Saturday, May 31, 2008

MIRLN 11-31 May 2008 (v11.07)

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley ( with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at

**************End of Introductory Note***************

BELL ACCUSED OF PRIVACY INVASION (CBC, 12 May 2008) - The Canadian Internet Policy and Public Interest Clinic, a University of Ottawa legal clinic specializing in internet- and other technology-related law, has joined the assault on Bell Canada Inc. and its traffic-shaping practices, urging an investigation by the country’s privacy commissioner. The group says Bell has failed to obtain the consent of its retail and wholesale internet customers in applying its deep-packet inspection technology, which tells the company what subscribers are using their connections for. Bell is using DPI to find and limit the use of peer-to-peer applications such as BitTorrent, which it says are congesting its network. The CIPPIC, which is made up mainly of lawyers and law students from the University of Ottawa, says Bell has not only failed to show that its network is congested and that its actions are necessary, but it has also run afoul of the Personal Information Protection and Electronic Documents Act (PIPEDA) in doing so. “Practices [such as] those involving the collection and use of personal information are not necessary to ensure network integrity and quality of service,” wrote CIPPIC director Philippa Lawson in a letter to the commissioner dated May 9. “Moreover, subscribers whose traffic is being inspected have not consented to the inspection and use of their data for this purpose.” Bell says it is using DPI only to read the “header” on the type of traffic, which determines what kind of usage it is. But CIPPIC contends that DPI must be used to “open the envelope” on the traffic for it to be of any use to an internet service provider, thus violating the user’s privacy.
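[Added example for the header-versus-payload dispute above. This code is not from the CBC item, Bell or CIPPIC; it is an editor's illustration of what a "header"-only classifier can and cannot see, and what "opening the envelope" means in practice. Assumptions, all constructed for the example: a flow is its two TCP ports plus the first bytes the client sent; the BitTorrent peer-wire handshake begins with the byte 0x13 followed by "BitTorrent protocol" (BEP 3); ports 6881-6889 are the protocol's traditional defaults.]

```python
"""Added example, not from the MIRLN item or from Bell/CIPPIC: what
separates reading the "header" of a flow from "opening the envelope".

Assumptions (constructed for this example): a flow is its two TCP ports
plus the first bytes the client sent.  The BitTorrent peer-wire handshake
starts with the byte 0x13 followed by b"BitTorrent protocol" (BEP 3); ports
6881-6889 are the protocol's traditional defaults.
"""
from dataclasses import dataclass
from typing import List, Tuple

BT_HANDSHAKE = b"\x13BitTorrent protocol"
BT_DEFAULT_PORTS = range(6881, 6890)
TLS_HANDSHAKE_RECORD = b"\x16\x03"  # record type 22 (handshake), SSL/TLS major version 3


@dataclass(frozen=True)
class Flow:
    src_port: int
    dst_port: int
    payload: bytes  # first application bytes sent by the client


def classify_by_header(flow: Flow) -> str:
    """Header-only classification: the ports are the only evidence.

    This is the "envelope": readable without touching a byte of the
    application data, but it is only a guess about what is inside."""
    ports = (flow.src_port, flow.dst_port)
    if any(p in BT_DEFAULT_PORTS for p in ports):
        return "bittorrent"
    if 443 in ports:
        return "https"
    if 80 in ports:
        return "http"
    return "unknown"


def classify_by_payload(flow: Flow) -> str:
    """Payload signature matching, i.e. deep packet inspection.

    Correct even on non-default ports, but only because the subscriber's
    own application data has been read."""
    if flow.payload.startswith(BT_HANDSHAKE):
        return "bittorrent"
    if flow.payload.startswith(TLS_HANDSHAKE_RECORD):
        return "tls"
    if flow.payload[:4] in (b"GET ", b"POST", b"HEAD"):
        return "http"
    return "unknown"


def compare(flows: List[Flow]) -> List[Tuple[str, str]]:
    """(header verdict, payload verdict) for each flow."""
    return [(classify_by_header(f), classify_by_payload(f)) for f in flows]


# Constructed flows.  BitTorrent handshake = 20 bytes above + 8 reserved
# + 20-byte info_hash + 20-byte peer_id.  Real clients pick random ports,
# so the second flow is the realistic case; the third shows a header-only
# classifier misfiring on an ordinary web request that happens to use 6881.
_BT_HELLO = BT_HANDSHAKE + bytes(8) + bytes(20) + b"-XX0000-peerid000000"
SAMPLE_FLOWS = [
    Flow(51234, 6881, _BT_HELLO),
    Flow(51235, 443, _BT_HELLO),
    Flow(51236, 6881, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    Flow(51237, 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

if __name__ == "__main__":
    for flow, (by_header, by_payload) in zip(SAMPLE_FLOWS, compare(SAMPLE_FLOWS)):
        print(f"{flow.src_port}->{flow.dst_port}: header says {by_header:<10} payload says {by_payload}")
```

The second and third flows are the point of contention: ports alone either miss BitTorrent on a non-default port or misfire on ordinary HTTP, so a shaper that reliably limits peer-to-peer traffic has to match the payload. BitTorrent clients' message stream encryption obfuscates the handshake and defeats a simple signature like this one, which is why commercial DPI equipment adds statistical flow heuristics; either way, anything beyond the header classifier is reading or modelling the subscriber's own data, which is the privacy question CIPPIC raised.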

FEW EXPECTED TO MAKE JUNE 30 PCI DEADLINE FOR WEB APPLICATION SECURITY (Computerworld, 12 May 2008) - Retailers covered by the Payment Card Industry Data Security Standard (PCI-DSS) have just about a month and a half left to comply with new requirements for protecting Web applications. But as with previous PCI-related deadlines, this one appears destined to pass with a majority of merchants unlikely to be in full compliance. After June 30, all merchants accepting payment card transactions will be expected to either use a specialized firewall for protecting their Web applications or to have completed a Web application software code review for finding and fixing vulnerabilities in these applications. Companies that fail to implement either measure will be deemed to be out of compliance with PCI starting June 30. “Most of our clients are not going to be ready,” by that deadline, said Avivah Litan, an analyst at Stamford, Conn.-based Gartner Inc. “We are amazed at how many companies are still only learning their way around the requirements” and what they call for, Litan said. With the deadline fast approaching, though, Gartner has seen an uptick in the number of calls it is receiving from clients wanting to know more about the new controls and how to implement them, she added. Section 6.6 of the new PCI requirements basically requires merchants to ensure that all Web-facing applications are protected against known attacks by applying either an application firewall or by completing an application code review - either manually or by using application-scanning tools. The requirements have been recommended best practice for more than 18 months but are now becoming a formal mandate.

PFIZER: PERSONAL INFORMATION ON EMPLOYEES ON STOLEN LAPTOP (, 13 May 2008) - There has been another computer security breach at Pfizer Inc.; this time it is the theft of a laptop containing information on thousands of employees, including 5,000 in Connecticut. It’s the second such breach in a month. [Editor: the 6th breach since May 2007.] Information on Pfizer employees was compromised when a company laptop and flash drive were stolen from an employee’s vehicle about a month ago, the company said Monday. The company would not identify the location of the theft. More than 65,000 data-breach notifications have been sent out by Pfizer over the past year.

GOOGLE BEGINS BLURRING FACES IN STREET VIEW (CNET, 13 May 2008) - Google has begun testing face-blurring technology for its Street View service, responding to privacy concerns from the search giant’s all-seeing digital camera eye. The technology uses a computer algorithm to scour Google’s image database for faces, then blurs them, said John Hanke, director of Google Earth and Google Maps, in an interview at the Where 2.0 conference here. Google has begun testing the technology in Manhattan, the company announced on its LatLong blog. Ultimately, though, Hanke expects it to be used more broadly. Dealing with privacy, both legal requirements and social norms, is hard but necessary, Hanke said. Street View poses other privacy issues besides just faces. Some people aren’t eager to have their houses on display, for example. But much of the hubbub seems to have waned since Google launched Street View in May 2007, and indeed other companies such as Blue Dasher are working on similar technology. Street View presents a view of dozens of United States cities from a driver’s perspective. It appears Google has begun collecting imagery in Europe as well, along with detailed 3D maps, including Milan, Rome, and Paris.

OVERSTOCK.COM THROWS NEW YORK AFFILIATES OVERBOARD TO AVOID SALES TAX (New York Times, 14 May 2008) - There were two predictable fallouts from New York State’s move to force online companies to collect state sales tax: There would be a lawsuit. And some online merchants would cut off their affiliates in the state. Amazon filed suit against the state late last month. Now Overstock.com has become the first major Internet retailer to cancel its relationship with affiliates in New York. Affiliates are Web site owners who get commissions for referring customers to an online store. They are important because New York State is requiring any company that has an affiliate in the state to collect sales taxes on its behalf. Until now, companies had to collect taxes only if they had a physical presence, such as an office or factory, in the state. “We believe the law is unconstitutional and won’t stand the test of the courts, but in the meantime we have been very careful to keep our footprint just in Utah,” said Jonathan Johnson, Overstock’s senior vice president for corporate affairs. “We can’t afford to have our New York affiliates up online if it subjects us to New York sales taxes.” Mr. Johnson said Overstock has 3,400 affiliates in New York State, though not all of them are active. The largest is NextJump, a provider of employee benefit programs. It also cut off some comparison shopping services, such as Jellyfish.

SEC REQUIRES XBRL FINANCIAL REPORTING BY LARGE PUBLIC FIRMS (Information Week, 14 May 2008) - The SEC on Wednesday issued rules requiring large publicly held companies to adopt XBRL, the financial reporting version of XML, by Dec. 15 to meet financial reporting requirements. XBRL is eXtensible Business Reporting Language, a set of extensions to XML that allows standardized accounting data to be tagged and retrieved easily across documents. Creating documents in XBRL allows them to be filed over the Web, exchanged with business partners, and searched for data without calling up the whole document. “XBRL is the common language of financial information exchange, much as English has become the worldwide language of business,” said Sunir Kapoor, a member of the board of directors of XBRL US, a standards group overseeing U.S. contributions to XBRL development, in a statement. XBRL US is developing the definitions for the tags used to identify terms used in applying U.S. generally accepted accounting principles. Kapoor is also CEO of UBmatrix, a Redwood City, Calif., firm that is a supplier of XBRL translation software. The SEC in a public meeting today adopted a mandate as of Dec. 15 to require XBRL for the reports of “large accelerated filers,” which would include most of the largest publicly held companies. Seventy-five companies already do so, including IBM (NYSE: IBM), General Electric, United Technologies, Ford Motor Co., Pepsi, and Xerox (NYSE: XRX). The mandate is expected to be phased in for additional publicly held companies once XBRL has become a standard way of making SEC reports. The SEC is following in the footsteps of the FDIC, which has already adopted XBRL, as well as the central banks of the European Union. SEC 10Ks and other reports that are filed using XBRL can be read by computer software, screened for certain data such as “net profit,” and reorganized in new reports.
Finding less common financial data, such as “assets held for sale,” or “construction in progress,” is possible quickly when they’ve been tagged by XBRL, as well as the more commonly used terms. XBRL can also be used to translate the terms used in one country’s accounting system into those used by another’s.
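[Added example for the XBRL item above: pulling individual tagged facts, including the less common "assets held for sale" and "construction in progress" items the article mentions, out of an XBRL instance document without reading the filing as prose. This is editor's illustration code, not from Information Week, the SEC or XBRL US. Constructed for the example: the instance document, its dollar amounts, the entity identifier and the us-gaap namespace URI (a placeholder; the three concept names follow the US GAAP taxonomy's naming style). The xbrli namespace is the real XBRL 2.1 instance namespace.]

```python
"""Added example, not from the Information Week item or from XBRL US/SEC:
pulling individual tagged facts out of an XBRL instance document.

Constructed for this example: the instance below, its amounts, the entity
identifier and the us-gaap namespace URI (placeholder).  The xbrli
namespace is the real XBRL 2.1 instance namespace.
"""
import xml.etree.ElementTree as ET
from decimal import Decimal
from typing import Dict, Optional

XBRLI = "{http://www.xbrl.org/2003/instance}"

SAMPLE_INSTANCE = """\
<xbrli:xbrl xmlns:xbrli="http://www.xbrl.org/2003/instance"
            xmlns:us-gaap="http://example.invalid/us-gaap/2008"
            xmlns:iso4217="http://www.xbrl.org/2003/iso4217">
  <xbrli:context id="FY2007">
    <xbrli:entity>
      <xbrli:identifier scheme="http://www.sec.gov/CIK">0000000000</xbrli:identifier>
    </xbrli:entity>
    <xbrli:period>
      <xbrli:startDate>2007-01-01</xbrli:startDate>
      <xbrli:endDate>2007-12-31</xbrli:endDate>
    </xbrli:period>
  </xbrli:context>
  <xbrli:context id="EOY2007">
    <xbrli:entity>
      <xbrli:identifier scheme="http://www.sec.gov/CIK">0000000000</xbrli:identifier>
    </xbrli:entity>
    <xbrli:period><xbrli:instant>2007-12-31</xbrli:instant></xbrli:period>
  </xbrli:context>
  <xbrli:unit id="USD"><xbrli:measure>iso4217:USD</xbrli:measure></xbrli:unit>
  <us-gaap:NetIncomeLoss contextRef="FY2007" unitRef="USD" decimals="-6">1234000000</us-gaap:NetIncomeLoss>
  <us-gaap:AssetsHeldForSaleCurrent contextRef="EOY2007" unitRef="USD" decimals="-6">45000000</us-gaap:AssetsHeldForSaleCurrent>
  <us-gaap:ConstructionInProgressGross contextRef="EOY2007" unitRef="USD" decimals="-6">78000000</us-gaap:ConstructionInProgressGross>
</xbrli:xbrl>
"""


def local_name(tag: str) -> str:
    """'{namespace}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def load_periods(root: ET.Element) -> Dict[str, str]:
    """Map each context id to a period label: 'start/end' for a duration,
    or the single date for an instant (balance-sheet) context."""
    periods: Dict[str, str] = {}
    for ctx in root.findall(f"{XBRLI}context"):
        period = ctx.find(f"{XBRLI}period")
        start = period.findtext(f"{XBRLI}startDate")
        end = period.findtext(f"{XBRLI}endDate")
        instant = period.findtext(f"{XBRLI}instant")
        periods[ctx.get("id")] = f"{start}/{end}" if start else instant
    return periods


def extract_facts(xml_text: str) -> Dict[str, Dict[str, Decimal]]:
    """Return {concept: {period: value}} for every fact in the instance.

    A fact whose contextRef names no declared context is rejected: a
    number with no period and no entity behind it is not a fact."""
    root = ET.fromstring(xml_text)
    periods = load_periods(root)
    facts: Dict[str, Dict[str, Decimal]] = {}
    for el in root:
        if el.tag.startswith(XBRLI):   # context and unit elements: structure, not facts
            continue
        ctx_id = el.get("contextRef")
        if ctx_id not in periods:
            raise ValueError(f"{local_name(el.tag)} references undeclared context {ctx_id!r}")
        value = Decimal((el.text or "").strip())   # exact; never parsed as float
        facts.setdefault(local_name(el.tag), {})[periods[ctx_id]] = value
    return facts


def lookup(facts: Dict[str, Dict[str, Decimal]], concept: str, period: str) -> Optional[Decimal]:
    """One tagged number, e.g. lookup(facts, "NetIncomeLoss", "2007-01-01/2007-12-31")."""
    return facts.get(concept, {}).get(period)


if __name__ == "__main__":
    facts = extract_facts(SAMPLE_INSTANCE)
    for concept in ("NetIncomeLoss", "AssetsHeldForSaleCurrent", "ConstructionInProgressGross"):
        print(concept, facts[concept])
```

The concept name and the context do the work the article describes: a reader asks for "AssetsHeldForSaleCurrent" at a date rather than hunting for a line in a PDF. Values are kept as Decimal so rounding never alters a reported figure, and a fact pointing at an undeclared context is treated as a malformed filing rather than silently accepted.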

DON’T BLAME ME FOR ILLEGAL FILE SHARING, IT’S MY COMPUTER’S FAULT (Steptoe & Johnson’s E-Commerce Law Week, 15 May 2008) - Record companies’ suits against people who share or download music over the Internet continue to test the limits of copyright law. In Atlantic Recording Corp. v. Howell, several record companies alleged that a married couple had violated the plaintiffs’ exclusive right to distribute 54 copyrighted recordings by allowing their computer to share the songs through the KaZaA file-sharing system. Late last month, a federal court in Arizona denied the companies’ motion for summary judgment, holding that “[m]erely making an unauthorized copy of a copyrighted work available to the public does not violate a copyright holder’s exclusive right of distribution.” Rather, the plaintiffs had to show that a KaZaA user had downloaded the recording from the defendants in order to establish liability. This ruling is consistent with most district court decisions to date, but conflicts with a decision by the Fourth Circuit. The court also determined that downloads made by the record companies’ investigator could be used to establish unauthorized distribution. But the defendants’ responsibility for such downloads remained open to debate, since their testimony suggested that other users of the computer or the KaZaA program itself, rather than the defendants, may have authorized the sharing of the recordings.

ANOTHER COURT UPHOLDS A CLAIM FOR THE CONVERSION OF ELECTRONIC PROPERTY (Steptoe & Johnson’s E-Commerce Law Week, 15 May 2008) - Another court has ruled that the common law tort of conversion (basically, the unjustified interference with someone’s possession of his personal property) reaches electronic, as well as physical, property. In Ali v. Fasteners for Retail, Inc., a federal court in California ruled that plaintiff Al Ali had successfully stated a claim for the conversion of proprietary source code, cost data, and part numbers that various defendants had copied from his laptop and emails without his authorization. This decision follows similar rulings by the Ninth Circuit, the New York State Court of Appeals, and a Massachusetts state trial court. So, while at least one court has ruled in recent months that conversion does not apply to intangible information, the weight of precedent suggests that plaintiffs may increasingly find that electronic property can be the basis for a conversion claim.

INDIAN GOVT MAY GET KEYS TO YOUR BLACKBERRY MAILBOX SOON (Economic Times, 15 May 2008) - In a major change of stance, Canada-based Research In Motion (RIM) may allow the Indian government to intercept non-corporate emails sent over BlackBerrys. This is expected to solve the row between the Department of Telecom (DoT) and RIM to a large extent, since the government’s security concerns pertain more to emails from individual users than enterprise customers. At the core of the issue is the data encryption technology used in BlackBerrys. BlackBerry uses 256-bit encryption while sending data. BlackBerry scrambles messages before sending and unscrambles them at the receiver’s BlackBerry. Owing to security concerns, the government wants to be able to intercept and decode the data. However, the government’s decryption software can decode only messages encrypted with keys of up to 40 bits. India wants RIM to either hand over the decryption keys or reduce encryption to 40 bits. According to officials close to the development, Canadian High Commissioner David Malone and RIM officials met telecom secretary Siddhartha Behura on May 7. “It was explained by RIM that it should be possible for the government to monitor emails to non-business enterprise customers,” sources told ET. “RIM is considering giving access to individual users’ email to the government. Details on this will be provided in two or three weeks,” sources said.

- and -

BLACKBERRY SPURNS INDIAN SPY CALL (BBC, 27 May 2008) - The Canadian manufacturer of BlackBerry mobile phones has rejected demands by the Indian government that it help decrypt suspicious text messages. Research In Motion says its technology does not allow any third party - even the company itself - to read information sent over its network.

STUDY: COX, COMCAST INTERFERE WITH FILE SHARING (, 15 May 2008) - Cox Communications appears to be interfering with file-sharing by its Internet subscribers in the same manner that has landed Comcast Corp. in hot water with regulators, according to research obtained by The Associated Press. A study based on the participation of 8,175 Internet users around the world found conclusive signs of blocked file-sharing connections only at three Internet service providers: Comcast and Cox in the U.S. and StarHub in Singapore. Of the 788 Comcast subscribers who participated in the study, 491, or 62 percent, had their connections blocked. At Cox, 82 out of 151 subscribers, or 54 percent, were blocked, according to Krishna Gummadi at the Max Planck Institute for Software Systems in Saarbruecken, Germany. Philadelphia-based Comcast is the country’s second-largest ISP, with 14.1 million subscribers. Atlanta-based Cox Communications is the fourth-largest, with 3.8 million. It is part of privately held Cox Enterprises Inc. Comcast’s practice of interfering with traffic was brought to light by user reports last year and confirmed by an AP investigation in October. Consumer advocate groups and legal scholars criticized the interference, saying that letting an ISP selectively block some connections makes it a gatekeeper to the Internet. Their complaints prompted the Federal Communications Commission to launch an investigation, which is ongoing.

NEW DETROIT POLICY: TEXTS ARE PRIVATE (Detroit News, 16 May 2008) - Mayor Kwame Kilpatrick - who could face ouster and prison time over the embarrassing text messages allegedly exchanged on city pagers - is now telling city employees their text messages are private, even though their electronic devices are funded by taxpayers. A retooled policy, which circulated among employees Thursday, appears to be an about-face of the city’s old directive. Kilpatrick signed off on the previous policy during his first term that deemed “all communications” on city equipment were public. The new rules exempt telephones, text devices and pagers, which are “given to employees for their personal and business use.” The policy is unique among governments such as Wayne, Oakland and Macomb counties. But it mirrors arguments from Kilpatrick’s legal team that federal law makes text messages private. A communications law expert from Indiana University said he was “breathless” after hearing about the policy. “I’ve never heard one do what the city of Detroit is doing,” said law professor Fred Cate. “That is completely novel. It sort of undercuts the purpose of an open records law.” The policy change, which could be challenged under the Freedom of Information Act, comes amid ongoing criminal proceedings about text messages Kilpatrick allegedly sent on his city-issued SkyTel pager. They are the linchpin of prosecutors’ claims he perjured himself during a police whistle-blower trial last year and obstructed justice afterward with an $8.4 million settlement. Text messages first published in January appear to contradict testimony from Kilpatrick and his former chief of staff, Christine Beatty, at the trial. Prosecutors claim they lied while denying a relationship and their role in firing Deputy Police Chief Gary Brown.

MICROSOFT CONFIRMS WINDOWS ADHERES TO BROADCAST FLAG (CNET, 18 May 2008) - Microsoft has acknowledged that Windows Media Center will block users from recording TV shows at the request of a broadcaster. “Microsoft included technologies in Windows based on rules set forth by the (Federal Communications Commission),” a Microsoft spokeswoman wrote in an e-mail to CNET. “As part of these regulations, Windows Media Center fully adheres to the flags used by broadcasters and content owners to determine how their content is distributed and consumed.” The software company was responding to questions about why some users of Windows Vista Media Center were prevented from recording the NBC Universal TV shows American Gladiators and Medium on Monday night. The “rules” to which the spokeswoman is apparently referring are those proposed by the FCC, which would have required software and hardware makers to honor “broadcast flags.” The flags are codes that a broadcaster can insert into the data stream of a TV show, typically to demand restrictions on recording it. What she didn’t say is that the “rules” aren’t rules at all. The courts struck down the FCC’s proposal in 2005, saying the regulator lacked the authority to tell electronics makers how to interpret the signals they receive. Since then, Microsoft and other manufacturers have retained the option of whether to honor the flags.

ONLINE TRAFFICKING INFLUENCES SUPREME COURT’S RULING ON CHILD PORN LAW (, 19 May 2008) - The Supreme Court says even in the no-holds-barred world of the Internet, some limits on speech are needed in the fight against online child pornography. A federal provision upheld by the court Monday imposes a mandatory five-year prison term on people convicted of promoting child porn, and it doesn’t run afoul of First Amendment free-speech rights, Justice Antonin Scalia wrote for the court. The law applies to “offers to provide or requests to obtain child pornography,” Scalia said. It does not require that someone actually possess child pornography. In their 7-2 ruling, the justices brushed aside concerns that the law, aimed at cracking down on the flourishing online exchange of illicit images of children, could sweep in mainstream movies, classic literature or even innocent e-mails that describe pictures of grandchildren. Joan Bertin, executive director of the National Coalition Against Censorship, said Scalia’s narrow reading of the law in his majority opinion should result in “considerably less damage than it might otherwise have done.” But Bertin said aggressive prosecutors still could try to punish people for innocent activity and put them “through a terrible ordeal.” Scalia, in his opinion for the court, said the law takes a reasonable approach to the issue by applying it to situations where the purveyor of the material believes or wants a listener to believe that he has actual child pornography. Likewise, he said, the law does not cover “the sorts of sex scenes found in R-rated movies.” Justice David Souter, joined by Justice Ruth Bader Ginsburg, dissented. Souter said promotion of images that are not real children engaging in pornography still could be the basis for prosecution under the law. Possession of those images, on the other hand, may not be prosecuted, he said.

GOOGLE MAKES HEALTH SERVICE PUBLICLY AVAILABLE (, 19 May 2008) - Google is now offering the general public electronic access to their medical records and other health-related information. The Mountain View-based Web search leader announced the public launch of Google Health during a Webcast today. It lets users import records from a variety of care providers and pharmacies. Google tested the service by storing medical records for a few thousand patient volunteers at the not-for-profit Cleveland Clinic. [Editor: Now, I want Google to offer search for health-care providers, by cost and reputation; then, they’ll offer health care insurance coverage.]

SENATOR LIEBERMAN TRIES HUNTING DOWN TERRORIST VIDEOS ON YOUTUBE (TechDirt, 20 May 2008) - Folks in Congress sure are scared of any kind of popular new internet application being used by terrorists - quite often blaming the technology rather than looking for ways to use it to their advantage. They’ve targeted file sharing networks, Second Life and the whole internet as being terrorist havens. Now, Senator Joe Lieberman, who heads the Senate Committee on Homeland Security is upset with Google for letting terrorists post videos on YouTube. Last week he sent a note asking them to take all of the videos down. YouTube employees went through the videos and took down the ones that violated the site’s terms of service, but left most of them up, as they neither showed violence nor promoted hate speech. Lieberman is not too happy about this and has sent a second letter, asking that the videos be taken down. This seems particularly silly for a variety of reasons. First off, it’s most likely that these types of videos are preaching to the choir. It’s hard to see too many folks watching some poorly produced al-Qaeda propaganda videos and suddenly deciding to join up. But, more importantly, by leaving these videos out in the open, it allows lots of folks to respond to them, criticize them and show them up for the awful propaganda they represent. In other words, why be scared of these videos when you can actually respond? Trying to force them offline suggests that we don’t think we can win the argument (and even helps to legitimize those who put up the videos). If these videos are promoting ignorant propaganda, the best response is to rebut, refute or even ridicule them - not bury them. Finally, leaving the videos up gives the government an excellent way to track what the groups are doing, rather than having their actions hidden away on other sites. 
If they got taken offline by Google/YouTube it would be a matter of minutes before they showed up on other sites where it might even be more difficult for US officials to track them and see what messages terrorists are spreading. Weren’t we fighting against terrorists to stand up for principles like free speech and the belief that speech can be a weapon against propaganda?

MOODY’S ERROR GAVE TOP RATINGS TO DEBT PRODUCTS (Financial Times, 20 May 2008) - Moody’s awarded incorrect triple-A ratings to billions of dollars worth of a type of complex debt product due to a bug in its computer models, a Financial Times investigation has discovered. Internal Moody’s documents seen by the FT show that some senior staff within the credit agency knew early in 2007 that products rated the previous year had received top-notch triple-A ratings and that, after a computer coding error was corrected, their ratings should have been up to four notches lower.

COPYRIGHT FIGHT BREWING BETWEEN TV NETWORKS AND REDLASSO (CNET, 20 May 2008) - Three of the largest broadcast TV networks have sent a cease-and-desist letter to RedLasso, a little-known but rapidly growing video syndication site. Fox News Network, NBC Universal, and CBS sent a letter on Monday, accusing the company of “building a business based on the unauthorized syndication of” the content owners’ news, sports, and entertainment shows. RedLasso records TV shows and then indexes clips so users can find, pull, and embed them on other Web sites. Reporter Liz Gannes over at saw this one coming. Two weeks ago, Gannes noted that RedLasso had grown from 2 million unique users in November to 24 million in April. Gannes wrote: “Now might be a pretty good time to get permission.” She added later that RedLasso executives told her they were on good terms with broadcasters. The executives’ assertions, however, are untrue, the networks said in their letter to RedLasso. In the letter, the entertainment companies wrote that such statements “falsely convey an affiliation...when there is none.” At a time when the networks are giving their content away for free, one has to wonder why RedLasso would even get into this business. Anyone can go to Hulu and grab embed code for many NBC Universal shows without violating the law.

FTC ADOPTS FINAL CAN-SPAM RULES (Steptoe & Johnson’s E-Commerce Law Week, 22 May 2008) - The Federal Trade Commission announced on May 12 that it had approved new rules governing the regulation of commercial email under the CAN-SPAM Act. Most notably, the rules modify the definition of “sender” to address situations where a single email message contains advertisements from multiple parties. In such a situation, if only one person is identified in the “from” line of the commercial email, then this person will generally be considered the “sole sender” of the email and will be exclusively responsible for handling opt-out requests. Moreover, the rules state that a sender may not require a recipient of a commercial email message to pay a fee, provide information other than an email address and opt-out preferences, or take any steps other than sending a reply email or visiting a single webpage in order to opt-out of future emails. The rules become effective July 7, 2008. New rules here: EPIC writes: “The Commission stated that consumers couldn’t be charged a fee to opt out of unsolicited bulk commercial email (spam). The FTC also clarified several definitions, stating that: CAN-SPAM’s definition of a “person” is not limited to natural persons and a P.O. box qualifies as a “physical address” under CAN-SPAM. Furthermore, it clarified that third-party list brokers (companies that sell email lists to spammers), are not “senders” under CAN-SPAM, and are therefore not subject to the law’s opt-out requirements.”

RULING EXTENDS U.S. PATENT LAW TO WEBSITES OPERATING ABROAD (Steptoe & Johnson’s E-Commerce Law Week, 22 May 2008) - In order to state a patent claim for unauthorized use of an invention, a plaintiff must show, among other things, that the invention was used in the United States - seemingly a tricky proposition when the invention is part of a website maintained abroad. But, in Renhcol Inc. v. Don Best Sports, a federal court in Texas recently ruled that, where users in the United States “control and derive beneficial use from a device located overseas that infringes a claimed system, those users use the infringing device in the United States and commit direct infringement.” Because of that use, the website owners could be held liable for inducing the infringement. Since many of today’s highly interactive websites are controlled by, and benefit, their users, this ruling could create liability under U.S. patent law for websites accessible in the United States, no matter where they are hosted or maintained.

LARGE COMPANIES PAYING WORKERS TO READ EMPLOYEE E-MAIL (CNET, 22 May 2008) - If you were thinking of using your work e-mail for job hunting or online dating, think twice. A new survey finds that 41 percent of large companies (those with 20,000 or more employees) are paying staffers to read or otherwise analyze the contents of employees’ outbound e-mail.

FTC WANTS TO KNOW WHAT BIG BROTHER KNOWS ABOUT YOU (Washington Post, 22 May 2008) - How do you find a bride these days? One of the nation’s leading online tracking companies knows. Monitoring consumers at roughly 3,000 Web sites, Revenue Science identified brides by picking out bridal behavior it had seen: anyone who’d gone online to read about weddings in the news, entered “bridesmaid dresses” into a search engine or surfed fashion pages for wedding styles. The company found 40,000 such people, whom it knows by random number, not name, and sent them a tailored online ad. “A successful campaign,” according to company president Jeff Hirsch. The growing practice of “behavioral targeting,” or sending ads to online users based on their Internet habits, is now under scrutiny by the Federal Trade Commission, whose review could shape not only Web advertising rules but the character of the Web itself. For while public interest groups argue that compiling profiles of largely unsuspecting Internet users ought to be illegal, online advertisers and publishers respond that their ad targeting tactics protect privacy and may be essential to support the free content on the Web. Behavioral targeting allows many Web sites to raise ad prices, because advertisers will pay more when they can isolate a particular audience. Limiting behavioral targeting could “jeopardize the consumer’s ability to get free content on the Internet,” said Paul Boyle of the Newspaper Association of America, a trade group that represents the business interests of most U.S. dailies, including The Washington Post. The FTC is considering guidelines, for now voluntary, that would make it harder to target behavior. The principles were issued in December after town hall meetings, and the public comment period ended last month. As the commission’s deliberations begin, some federal and state lawmakers are weighing measures that would be mandatory. 
New York lawmakers, for example, are considering a law similar to the FTC guidelines. [Editor: Again, the FTC is at the forefront of an important issue. Remember their foray into the realm of “breach notification”? Their pioneering efforts help business, by bringing some order to the chaos.]
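[Added example for the behavioral-targeting item above: how a tracking network turns page views seen across many unrelated sites, keyed only by a random cookie ID, into a marketable "bride" segment. This is editor's illustration code, not from the Washington Post, Revenue Science or the FTC. Everything in it is constructed for the example: the log format, the site names, the cookie IDs, the four signals and the two-signal threshold. The article supplies only the behaviors Revenue Science described (reading wedding news, searching "bridesmaid dresses", browsing wedding fashion pages).]

```python
"""Added example, not from the Washington Post item or from Revenue Science:
assembling a behavioural segment from a pseudonymous cookie ID seen across
many unrelated sites.  Log format, sites, IDs, signals and threshold are
all constructed for this example.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set
from urllib.parse import unquote_plus

# Constructed third-party tracking log: one line per page view the tracker
# observed through its embedded tag.  It never learns a name, only the
# cookie it set the first time it saw this browser.
LOG = """\
2008-05-20T10:01:02 uid=8f3a1c site=news.example path=/style/weddings/spring-brides q=
2008-05-20T10:05:40 uid=8f3a1c site=search.example path=/search q=bridesmaid+dresses
2008-05-20T10:09:13 uid=8f3a1c site=fashion.example path=/wedding/gowns/lace q=
2008-05-20T10:11:00 uid=8f3a1c site=health.example path=/conditions/diabetes q=
2008-05-20T11:30:00 uid=c0ffee site=news.example path=/sports/nba q=
2008-05-20T11:31:00 uid=c0ffee site=shop.example path=/electronics/tv q=
2008-05-20T12:00:00 uid=d34db3 site=search.example path=/search q=wedding+venues+ottawa
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\S+) site=(?P<site>\S+) path=(?P<path>\S+) q=(?P<q>\S*)$"
)

Event = Dict[str, str]


def parse_log(text: str) -> Dict[str, List[Event]]:
    """Group page views by cookie ID; lines that do not match are skipped."""
    by_uid: Dict[str, List[Event]] = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["q"] = unquote_plus(ev["q"]).lower()   # "bridesmaid+dresses" -> "bridesmaid dresses"
            by_uid[ev["uid"]].append(ev)
    return by_uid


def bride_signals(events: List[Event]) -> Set[str]:
    """Which of the constructed 'bride' behaviours this cookie exhibited."""
    signals: Set[str] = set()
    for ev in events:
        site, path, q = ev["site"], ev["path"].lower(), ev["q"]
        if site.startswith("news.") and ("wedding" in path or "bride" in path):
            signals.add("wedding_news")
        if "bridesmaid" in q:
            signals.add("bridesmaid_search")
        if site.startswith("fashion.") and "wedding" in path:
            signals.add("wedding_fashion")
        if "wedding" in q:
            signals.add("wedding_search")
    return signals


def build_segment(log_text: str, min_signals: int = 2) -> Dict[str, Set[str]]:
    """Cookie IDs that clear the threshold, with the signals that put them there."""
    segment: Dict[str, Set[str]] = {}
    for uid, events in parse_log(log_text).items():
        signals = bride_signals(events)
        if len(signals) >= min_signals:
            segment[uid] = signals
    return segment


def sites_seen(log_text: str, uid: str) -> Set[str]:
    """Everything else the same profile links together, bride-related or not."""
    return {ev["site"] for ev in parse_log(log_text).get(uid, [])}


if __name__ == "__main__":
    for uid, signals in build_segment(LOG).items():
        print(uid, sorted(signals), "also seen at:", sorted(sites_seen(LOG, uid)))
```

The segment is built without a name, as the article says, but the random number is a stable key: the same profile that earns the "bride" label also records the visit to a medical condition page, and it stays pseudonymous only as long as no participating site ever ties that cookie to an account. That linkage, not the label, is what the public interest groups in the article object to.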

TJX EMPLOYEE FIRED FOR EXPOSING SHODDY SECURITY PRACTICES (The Register, 23 May 2008) - TJX Companies, the mammoth US retailer whose substandard security led to the world’s biggest credit card heist, has fired an employee after he left posts in an online forum that made disturbing claims about security practices at the store where he worked. Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords, the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards. Benson said he was fired on Wednesday after managers said he disclosed confidential company information online. Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers. He said he brought the security issues to the attention of a district loss prevention manager named Allen in late 2006, and repeatedly discussed them with store managers. Except for a stretch when IT managers temporarily tightened password policies, the problems went unfixed.
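[Added example for the TJX item above: a read-only audit that flags the condition the fired employee described, accounts that accept a blank password, together with two neighboring weaknesses a reviewer would check in the same pass. This is editor's illustration code, not from The Register, TJX or Mr. Benson. The article does not say what the store servers ran; the example assumes a Unix-style /etc/shadow file, and the sample file, user names and hashes are constructed.]

```python
"""Added example, not from The Register item or from TJX: audit a
Unix-style /etc/shadow for accounts that accept a blank password.

Assumed format (constructed sample below):
  name:hash:lastchange:min:max:warn:inactive:expire:reserved
An empty hash field means no password is required.  '*' or a leading '!'
means the account is locked or has no usable password.  A hash with no
'$id$' prefix is traditional 13-character DES crypt.
"""
from dataclasses import dataclass
from typing import List

SAMPLE_SHADOW = """\
root:$6$Xk9sA1t/$7Qp3Mb2cLz8vR4nT0hYwE6uJ5iK1oP9sD3fG2hJ8kL0zX4cV7bN1mQ5wE9rT3yU6iO8pA2sD4fG6hJ9kL1zX3cV5b:17600:0:99999:7:::
storemgr::17400:0:99999:7:::
posreg::17450:0:99999:7:::
backup:!:17400:0:99999:7:::
daemon:*:17400:0:99999:7:::
svc_report:$1$Zq2w3e4r$0P9o8I7u6Y5t4R3e2W1q01:15000:0:99999:7:::
legacyapp:abJnggxhB/yWI:15000:0:99999:7:::
"""

# Salted, iterated schemes that are acceptable as of this writing.
STRONG_PREFIXES = ("$5$", "$6$", "$2a$", "$2b$", "$2y$", "$y$", "$7$", "$argon2")


@dataclass(frozen=True)
class Finding:
    user: str
    severity: str   # CRITICAL, WARN or INFO
    message: str


def audit_shadow(text: str) -> List[Finding]:
    """One pass over a shadow file.  The file is never modified."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 9:
            findings.append(Finding("?", "WARN", f"line {lineno}: malformed entry"))
            continue
        user, pw_hash, max_age = fields[0], fields[1], fields[4]
        locked = pw_hash == "*" or pw_hash.startswith("!")
        if pw_hash == "":
            findings.append(Finding(user, "CRITICAL", "empty password field: a blank password is accepted"))
        elif locked:
            findings.append(Finding(user, "INFO", "locked or no usable password"))
        elif pw_hash.startswith(STRONG_PREFIXES):
            pass  # modern salted, iterated hash: nothing to report
        elif pw_hash.startswith("$1$"):
            findings.append(Finding(user, "WARN", "MD5-crypt hash: fast to brute-force"))
        elif "$" not in pw_hash and len(pw_hash) == 13:
            findings.append(Finding(user, "WARN", "traditional DES crypt: 8-character limit, fast to brute-force"))
        else:
            findings.append(Finding(user, "WARN", f"unrecognised hash format {pw_hash[:4]!r}"))
        if not locked and max_age in ("", "99999"):
            findings.append(Finding(user, "WARN", "password never expires (max age empty or 99999)"))
    return findings


def users_with(findings: List[Finding], severity: str) -> List[str]:
    """Distinct users carrying at least one finding of the given severity."""
    return sorted({f.user for f in findings if f.severity == severity})


if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f.severity:<8} {f.user:<12} {f.message}")
```

Whether an empty field is actually exploitable depends on the login path (pam_unix only accepts empty passwords with its nullok option, and sshd ships with PermitEmptyPasswords off); the audit reports the condition, and confirming exploitability is a separate, authorised step. Reading /etc/shadow requires root, so this runs under the same change control as any other privileged job. The never-expires check is included because the article's account of a temporary tightening of password policy that lapsed is exactly what a recurring audit catches.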

COURT SMACKS AUTODESK, AFFIRMS RIGHT TO SELL USED SOFTWARE (Ars Technica, 23 May 2008) - A federal district judge in Washington State handed down an important decision this week on shrink-wrap license agreements and the First Sale Doctrine. The case concerned an eBay merchant named Timothy Vernor who has repeatedly locked horns with Autodesk over the sale of used copies of its software. Autodesk argued that it only licenses copies of its software, rather than selling them, and that therefore any resale of the software constitutes copyright infringement. But Judge Richard A. Jones rejected that argument, holding that Vernor is entitled to sell used copies of Autodesk’s software regardless of any licensing agreement that might have bound the software’s previous owners. Jones relied on the First Sale Doctrine, which ensures the right to re-sell used copies of copyrighted works. It is the principle that makes libraries and used book stores possible. The First Sale Doctrine was first articulated by the Supreme Court in 1908 and has since been codified into statute.

NASA EMPLOYEE SUSPENDED FOR POLITICAL BLOGGING (Computerworld, 28 May 2008) - Any employee can get in trouble for personal blogging on company time, but U.S. government workers, as one NASA employee has discovered, can get into a special kind of legal trouble if they also write about politics. They risk violating a 1939 law called the Hatch Act, which requires federal employees to keep their jobs and political activities separate. A National Aeronautics and Space Administration employee was suspended for 180 days for “numerous” blog posts about politics, sending “partisan e-mails” and soliciting for political contributions, according to an announcement last week by the U.S. Office of Special Counsel (OSC). The employee wasn’t identified. The intent of the Hatch Act is to prohibit “the use of the mechanism of government from influencing the outcome of an election,” said James Mitchell, an OSC spokesman. If a person is seeking money for candidates on company time and on company equipment, “that person might as well have been soliciting within the office,” he said. The suspension was the result of an agreement reached with NASA by the special counsel. The employee, whose suspension began March 30, could have been fired from his job. The OSC is investigating similar cases at other agencies, Mitchell said. In some instances, the practice may be due to intra-office e-mails about particular candidates. “We have a lot of cases open right now in this election year,” Mitchell said. The NASA case, which involved a midlevel employee at the Johnson Space Center in Houston, may be a defining one, he said. In a statement announcing the action, Special Counsel Scott Bloch said that in earlier times, a Hatch Act violation may have involved wearing a campaign button in the office. “Today, modern office technology multiplies the opportunities for employees to abuse their positions and, as in this serious case, to be penalized, even removed from their job, with just a few clicks of a mouse,” he said. Federal employees who blog while at work about their dating life, for instance, aren’t risking a Hatch Act violation unless they are dating a candidate. Whether they get in trouble for sending out personal e-mails or blogging at work depends on the policies set by government agencies and whether those agencies monitor workers. The OSC doesn’t monitor workplace Internet use, and Mitchell said the NASA case was likely the result of a complaint. NASA allows “limited personal use” of IT equipment by its employees, provided it doesn’t interfere with its missions, affect employee productivity or violate any ethical standards or law. It specifically prohibits partisan political activity.

GE SUFFERS A REDACTION DISASTER (28 May 2008) - Lawyers involved in the class action sex discrimination case against Fairfield, Conn.-based General Electric in 2007 would rather you not read passages from various filings. After all, the plaintiffs’ firm, Sanford, Wittels & Heisler in Washington, D.C., took the time and effort to black out reams of pages in numerous briefs to make them inaccessible to the public - or so they thought. But as of late last week, you could download several documents through PACER’s federal court filing system, copy the black bars that cover the text on the screen and paste them into a Word document. Voilà. Information about the inner workings of GE’s white, male-dominated management and their alleged discriminatory practices against women, which is supposed to be sealed by court order, appears with little technical savvy required. “I didn’t know that,” plaintiffs’ lead counsel David W. Sanford said from his office early last week. Neither did Patrick W. Shea of Paul, Hastings, Janofsky & Walker in New York, which serves as GE’s outside counsel in the case. Shea said the two sides are in mediation after Judge Peter C. Dorsey in New Haven, Conn., denied GE’s motion to dismiss on May 8. Now, the game may have changed with revelations that there’s a large leak of information in the case, though Shea never said as much. He referred all questions to GE, whose spokesman, Gary Sheffer, wouldn’t comment on how the course of the case might be altered. “All parties agreed that the documents would be filed under seal,” Sheffer said. “We acted under belief that they were filed under seal, and we’re concerned.” [Editor: this is just basic stuff; the error verges on failure to provide competent representation.]
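The check a filing party should run before uploading, as an added example that is not from the article or from any party in the case: it scans a constructed one-page PDF in which a black box has been painted over a sentence, shows that the sentence is still recoverable from the page's content stream (the failure the article describes), and then strips the text objects so only the box remains. The PDF bytes, the placeholder sentence and the helper names are all constructed for this illustration.

```python
import re
import zlib

# Constructed sample (not a real court filing): a minimal uncompressed PDF whose
# page draws a sentence and then paints a black box over it. The box hides the
# text on screen, but the string is still sitting in the content stream.
PAGE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 0 >>
stream
BT /F1 12 Tf 72 700 Td (SEALED: constructed placeholder sentence) Tj ET
0 0 0 rg 70 695 300 16 re f
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
TJ_RE = re.compile(rb"\(((?:\\.|[^\\()])*)\)\s*Tj")      # (string) Tj
TJ_ARRAY_RE = re.compile(rb"\[(.*?)\]\s*TJ", re.S)         # [(s) 12 (t)] TJ
STR_RE = re.compile(rb"\(((?:\\.|[^\\()])*)\)")


def content_streams(pdf: bytes):
    """Yield each stream body, inflating FlateDecode streams where present."""
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        try:
            body = zlib.decompress(body)
        except zlib.error:
            pass  # not compressed; use the raw bytes
        yield body


def residual_text(pdf: bytes) -> list:
    """Return every literal string the page still draws, black boxes or not."""
    found = []
    for body in content_streams(pdf):
        found += [m.group(1).decode("latin-1") for m in TJ_RE.finditer(body)]
        for m in TJ_ARRAY_RE.finditer(body):
            found.append(b"".join(STR_RE.findall(m.group(1))).decode("latin-1"))
    return found


def strip_text_objects(pdf: bytes) -> bytes:
    """Crude true redaction for uncompressed pages: delete the BT..ET text
    objects so only the box remains (real tools remove just the covered text)."""
    return re.sub(rb"BT\b.*?\bET\b\s*", b"", pdf, flags=re.S)
```

An empty result from `residual_text` on the file you are about to upload is the condition to require; a non-empty one means the bars are decoration, not redaction.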

CHINA’S ALL-SEEING EYE (Rolling Stone, 29 May 2008) - With the help of U.S. defense contractors, China is building the prototype for a high-tech police state. It is ready for export. EPIC’s Marc Rotenberg writes: “[This] is a very powerful article by Naomi Klein in the current issue of Rolling Stone on China’s Hi-Tech Police State. Klein pulls together all of the key pieces - advanced surveillance technology, corporate investment, police authority, and political impact. She calls this ‘Police State 2.0.’ It’s worth a close read.”

CDT RELEASES PRIVACY PRINCIPLES FOR DIGITAL WATERMARKING (CDT Press Release, 29 May 2008) - The Center for Democracy & Technology today released a set of privacy principles for digital watermarking. The principles are intended to provide guidance on how those deploying the technology can and should take privacy into account. Digital watermarking technology embeds information, in machine-readable form, within the content of a digital media file (typically image, audio, or video). In some applications, watermarks signal basic identifying information about the media file itself, such as its title or author. In other applications, watermarks can provide individualized user or transaction information. CDT’s principles address privacy questions that may arise when watermarks provide information about individual consumers or users. “Watermarking seems to be getting increased attention as a tool for facilitating digital content distribution,” said David Sohn, Senior Policy Counsel for CDT. “But people are bound to wonder what it means if their media files contain embedded information that can be used to identify them. From both the consumer and content distributor perspective, it would be best to address these kinds of privacy questions in advance, on a proactive basis.” Principles here:

LAWYER SUSPENDED FOR E-MAIL SNOOPING (ABA Journal, 29 May 2008) - A West Virginia lawyer has been suspended for two years for accessing the e-mail of his wife and eight other lawyers at least 150 times over a two-year period. The West Virginia Supreme Court of Appeals imposed the sanction against Charleston lawyer Michael Markins in an opinion issued Friday, the Legal Profession Blog reports. At first Markins accessed his wife’s e-mail account at the law firm at which she worked as an associate in an attempt to learn whether she might be having an affair, as noted in an earlier post. After he figured out the firm’s uncomplicated e-mail password system, “his curiosity got the better of him” and he accessed the e-mail accounts of eight other lawyers at his wife’s firm on almost a daily basis, the opinion says. At the time, Markins worked at Huddleston Bolen and his wife worked at Offutt, Fisher and Nord. Both lost their jobs. Markins accessed personal information and viewed confidential financial information intended to be read exclusively by Offutt Fisher’s partners. He didn’t stop until he learned the firm’s computer experts were on the verge of discovering that he was behind the unauthorized e-mail intrusions. Huddleston represented co-defendants in a large mass tort case, and one of them had a claim for indemnity against an Offutt Fisher client. However, there is no evidence that information concerning the case had been compromised, according to the opinion. Nor is there any evidence that Markins misused the information he accessed, the opinion says. Still, the court said it needed to impose an effective sanction as a deterrent to other lawyers and to reassure the public. [Editor: I wrote about this case in MIRLN 11.03 - - result seems mild to me.]

WHAT TO DO WITH PRIVILEGED INFORMATION IN E-MAILS (30 May 2008) - E-mail reviews have become a focal point of the internal investigation. Imagine a lawyer working late into the night reviewing the e-mails of an employee of a company that the firm represents. The inventory of communications includes jokes, shopping lists and spousal reminders about soccer games and parent/teacher meetings. The reader has learned much more about the personal life of the employee than the lawyer really wants to learn. In turn, the lawyer would be right to question the propriety of this kind of voyeurism. The lawyer is reminded that the company warns its employees that their e-mails could be reviewed and monitored. Sensibilities may become anesthetized by the sheer volume of e-mails that have to be reviewed in a limited amount of time. Then, the lawyer sees it: “Privileged and Confidential, if you are not the intended recipient please notify the sender immediately.” This e-mail is not from a friend forwarding a joke. This e-mail is from a lawyer who is communicating confidentially with the employee. Under these circumstances, a lawyer might reason that, whatever privileged information may have been communicated in such an e-mail, the privilege was waived through the use of the company’s e-mail system. After all, the company has repeatedly warned its employees that they have no expectation of privacy. But is an expectation of privacy concerning Internet surfing and e-mail jokes the same as an expectation that a privileged attorney-client communication will be respected? Similarly, one might reason that not every attorney-client communication contains privileged information and one cannot argue such a point unless the contents of the e-mail are thoroughly reviewed. But may an attorney review an e-mail that, on its face, (i) is from an attorney, (ii) is directed to someone other than the attorney reviewing the e-mail, and (iii) specifically warns that the communication is privileged and confidential? This article will explore the lawyer’s professional obligation in the handling of inadvertently disclosed privileged information, the various remedies for the misappropriation of privileged information under New York law, and the manner by which the law of New York may differ from the law of other jurisdictions.

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School,
2. Edupage,
3. SANS Newsbites,
4. NewsScan and Innovation,
5. BNA’s Internet Law News,
6. Crypto-Gram,
7. McGuire Wood’s Technology & Business Articles of Note,
8. Steptoe & Johnson’s E-Commerce Law Week,
9. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.