candidates. “We have a lot of cases open right now in this election year,” Mitchell said. The NASA case, which involved a midlevel employee at the Johnson Space Center in Houston, may be a defining one, he said. In a statement announcing the action, Special Counsel Scott Bloch said that in earlier times, a Hatch Act violation may have involved wearing a campaign button in the office. 
“Today, modern office technology multiplies the opportunities for employees to abuse their positions and, as in this serious case, to be penalized, even removed from their job, with just a few clicks of a mouse,” he said. Federal employees who blog while at work about their dating life, for instance, aren’t risking a Hatch Act violation unless they are dating a candidate. Whether they get in trouble for sending out personal e-mails or blogging at work depends on the policies set by government agencies and whether those agencies monitor workers. The OSC doesn’t monitor workplace Internet use, and Mitchell said the NASA case was likely the result of a complaint. NASA allows “limited personal use” of IT equipment by its employees, provided it doesn’t interfere with its missions, affect employee productivity or violate any ethical standards or law. It specifically prohibits partisan political activity. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9090178&source=NLT_PM&nlid=8

GE SUFFERS A REDACTION DISASTER (28 May 2008) - Lawyers involved in the class action sex discrimination case against Fairfield, Conn.-based General Electric in 2007 would rather you not read passages from various filings. After all, the plaintiffs’ firm, Sanford, Wittels & Heisler in Washington, D.C., took the time and effort to black out reams of pages in numerous briefs to make them inaccessible to the public - or so they thought. But as of late last week, you could download several documents through PACER’s federal court filing system, copy the black bars that cover the text on the screen and paste them into a Word document. Voilà. Information about the inner-workings of GE’s white, male-dominated management and their alleged discriminatory practices against women, which is supposed to be sealed by court order, appears with little technical savvy required. “I didn’t know that,” plaintiffs’ lead counsel David W. Sanford said from his office early last week. Neither did Patrick W. Shea of Paul, Hastings, Janofsky & Walker in New York, which serves as GE’s outside counsel in the case. Shea said the two sides are in mediation after Judge Peter C. Dorsey in New Haven, Conn., denied GE’s motion to dismiss on May 8. Now, the game may have changed with revelations that there’s a large leak of information in the case, though Shea never said as much. He referred all questions to GE, whose spokesman, Gary Sheffer, wouldn’t comment on how the course of the case might be altered. “All parties agreed that the documents would be filed under seal,” Sheffer said. “We acted under belief that they were filed under seal, and we’re concerned.” http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1202421717785 [Editor: this is just basic stuff; the error verges on failure to provide competent representation.]

CHINA’S ALL-SEEING EYE (Rolling Stone, 29 May 2008) - With the help of U.S. defense contractors, China is building the prototype for a high-tech police state. It is ready for export. EPIC’s Marc Rotenberg writes: “[This] is a very powerful article by Naomi Klein in the current issue of Rolling Stone on China’s Hi-Tech Police State. Klein pulls together all of the key pieces - advanced surveillance technology, corporate investment, police authority, and political impact. She calls this “Police State 2.0.” It’s worth a close read.” http://www.rollingstone.com/politics/story/20797485/chinas_allseeing_eye

CDT RELEASES PRIVACY PRINCIPLES FOR DIGITAL WATERMARKING (CDT Press Release, 29 May 2008) - The Center for Democracy & Technology today released a set of privacy principles for digital watermarking. The principles are intended to provide guidance on how those deploying the technology can and should take privacy into account. Digital watermarking technology embeds information, in machine-readable form, within the content of a digital media file (typically image, audio, or video). In some applications, watermarks signal basic identifying information about the media file itself, such as its title or author. In other applications, watermarks can provide individualized user or transaction information. CDT’s principles address privacy questions that may arise when watermarks provide information about individual consumers or users. “Watermarking seems to be getting increased attention as a tool for facilitating digital content distribution,” said David Sohn, Senior Policy Counsel for CDT. “But people are bound to wonder what it means if their media files contain embedded information that can be used to identify them. From both the consumer and content distributor perspective, it would be best to address these kinds of privacy questions in advance, on a proactive basis.” http://cdt.org/press/20080529press.php Principles here: http://www.cdt.org/copyright/20080529watermarking.pdf

LAWYER SUSPENDED FOR E-MAIL SNOOPING (ABA Journal, 29 May 2008) - A West Virginia lawyer has been suspended for two years for accessing the e-mail of his wife and eight other lawyers at least 150 times over a two-year period. The West Virginia Supreme Court of Appeals imposed the sanction against Charleston lawyer Michael Markins in an opinion issued Friday, the Legal Profession Blog reports. At first Markins accessed his wife’s e-mail account at the law firm at which she worked as an associate in an attempt to learn whether she might be having an affair, ABAJournal.com noted in an earlier post. After he figured out the firm’s uncomplicated e-mail password system, “his curiosity got the better of him” and he accessed the e-mail accounts of eight other lawyers at his wife’s firm on almost a daily basis, the opinion says. At the time, Markins worked at Huddleston Bolen and his wife worked at Offutt, Fisher and Nord. Both lost their jobs. Markins accessed personal information and viewed confidential financial information intended to be read exclusively by Offutt Fisher’s partners. He didn’t stop until he learned the firm’s computer experts were on the verge of discovering that he was behind the unauthorized e-mail intrusions. Huddleston represented co-defendants in a large mass tort case, and one of them had a claim for indemnity against an Offutt Fisher client. However, there is no evidence that information concerning the case had been compromised, according to the opinion. Nor is there any evidence that Markins misused the information he accessed, the opinion says. Still, the court said it needed to impose an effective sanction as a deterrent to other lawyers and to reassure the public. http://www.abajournal.com/weekly/lawyer_suspended_for_e_mail_snooping [Editor: I wrote about this case in MIRLN 11.03 - http://www.knowconnect.com/mirln/article/mirln_v1103_17_february_8_march_2008/ - result seems mild to me.]

WHAT TO DO WITH PRIVILEGED INFORMATION IN E-MAILS (Law.com, 30 May 2008) - E-mail reviews have become a focal point of the internal investigation. Imagine a lawyer working late into the night reviewing the e-mails of an employee of a company that the firm represents. The inventory of communications includes jokes, shopping lists and spousal reminders about soccer games and parent/teacher meetings. The reader has learned much more about the personal life of the employee than the lawyer really wants to learn. In turn, the lawyer would be right to question the propriety of this kind of voyeurism. The lawyer is reminded that the company warns its employees that their e-mails could be reviewed and monitored. Sensibilities may become anesthetized by the sheer volume of e-mails that have to be reviewed in a limited amount of time. Then, the lawyer sees it: “Privileged and Confidential, if you are not the intended recipient please notify the sender immediately.” This e-mail is not from a friend forwarding a joke. This e-mail is from a lawyer who is communicating confidentially with the employee. Under these circumstances, a lawyer might reason that, whatever privileged information may have been communicated in such an e-mail, the privilege was waived through the use of the company’s e-mail system. After all, the company has repeatedly warned its employees that they have no expectation of privacy. But is an expectation of privacy concerning Internet surfing and e-mail jokes the same as an expectation that a privileged attorney-client communication will be respected? Similarly, one might reason that not every attorney-client communication contains privileged information and one cannot argue such a point unless the contents of the e-mail are thoroughly reviewed. 
But may an attorney review an e-mail that, on its face, (i) is from an attorney, (ii) is directed to someone other than the attorney reviewing the e-mail, and (iii) specifically warns that the communication is privileged and confidential? This article will explore the lawyer’s professional obligation in the handling of inadvertently disclosed privileged information, the various remedies for the misappropriation of privileged information under New York law, and the manner by which the law of New York may differ from the law of other jurisdictions. http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1202421787208

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. BNA’s Internet Law News, http://ecommercecenter.bna.com.
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
7. McGuire Wood’s Technology & Business Articles of Note, http://tinyurl.com/ywsusp
8. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
9. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.

Saturday, May 10, 2008

MIRLN 20 April - 10 May 2008 (v11.06)

**** CHANGE OF VENUE ****
Vince Polley has returned to KnowConnect.com, providing consulting services on e-policies and knowledge management. With this issue, MIRLN will be distributed by email from vpolley@knowconnect.com, and will be archived at www.knowconnect.com/mirln/.

**** NEWS ****

FIREWALL OF SILENCE - Data security breaches are rampant, and costly. So why don’t C-level executives talk about them? (CFO Magazine, 1 April 2008) - When Société Générale revealed in January that it had lost more than $7 billion due to fraudulent trading activity, most of the headlines focused on “rogue trader” Jerome Kerviel, framing him either as a criminal or a reckless striver. His “perp walk” was eagerly anticipated by a horde of cameramen and his image was plastered on publications and Websites around the world. Only later did questions emerge about the bank’s role as an enabler, and even then scant attention was paid to the exact manner in which the bank’s processes may have been at fault. In truth, much of the blame can be traced to poor security, and in that sense the intense coverage of Société Générale joins a long parade of stories devoted to identity theft, computer hacking, and data breaches of all kinds. Despite all that attention, in many respects computer security remains the corporate risk that dares not speak its name. CFOs in particular seem loath to discuss it publicly even when they admit privately that it’s a major concern. http://www.cfo.com/article.cfm/10918069?f=search

NIST SEEKS COMMENTS ON REVISION OF RISK MANAGEMENT FRAMEWORK (GCN, 16 April 2008) - The National Institute of Standards and Technology has released a second draft of Special Publication 800-39, titled “Managing Risk from Information Systems: An Organizational Perspective,” for public comment. NIST calls the document the flagship publication in the standards and guidelines it is developing under the Federal Information Security Management Act. It provides a framework for managing the risk to organizational operations and assets, individuals, other organizations, and the nation resulting from the use of information systems. It builds on a foundation of best security practices for agency leaders, chief information officers, information system designers, developers and administrators, auditors, and inspectors general. The current version of the document contains significant changes based on feedback on the first draft, released last fall. Comments on the current draft are being accepted at sec-cert@nist.gov until April 30. http://www.gcn.com/online/vol1_no1/46131-1.html?topic=security&CMP=OTC-RSS NIST draft here: http://csrc.nist.gov/publications/drafts/800-39/SP800-39-spd-sz.pdf

PAYPAL PLANS TO BAN UNSAFE BROWSERS (eWeek, 17 April 2008) - PayPal, one of the brands most spoofed in phishing attacks, is working on a plan to block its users from making transactions from Web browsers that don’t provide anti-phishing protection. The eBay-owned company, which runs a Web-based payment system that allows the transfer of funds between bank accounts and credit cards, said browsers that do not have support for blocking identity theft-related Web sites or for EV SSL (Extended Validation Secure Sockets Layer) certificates are considered “unsafe” for financial transactions. “In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts,” said PayPal Chief Information Security Officer Michael Barrett. In a white paper that outlines a five-pronged action plan aimed at slowing the phishing epidemic, Barrett said there’s a “significant set of [PayPal customers] who use very old and vulnerable browsers” and made it clear that any browser that falls into the “unsafe” category will be banned. http://www.eweek.com/c/a/Security/PayPal-Plans-to-Ban-Unsafe-Browsers/

MPAA SUES ALLEGED MOVIE PIRATE SITE (Reuters, 19 April 2008) - The Motion Picture Association of America on Thursday sued Pullmylink.com, a Web site featuring links to free -- and allegedly pirated -- movies and TV shows, claiming the site promotes and profits from copyright infringement. The lawsuit, filed in Los Angeles federal court, is the seventh action filed by the MPAA against content aggregators in the United States since late last year and is part of a larger anti-piracy campaign that included a criminal raid on the UK headquarters of one such site, TV Links. The campaign against sites that link to, but do not host, illegal content has raised some eyebrows with critics asking why the association doesn’t go after the host sites or Internet search engines such as Google.com, which owns video sharing site YouTube.com. http://www.pcworld.com/article/id,144846-c,copyright/article.html

NEW JERSEY COURT REQUIRES SUBPOENA FOR INTERNET SUBSCRIBER RECORDS (SiliconValley.com, 21 April 2008) - Internet service providers must not release personal information about users in New Jersey without a valid subpoena, even to police, the state’s highest court ruled today. New Jersey’s Supreme Court found that the state’s constitution gives greater protection against unreasonable searches and seizures than the U.S. Constitution. The court ruled that Internet providers should not disclose private information to anyone without a subpoena. A Washington lawyer who handles Internet litigation, Megan E. Gray, said the ruling “seems to be consistent with a trend nationwide, but not a strong trend.” Grayson Barber, a lawyer representing the American Civil Liberties Union, Electronic Frontier Foundation and the Electronic Privacy Information Center, among other groups that filed friend-of-the-court briefs in the case, said it was the first ruling in the nation to recognize a reasonable expectation of privacy for Internet users. http://origin.siliconvalley.com/news/ci_9004014?nclick_check=1 Court’s ruling here: http://www.steptoe.com/assets/attachments/2823.pdf

COGECO RANKS POORLY IN INTERNET INTERFERENCE REPORT (CBC, 22 April 2008) - Cogeco Inc., Canada’s sixth largest internet service provider, has ranked second worst in the world for traffic interference in a study by Vuze, an online video company. Next to Comcast Corp., the largest U.S. ISP, Montreal-based Cogeco had the highest internet reset connection rate in a study conducted by Vuze. Internet resets are a commonly used method of traffic shaping and interference with peer-to-peer applications such as BitTorrent, Vuze said. A reset occurs naturally when a communication link between computers cannot be made. ISPs engaged in traffic shaping, however, have introduced “false resets” to purposely block or slow uses of peer-to-peer software, Vuze said. While the company said its study cannot distinguish between natural and false resets, ISPs ranking high on the list are likely using the technique to purposely interfere with peer-to-peer traffic. “We are not aware of any normal conditions that would cause the disproportionately large variances in reset activity shown in the data in the data sets of this size,” the report said. “We believe that in most cases there is sufficient data to at least raise questions about whether particular network operators are taking steps to artificially interrupt network connections.” Palo Alto, Calif.-based Vuze, which uses BitTorrent to legally distribute video and games, has written to Cogeco requesting that the company spell out how it manages its network. http://www.cbc.ca/technology/story/2008/04/22/tech-vuze.html

HANNAFORD TO SPEND ‘MILLIONS’ ON IT SECURITY UPGRADES AFTER BREACH (ComputerWorld, 22 April 2008) - Executives at Hannaford Bros. Co. said today that the grocer expects to spend “millions” of dollars on IT security upgrades in the wake of the recent network intrusion that resulted in the theft of up to 4.2 million credit and debit card numbers from its systems. The planned upgrades include the installation of new intrusion-prevention systems that will monitor activities on Hannaford’s network and the individual systems at its stores, plus the deployment of PIN pad devices featuring Triple DES encryption support in store checkout aisles. Hannaford also has signed on IBM to do around-the-clock network monitoring under a managed security services deal, according to Ron Hodge, the grocer’s president and CEO, and Bill Homa, its CIO. In addition, the Scarborough, Maine-based company had said previously that it had replaced all of the servers in its stores as part of an effort to rid its network of malware that was placed on them during the intrusion. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9079652&source=rss_topic146

NO SUSPICION NEEDED TO SEARCH LAPTOPS AT U.S. BORDERS, SAYS NINTH CIRCUIT (ComputerWorld, 22 April 2008) - In a ruling that’s likely to come as a disappointment for privacy rights advocates, the U.S. Court of Appeals for the Ninth Circuit this week held that customs officers need no reasonable suspicion to search through the contents of any individual’s laptop at the country’s borders. The ruling reversed an earlier decision by the U.S. District Court for the Central District of California, which had granted a motion seeking to suppress evidence gathered from such a search in a case involving child pornography. In arriving at that decision, the district court ruled that customs officers indeed did need to have reasonable or particularized suspicion for searching through laptops at U.S. borders. The Ninth Circuit yesterday rejected Arnold’s arguments that reasonable suspicion was needed to search a computer because of its ability to store large amounts of data, ideas, e-mail, chats and Web-surfing habits. It also rejected Arnold’s argument that a higher level of suspicion was needed for computer searches at the border because of the risk of “expressive material” being exposed in such searches. “We are satisfied that reasonable suspicion is not needed for customs officials to search a laptop or other personal electronic storage devices at the border,” noted Judge Diarmuid O’Scannlain, who wrote the opinion of the three-judge panel. In writing the opinion of the appeals court, Judge O’Scannlain cited numerous cases to show that courts have long upheld suspicion-less searches of closed containers and their contents at U.S. borders. These include searches of items such as a traveler’s briefcase, purse, wallet or pockets. Citing one such case, Judge O’Scannlain noted that generally, “searches made at the border ... are reasonable simply by virtue of the fact that they occur at the border.” http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9079738&source=rss_topic146 Opinion here: http://www.ca9.uscourts.gov/ca9/newopinions.nsf/6D5D931898D8168188257432005AC9B8/$file/0650581.pdf?openelement [Editor: good analysis by Orin Kerr here: http://volokh.com/posts/1208829306.shtml; ComputerWorld has suggested best-practices for international business travelers here: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9082318&pageNumber=2]

FRENCH COURT EVISCERATES WEBSITE IMMUNITY FOR USER-GENERATED CONTENT (Steptoe & Johnson’s E-Commerce Law Week, 24 April 2008) - In France, as in the United States, Internet companies are supposed to enjoy legal protection from suits over content provided by third parties. But, if recent U.S. decisions have chipped away at the immunity available to websites under section 230(c)(1) of the Communications Decency Act, a recent French decision has blown a gaping hole in the defenses available under French law. Article 6-I-2 of the French Law for Confidence in the Digital Economy (LCEN) (which mirrors Article 14 of the EU E-Commerce Directive) states that public providers of “communications services” cannot be held liable for “information stored at the request of a recipient of those services” if the provider “did not have actual knowledge of [the] illegal nature” of the information, or if the provider “acted expeditiously to remove the data or make access impossible” after learning of its illegality. But the Paris Court of First Instance held last month that Bloobox.net was not immune for hosting a user-submitted link on its Fuzz.fr service, and was liable as an editor for its putative involvement in the “organization and presentation” of the link and associated headline. This decision extends a trend in which European courts have increasingly been willing to find Internet companies liable for user-generated content. If this trend continues, websites and Internet providers will be looking at major legal problems in Europe. http://www.steptoe.com/publications-5275.html

COURT’S RULING COULD HELP PLAINTIFFS SHOW “INJURY-IN-FACT” IN DATA BREACH SUITS (Steptoe & Johnson’s E-Commerce Law Week, 24 April 2008) - For the plaintiffs’ bar, winning damages for those whose personal information has been compromised in a data breach has been an uphill battle. As we’ve previously reported, most courts have refused to grant plaintiffs in such cases standing without evidence that the breach has caused identity theft or financial harm, and held that allegations of emotional distress or increased risk of future harm do not sufficiently state an “injury-in-fact.” But, in American Federation of Government Employees v. Hawley, the U.S. District Court for the District of Columbia recently held that four Transportation Security Administration security officers could sue the TSA, its Administrator Kip Hawley, the Department of Homeland Security, and DHS Secretary Michael Chertoff for an alleged violation of the Privacy Act stemming from TSA’s loss of a hard drive containing personnel data for 100,000 individuals -- despite the fact that the plaintiffs alleged only a variety of emotional harms but not “current, actual, financial loss.” Although the court’s holding was limited to the Privacy Act, which applies to government agencies, the court’s rationale could be persuasive to courts hearing data breach suits against private companies. http://www.steptoe.com/publications-5275.html

- and -

COURT’S RULING COULD ENCOURAGE MORE DATA BREACH LAWSUITS (Steptoe & Johnson’s E-Commerce Law Week, 8 May 2008) - A recent ruling by a federal court in California could help plaintiffs establish standing in data breach cases based solely on a risk of future harm. In Ruiz v. Gap, Inc., the court ruled that plaintiff Joel Ruiz, by asserting that the defendant’s loss of his social security number placed him “at an increased risk of identity theft,” had pleaded an “injury in fact” sufficient to preliminarily establish standing and survive a motion to dismiss his negligence claim. As we’ve previously reported, most courts have refused to grant plaintiffs in such cases standing without evidence that the breach caused identity theft or financial harm, and have held that allegations of emotional distress or increased risk of future harm do not sufficiently state an “injury-in-fact.” The court’s ruling in Ruiz, however, would mean that plaintiffs could force defendants in simple breach cases to undergo discovery and protracted litigation, even if they never were able to prove injury in fact or damages. This increases the settlement value of such cases to the plaintiffs’ bar, making breach suits more likely even where there is not a substantial risk of identity theft. http://www.steptoe.com/publications-5309.html Ruiz decision here: http://www.steptoe.com/assets/attachments/3392.pdf

JUSTICE DEPT. SEES SURGE IN GLOBAL CRIME NETWORKS (Washington Post, 24 April 2008) - At least three times this year, from a computer station in Romania, a hacker nicknamed Vladuz posed as an eBay customer service representative in a bid to steal sensitive information from Americans who visited the popular auction Web site. The man, part of a fraud ring controlled by a foreign criminal syndicate, was captured by Romanian police last week with the help of agents from the FBI and the Secret Service. Justice Department officials cited the case of Vladuz, also known as Vlad Duiculescu, to sound an alarm yesterday about a resurgence in organized crime that recognizes no national borders. Speaking to an audience at the Center for Strategic and International Studies, Attorney General Michael B. Mukasey offered praise for the successful efforts by Robert F. Kennedy decades ago to break the back of the Italian American mafia but told listeners that the current threat from international syndicates poses even greater challenges. The new breed of criminals is “more sophisticated, they are richer, they have greater influence over government and political institutions worldwide, and they are savvier about using the latest technology, first to perpetrate and then to cover up their crimes,” Mukasey said. Justice Department officials said yesterday that criminal elements were attempting to penetrate the energy sector, furnish weapons to terrorists and wreak havoc on the U.S. economy by using computers and shell companies to launder money and peddle phony goods. They said that judgment stemmed from a classified threat assessment and data from criminal investigations. In response, the Justice Department’s Organized Crime Council has held regular briefings for the first time in 15 years to forge a new strategy. At present, 120 prosecutors and FBI agents and analysts are working on organized crime issues. Department officials say they want to leverage those resources and work more closely with foreign counterparts and their own colleagues in the ranks of such departments as Treasury, State and Labor. http://www.washingtonpost.com/wp-dyn/content/article/2008/04/23/AR2008042303624.html

FBI’S NET SURVEILLANCE PROPOSAL RAISES PRIVACY, LEGAL CONCERNS (CNET, 25 April 2008) - The FBI director and a Republican congressman sketched out a far-reaching plan this week for warrantless surveillance of the Internet. During a House of Representatives Judiciary Committee hearing, the FBI’s Robert Mueller and Rep. Darrell Issa of California talked about what amounts to a two-step approach. Step 1 involves asking Internet service providers to open their networks to the FBI voluntarily; step 2 would be a federal law forcing companies to do just that. Both have their problems, legal and practical, but let’s look at step 1 first. Issa suggested that Internet providers could get “consent from every single person who signed up to operate under their auspices” for federal police to monitor network traffic for attempts to steal personal information and national secrets. Mueller said “legislation has to be developed” for “some omnibus search capability, utilizing filters that would identify the illegal activity as it comes through and give us the ability to pre-empt” it. These are remarkable statements. The clearest reading of them points to deep packet inspection of network traffic--akin to the measures Comcast took against BitTorrent and to what Phorm in the United Kingdom has done, in terms of advertising--plus additional processing to detect and thwart any “illegal activity.” “That’s very troubling,” said Greg Nojeim, director of the project on freedom, security, and technology at the Center for Democracy and Technology. “It could be an effort to achieve, through unknowing consent, permission to monitor communications in a way that would otherwise be prohibited by law.” Unfortunately, neither Issa nor Mueller recognized that such a plan is probably illegal. California law, for instance, says anyone who “intentionally and without the consent of all parties to a confidential communication” conducts electronic surveillance shall be imprisoned for one year. (I say “probably illegal” because their exchange didn’t offer much in the way of details.) “I think there’s a substantial problem with what Mueller’s proposing,” said Al Gidari, a partner at the Perkins Coie law firm who represents telecommunications providers. “He forgets the states have the power to pass more restrictive rules, and 12 of them have. He also forgets that we live in a global world, and the rest of the world doesn’t quite see eye to eye on this issue. That consent would be of dubious validity in Europe, for instance, where many of our customers reside.” http://www.news.com/8301-13578_3-9929085-38.html

LAURA BERG’S LETTER (New York Times Editorial, 27 April 2008) - The PEN American Center, the literary organization committed to free expression, is honoring an American most people in this country have never read or even heard of: Laura Berg. She is a psychiatric nurse at a Veterans Affairs hospital who was threatened with a sedition investigation after she wrote a letter to the editor denouncing the Bush administration’s bungling of Hurricane Katrina and the Iraq war. That’s right, sedition: inciting rebellion against the government. We suppose nothing should surprise us in these days of government zealotry. But the horror and the shame of that witch hunt should shock everyone. Ms. Berg identified herself as a V.A. nurse when, soon after Katrina’s horrors, she sent her impassioned letter to The Alibi, a paper in Albuquerque. “I am furious with the tragically misplaced priorities and criminal negligence of this government,” she wrote. “We need to wake up and get real here, and act forcefully to remove a government administration playing games of smoke and mirrors and vicious deceit.” Her superiors at the hospital soon alerted the Federal Bureau of Investigation and impounded her office computer, where she keeps the case files of war-scarred veterans she treats. Then she received an official warning in which a Veterans Affairs investigator intoned that her letter “potentially represents sedition.” It took civil rights litigators and Senator Jeff Bingaman of New Mexico to “act forcefully” in reminding the government of the Constitution and her right to free speech. The Department of Veterans Affairs retreated then finally apologized to the shaken Ms. Berg. Even then, she noted, one superior told her it was preferred that she not identify herself as a V.A. nurse in any future letter writing. “And so I am saying I am a V.A. nurse,” Ms. Berg soon boomed out in a radio broadcast. “And some of my fire in writing this about Katrina and Iraq is from my experience as a V.A. nurse.” Thus declared Ms. Berg, well chosen to receive the new PEN/Katherine Anne Porter First Amendment Award. http://www.nytimes.com/2008/04/27/opinion/27sun3.html?_r=1&ref=opinion&oref=slogin

COURT REJECTS RIAA’S ‘MAKING AVAILABLE’ PIRACY ARGUMENT (CNET, 29 April 2008) - The recording industry’s music piracy fight was dealt a setback Tuesday when a federal judge rejected the RIAA’s “making available” argument in a lawsuit against a husband and wife accused of copyright infringement. In Atlantic v. Howell, Judge Neil V. Wake denied the labels’ motion for summary judgment in a 17-page decision (PDF), allowing the suit to proceed to trial. The argument--that merely the act of making music files available for download constituted copyright infringement--has been the basis for the Recording Industry Association of America’s legal battle against online music piracy. http://www.news.com/8301-10784_3-9932004-7.html Court’s ruling here: http://www.ilrweb.com/viewILRPDF.asp?filename=atlantic_howell_080429Decision

WIRETAPS UP 20 PERCENT IN 2007 (U.S. Courts, 30 April 2008) - The number of intercepted wire, oral or electronic communications — also known as wiretaps — authorized by federal and state courts in 2007 was 20 percent higher than in 2006. Courts issued 2,208 such orders in 2007, compared to 1,839 in 2006, according to The 2007 Wiretap Report. http://www.uscourts.gov/Press_Releases/2008/wiretap.cfm Report at http://www.uscourts.gov/wiretap07/2007WTText.pdf Excerpts from the report: “The number of wiretaps reported increased 20 percent in 2007. A total of 2,208 applications were reported as authorized in 2007, including 457 submitted to federal judges and 1,751 to state judges. No applications were denied. The number of applications for orders by federal authorities fell less than 1 percent to 457. The number of applications reported by state prosecuting officials grew 27 percent to 1,751, with 24 states providing reports, 1 more than in 2006. Installed wiretaps were in operation an average of 44 days per wiretap in 2007, compared to 40 days in 2006. The average number of persons whose communications were intercepted decreased from 122 per wiretap order in 2006 to 94 per wiretap order in 2007. The average percentage of intercepted communications that were incriminating was 30 percent in 2007, compared to 20 percent in 2006. In 2007, no instances were reported of encryption encountered during any federal or state wiretap.”

CYBERWARFARE: DARPA’S NEW ‘SPACE RACE’ (Wired, 1 May 2008) - The Defense Advanced Research Projects Agency, or Darpa, was created 50 years ago, in response to the Soviets’ launch of Sputnik. In less than a year, Darpa put together the infrastructure that guided the American space effort for decades to come. Now, Darpa has been given new marching orders: to help America fight and win battles online. Under a directive signed by the President -- and OK’d by Congress -- nearly every arm of the government’s security apparatus is starting work on a massive national cybersecurity initiative, designed to protect the United States from electronic attack (and strike at adversaries online, as well). Darpa’s role: Create a cyberwarfare range where all these new forms of electronic combat can be tried out. According to a defense official familiar with the program: “Congress has given DARPA a direct order; that’s only happened once before -- with the Sputnik program in the ‘50s.” Danger Room’s sister blog, Threat Level, has a good writeup of the cybersecurity initiative, which has been labeled as a Manhattan Project-type effort (a similar label was used for the Pentagon’s work against IEDs, though it’s not clear the parallel is as real as some might hope). In the case of cybersecurity, there is at least talk of big money: about $30 billion, Danger Room is told. For its part, Darpa’s “National Cyber Range” would create a virtual environment where the Defense Department can mock real warfare, both defense and offense. http://blog.wired.com/defense/2008/05/the-pentagon-wa.html ThreatLevel’s write-up: http://blog.wired.com/27bstroke6/2008/04/feds-cyber-cent.html

- and -

AVATARS, VIRTUAL REALITY TECHNOLOGY, AND THE U.S. MILITARY: EMERGING POLICY ISSUES (Congressional Research Service, 9 April 2008) - This report describes virtual reality technology, which uses three-dimensional user-generated content, and its use by the U.S. military and intelligence community for training and other purposes. Both the military and private sector use this new technology, but terrorist groups may also be using it to train more realistically for future attacks, while still avoiding detection on the Internet. The issues for Congress to consider may include the cost-benefit implications of this technology, whether sufficient resources are available for the communications infrastructure needed to support expanded use of virtual reality technology, and whether there might be national security considerations if the United States falls behind other nations in developing or adopting this new technology. This report will be updated as events warrant. http://www.fas.org/sgp/crs/natsec/RS22857.pdf [Editor: the USG is beginning a detailed analysis of legal, policy, and technical implications from VR applications.]

- and -

INTERNET STRATEGY SAID NEEDED TO LIMIT TERRORISM (FCW, 8 May 2008) - The government should create a coordinated communications strategy to counter extremist groups’ growing use of the Internet to recruit, communicate and train potential terrorists, according to a report released today by the Senate Committee on Homeland Security and Governmental Affairs. The report, “Violent Islamist Extremism, The Internet and The Homegrown Terrorist Threat,” said the government has not developed or implemented a plan to counter terrorist groups that increasingly rely on the Internet to further their goals. The report noted that “immense caches of information and propaganda are available online” and raised questions about what an appropriate plan to deal with the threat should entail. “The long term goal of the strategy must be to isolate and discredit the ideology as a cause worthy of support,” Sens. Joseph Lieberman (I-Conn) and Susan Collins (R-Maine) said in a statement. “Federal, state and local officials, as well as Muslim American community and religious leaders and other private sector actors, must all play a prominent role in discrediting the terrorist message.” http://www.fcw.com/online/news/152482-1.html Report at: http://hsgac.senate.gov/public/_files/IslamistReport.pdf

FEDERAL JUDGE SETS FORMULA FOR INTERNET MUSIC ROYALTIES (Wired, 1 May 2008) - A federal court on Wednesday established a formula for determining the Internet royalties owed to thousands of music composers, writers and publishers by three major online services - Yahoo Inc., AOL and RealNetworks Inc. The American Society of Composers, Authors and Publishers hailed the decision, estimating the guidelines could yield as much as $100 million in payments covering a seven-year period ending in 2009. The trade group, known as ASCAP, had contended that its 320,000 members weren’t being properly compensated for musical works that helped drive traffic and increase revenue for Yahoo, Time Warner Inc.’s AOL and RealNetworks. Wednesday’s ruling, issued by a federal judge in New York, doesn’t affect the royalties owed to record companies. A representative for the Digital Media Association, a trade group representing the Internet services, declined to comment on the ruling late Wednesday. U.S. District Judge William Conner’s 153-page decision didn’t specify the total amount owed to the ASCAP members, but he provided an example on how the formula would apply to the music royalties owed by AOL and Yahoo for 2006. Under the formula endorsed by Conner, AOL owed 2006 fees of $5.95 million and Yahoo owed $6.76 million. http://news.wired.com/dynamic/stories/O/ONLINE_MUSIC_ROYALTIES?SITE=WIRE&SECTION=HOME&TEMPLATE=DEFAULT

DO THE RICH PAY TAXES? ITALY TELLS ALL (New York Times, 2 May 2008) - Many Italians’ attitude toward taxes runs something like this: Why should I pay if no one else does? Evasion is so common that landlords often demand two leases: one private with the actual amount expected, the other far lower and submitted to the authorities. Both, bafflingly, are vetted by lawyers. But for a few hours this week, all was laid bare with a technological bluntness unaccustomed here. The departing government of Romano Prodi, the center-left prime minister, on Wednesday posted the returns for all 40 million Italians who paid taxes in 2005. The Web site was instantly jammed to the point that few could actually see the data, but enough leaked out, with people spying on their neighbors and the rich and famous alike. By some accounts, the fashion designer Giorgio Armani paid the most, 19 million euros ($29 million) on 44 million euros ($68 million) in income. Some advocacy groups praised the site as a rare exercise in transparency. But many more were outraged, and the site was closed down a few hours after it went public. Vincenzo Visco, the departing deputy finance minister, said it was all part of a government effort to crack down on tax evasion. The site was supposed to go public in January, he said, but was delayed because of elections, won last month by Silvio Berlusconi, who had twice been prime minister. Though the official tax site went dead, it lives on virtually. Italian newspapers reported Thursday that it had been copied — and posted — as grist for curiosity and the next stage for tax compliance here. http://www.nytimes.com/2008/05/02/world/europe/02italy.html?ref=world

SOLDIER IN AFGHANISTAN ACCIDENTALLY CALLS PARENTS IN THE MIDDLE OF A BATTLE (TechDirt, 7 May 2008) - Most folks have experienced “accidental” phone calls, when a poorly designed mobile phone interface leads to a phone in a pocket somewhere accidentally redialing the last number called. Every once in a while you hear stories about it happening at very inappropriate times. But Jeff Nolan points us to an extreme such case. An American soldier in Afghanistan accidentally dialed his parents’ phone number in Oregon, just as he was in the middle of a battle. His parents weren’t home, but the message was recorded on their voicemail, including (as you might expect) guns firing, lots of swearing, and the son yelling about problems he was having with his gun as well as the need for more ammunition. Even worse, the call cut off just as another soldier yelled “Incoming! RPG!” As you might imagine, the parents were a bit freaked out, but eventually reached their son, who says he’s a bit embarrassed by the whole ordeal. Yet another reminder to make sure to “lock” the keypad on your phone. http://techdirt.com/articles/20080506/1156311045.shtml

CT RULES FILE SHARER MAY NOT RETAIN ANONYMITY ON FIRST AMENDMENT GROUNDS (BNA’s Internet Law News, 8 May 2008) - BNA’s Electronic Commerce & Law Report reports that the U.S. District Court for the District of Columbia has ruled that a student accused of copyright infringement has minimal expectation of privacy under the First Amendment when allegedly using a public online peer-to-peer network to disseminate copyrighted sound recordings. Because the student did not have a legitimate expectation of privacy, the student cannot invoke his First Amendment rights to anonymous speech to quash a subpoena seeking to identify him from his IP address, Judge Colleen Kollar-Kotelly held. Case name is Arista Records LLC v. Does 1-19.

WHEN FERPA AFFECTS IT (InsideHigherEd, 8 May 2008) - In late March, when the U.S. Department of Education released its proposed changes to regulations that govern the Family Educational Rights and Privacy Act, most of the attention focused on the latitude granted (or, in some cases, reiterated post-Virginia Tech) to college officials for determining in what circumstances and to whom students’ information could be disclosed. Since then, both offline and in online list discussions, information technology and network security officers have debated the impact of the rules on more mundane — but potentially just as relevant — functions of colleges’ day-to-day operations. Those discussions shifted to a more formal venue on Wednesday at Educause’s annual policy conference on the federal information technology agenda for higher education. The nonprofit group, which supports the “intelligent use of information technology,” was finalizing its own recommendations to the Education Department, due today, that would be included along with other signatories in an umbrella document from the American Council on Education. At a morning session called “The IT Implications of Proposed FERPA Regulations,” officials from several organizations discussed an overview of the potential changes, offering in some cases minor tweaks — and in others, major criticisms — of specific rules. Much of the discussion centered on what colleges elect to publicize as directory information. As defined by current regulations, “directory information” that “would not generally be considered harmful or an invasion of privacy if disclosed” — assuming students have been notified upon enrollment and can opt out of disclosure — includes names, addresses, phone numbers, e-mail addresses and photos. Other private data, such as grades and disciplinary history, cannot be included in directory information, whether accessible freely online or not. Until now, the rules haven’t specified whether students’ Social Security numbers, and the proprietary ID numbers many colleges assign to students, fall into the “directory information” category. The proposed changes specifically bar both numbers from that designation, which many officials have called a commonsense step but that may also result in unintended effects. http://insidehighered.com/news/2008/05/08/ferpa Proposed Rule changes (from 24 March 2008): http://a257.g.akamaitech.net/7/257/2422/01jan20081800/edocket.access.gpo.gov/2008/E8-5790.htm

MYSPACE TO LET USERS SHARE PROFILE ACROSS THE NET (Reuters, 8 May 2008) - News Corp’s MySpace social network will let users choose to share their public profile information, such as pictures, videos, and text, across the Web to spread its service beyond its own borders. At launch, the new “data availability” function will let users share their information on sites owned by Yahoo Inc, eBay Inc, Twitter and its own Photobucket, MySpace Chief Operating Officer Amit Kapur told Reuters in a phone interview. “MySpace no longer operates as an isolated island on the Internet,” Kapur said. “The walls are coming down.” MySpace’s decision to make its user data available is part of a Web-wide move to adopt open standards. Along with other big companies including Google Inc and Yahoo, MySpace has backed the OpenSocial network which aims to create a set of technological specifications that lets software developers build games, photo shows and other applications that can run on any network. MySpace users will be able to control where and what types of information will be shared, a feature that can be turned on and off at any time. MySpace is also restricting other sites from storing user data from MySpace users. People who sign up to Twitter, which lets users publish quick messages on a Web site, will not have to retype their information or upload pictures of themselves onto the new site again even if the information is changed on MySpace. The reverse won’t work however. http://news.yahoo.com/s/nm/20080508/wr_nm/newscorp_myspace_dc_5;_ylt=AmTx8QYM6.0w_fuyO2Z6o78E1vAI [Editor: This may be significant - federated identity management is increasingly important, and first-movers may occupy an important niche. See www.projectliberty.org for related ideas.]

- and -

FACEBOOK TO LET USERS CARRY PROFILES WITH THEM (AP, 9 May 2008) - Facebook Inc. is loosening its grip on millions of personal profiles to allow inhabitants of its popular Internet hangout to transplant the information and applications to other Web sites. Facebook, which has about 70 million users worldwide, unveiled its plans the day after its bigger rival, News Corp.’s MySpace, made a similar commitment. Unlike MySpace, which has about 200 million users worldwide, Palo Alto-based Facebook plans to allow users to take their personal profiles to any Web site that wants to host them. For starters, MySpace is opening user profiles only to a select group of sites, including leading destinations owned by Yahoo Inc. and eBay Inc. The transition poses a risk for Facebook and MySpace because they are effectively tearing down the barriers that sequestered the personal profiles on their sites. This so-called “walled-garden” approach kept people coming back to the sites and sticking around, creating a magnetism that appeals to advertisers. But pressure to offer portable profiles has been building as people have embraced the Internet as a convenient way to swap personal information and interests. Internet search leader Google Inc. waded into the fray last year by creating a network that’s supposed to make it easier to share music, pictures, video and other personal interests on a range of online hangouts. MySpace joined the Google system, known as OpenSocial, but Facebook hasn’t. http://news.yahoo.com/s/ap/20080509/ap_on_hi_te/open_facebook_4;_ylt=AqSJ4Z2xVJUUwCWQbrvB47IE1vAI

INTERNET ARCHIVE BEATS BACK FBI’S DEMAND FOR SUBSCRIBER DATA (Law.com, 8 May 2008) - The FBI has agreed to drop its demand that a San Francisco-based Internet library turn over subscriber information, according to court documents unsealed Monday. As part of a settlement, the FBI also agreed that its previously secret efforts could be publicized. The bureau served the Internet Archive -- whose Wayback Machine page allows viewers to see old versions of millions of Web pages -- with a national security letter in November 2007, but under the terms of a settlement reached between the two in April, the FBI has withdrawn the letter and agreed to make most of its contents public. Kurt Opsahl, a staff attorney with San Francisco’s Electronic Frontier Foundation who helped represent the archive, said he believes the victory is only the fourth successful challenge to a national security letter. The FBI said the letter to the archive was part of a national security investigation and that they “permit the FBI to gather the basic building blocks for our counterterrorism and counterintelligence investigations,” according to a statement by Assistant Director John Miller. http://www.law.com/jsp/article.jsp?id=1202421212345 Note: The Internet Archive challenged the order “based on a provision of the reauthorized USA Patriot Act, which protects libraries from such requests.”

HACKERS’ POSTS ON EPILEPSY FORUM CAUSE MIGRAINES, SEIZURES (Sydney Morning Herald, 8 May 2008) - Computer attacks typically don’t inflict physical pain on their victims. But in a rare example of an attack apparently motivated by malice rather than money, hackers recently bombarded the Epilepsy Foundation’s Web site with hundreds of pictures and links to pages with rapidly flashing images. The breach triggered severe migraines and near-seizure reactions in some site visitors who viewed the images. People with photosensitive epilepsy can get seizures when they’re exposed to flickering images, a response also caused by some video games and cartoons. “They were out to create seizures,” said Ken Lowenberg, senior director of Web and print publishing for the foundation. He said legitimate users are no longer able to post animated images to the support forum or create direct links to other sites, and it is now moderated around the clock. He said the FBI is investigating the breach. In a similar attack this year, a piece of malicious code was released that disabled software that reads text aloud from a computer screen for blind and visually impaired people. That attack appeared to have been designed to cripple the computers of people using illegal copies of the software, researchers said. http://news.smh.com.au/hackers-posts-on-epilepsy-forum-cause-migraines-seizures/20080508-2c4w.html

F.B.I. SAYS THE MILITARY HAD BOGUS COMPUTER GEAR (New York Times, 9 May 2008) - Counterfeit products are a routine threat for the electronics industry. However, the more sinister specter of an electronic Trojan horse, lurking in the circuitry of a computer or a network router and allowing attackers clandestine access or control, was raised again recently by the F.B.I. and the Pentagon. The new law enforcement and national security concerns were prompted by Operation Cisco Raider, which has led to 15 criminal cases involving counterfeit products bought in part by military agencies, military contractors and electric power companies in the United States. Over the two-year operation, 36 search warrants have been executed, resulting in the discovery of 3,500 counterfeit Cisco network components with an estimated retail value of more than $3.5 million, the F.B.I. said in a statement. The F.B.I. is still not certain whether the ring’s actions were for profit or part of a state-sponsored intelligence effort. The potential threat, according to the F.B.I. agents who gave a briefing at the Office of Management and Budget on Jan. 11, includes the remote jamming of supposedly secure computer networks and gaining access to supposedly highly secure systems. Contents of the briefing were contained in a PowerPoint presentation leaked to a Web site, Above Top Secret. http://www.nytimes.com/2008/05/09/technology/09cisco.html?_r=1&partner=rssyahoo&emc=rss&oref=slogin

**** RESOURCES ****
OPINION ON DATA PROTECTION ISSUES RELATED TO SEARCH ENGINES (EU Working Party 29, 4 April 2008) -- Search engines have become a part of the daily life of individuals using the Internet and information retrieval technologies. The Article 29 Working Party recognises the usefulness of search engines and acknowledges their importance. In this Opinion the Working Party identifies a clear set of responsibilities under the Data Protection Directive (95/46/EC) for search engine providers as controllers of user data. As providers of content data (i.e. the index of search results), European data protection law also applies to search engines in specific situations, for example if they offer a caching service or specialise in building profiles of individuals. http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2008/wp148_en.pdf

**** NOTED PODCASTS ****
THE CULTURAL COMMONS (Lewis Hyde, Harvard’s Berkman Center, 13 February 2007). Seventy minute podcast on Benjamin Franklin’s approach to learning, scientific exploration, and knowledge management. Explores “the genius for letting others inhabit your mind,” the copyright-ability of legal briefs (and Martin Luther King’s “I Have a Dream” speech), the Constitutional Convention, and communicative vs. proprietary language. Rated: 3 Stars. Podcast at: http://media-cyber.law.harvard.edu/AudioBerkman/lewis_hyde_2007-02-13.mp3

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. BNA’s Internet Law News, http://ecommercecenter.bna.com.
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
7. McGuireWoods’ Technology & Business Articles of Note, http://tinyurl.com/ywsusp
8. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
9. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.