Saturday, May 10, 2008

MIRLN 20 April - 10 May 2008 (v11.06)

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by www.KnowConnect.com.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.abanet.org/dch/committee.cfm?com=CL320000 (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln.

**************End of Introductory Note***************

**** CHANGE OF VENUE ****
Vince Polley has returned to KnowConnect.com, providing consulting services on e-policies and knowledge management. With this issue, MIRLN will be distributed by email from vpolley@knowconnect.com, and will be archived at www.knowconnect.com/mirln/.

**** NEWS ****

FIREWALL OF SILENCE - Data security breaches are rampant, and costly. So why don’t C-level executives talk about them? (CFO Magazine, 1 April 2008) - When Société Générale revealed in January that it had lost more than $7 billion due to fraudulent trading activity, most of the headlines focused on “rogue trader” Jerome Kerviel, framing him either as a criminal or a reckless striver. His “perp walk” was eagerly anticipated by a horde of cameramen and his image was plastered on publications and Websites around the world. Only later did questions emerge about the bank’s role as an enabler, and even then scant attention was paid to the exact manner in which the bank’s processes may have been at fault. In truth, much of the blame can be traced to poor security, and in that sense the intense coverage of Société Générale joins a long parade of stories devoted to identity theft, computer hacking, and data breaches of all kinds. Despite all that attention, in many respects computer security remains the corporate risk that dares not speak its name. CFOs in particular seem loath to discuss it publicly even when they admit privately that it’s a major concern. http://www.cfo.com/article.cfm/10918069?f=search

NIST SEEKS COMMENTS ON REVISION OF RISK MANAGEMENT FRAMEWORK (GCN, 16 April 2008) - The National Institute of Standards and Technology has released a second draft of Special Publication 800-39, titled “Managing Risk from Information Systems: An Organizational Perspective,” for public comment. NIST calls the document the flagship publication in the standards and guidelines it is developing under the Federal Information Security Management Act. It provides a framework for managing the risk to organizational operations and assets, individuals, other organizations, and the nation resulting from the use of information systems. It builds on a foundation of best security practices for agency leaders, chief information officers, information system designers, developers and administrators, auditors, and inspectors general. The current version of the document contains significant changes based on feedback on the first draft, released last fall. Comments on the current draft are being accepted at sec-cert@nist.gov until April 30. http://www.gcn.com/online/vol1_no1/46131-1.html?topic=security&CMP=OTC-RSS NIST draft here: http://csrc.nist.gov/publications/drafts/800-39/SP800-39-spd-sz.pdf

PAYPAL PLANS TO BAN UNSAFE BROWSERS (eWeek, 17 April 2008) - PayPal, one of the brands most spoofed in phishing attacks, is working on a plan to block its users from making transactions from Web browsers that don’t provide anti-phishing protection. The eBay-owned company, which runs a Web-based payment system that allows the transfer of funds between bank accounts and credit cards, said browsers that do not have support for blocking identity theft-related Web sites or for EV SSL (Extended Validation Secure Sockets Layer) certificates are considered “unsafe” for financial transactions. “In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts,” said PayPal Chief Information Security Officer Michael Barrett. In a white paper that outlines a five-pronged action plan aimed at slowing the phishing epidemic, Barrett said there’s a “significant set of [PayPal customers] who use very old and vulnerable browsers” and made it clear that any browser that falls into the “unsafe” category will be banned. http://www.eweek.com/c/a/Security/PayPal-Plans-to-Ban-Unsafe-Browsers/

MPAA SUES ALLEGED MOVIE PIRATE SITE (Reuters, 19 April 2008) - The Motion Picture Association of America on Thursday sued Pullmylink.com, a Web site featuring links to free -- and allegedly pirated -- movies and TV shows, claiming the site promotes and profits from copyright infringement. The lawsuit, filed in Los Angeles federal court, is the seventh action filed by the MPAA against content aggregators in the United States since late last year and is part of a larger anti-piracy campaign that included a criminal raid on the UK headquarters of one such site, TV Links. The campaign against sites that link to, but do not host, illegal content has raised some eyebrows with critics asking why the association doesn’t go after the host sites or Internet search engines such as Google.com, which owns video sharing site YouTube.com. http://www.pcworld.com/article/id,144846-c,copyright/article.html

NEW JERSEY COURT REQUIRES SUBPOENA FOR INTERNET SUBSCRIBER RECORDS (SiliconValley.com, 21 April 2008) - Internet service providers must not release personal information about users in New Jersey without a valid subpoena, even to police, the state’s highest court ruled today. New Jersey’s Supreme Court found that the state’s constitution gives greater protection against unreasonable searches and seizures than the U.S. Constitution. The court ruled that Internet providers should not disclose private information to anyone without a subpoena. A Washington lawyer who handles Internet litigation, Megan E. Gray, said the ruling “seems to be consistent with a trend nationwide, but not a strong trend.” Grayson Barber, a lawyer representing the American Civil Liberties Union, Electronic Frontier Foundation and the Electronic Privacy Information Center, among other groups that filed friend-of-the-court briefs in the case, said it was the first ruling in the nation to recognize a reasonable expectation of privacy for Internet users. http://origin.siliconvalley.com/news/ci_9004014?nclick_check=1 Court’s ruling here: http://www.steptoe.com/assets/attachments/2823.pdf

COGECO RANKS POORLY IN INTERNET INTERFERENCE REPORT (CBC, 22 April 2008) - Cogeco Inc., Canada’s sixth largest internet service provider, has ranked second worst in the world for traffic interference in a study by Vuze, an online video company. Next to Comcast Corp., the largest U.S. ISP, Montreal-based Cogeco had the highest internet reset connection rate in a study conducted by Vuze. Internet resets are a commonly used method of traffic shaping and interference with peer-to-peer applications such as BitTorrent, Vuze said. A reset occurs naturally when a communication link between computers cannot be made. ISPs engaged in traffic shaping, however, have introduced “false resets” to purposely block or slow uses of peer-to-peer software, Vuze said. While the company said its study cannot distinguish between natural and false resets, ISPs ranking high on the list are likely using the technique to purposely interfere with peer-to-peer traffic. “We are not aware of any normal conditions that would cause the disproportionately large variances in reset activity shown in the data in the data sets of this size,” the report said. “We believe that in most cases there is sufficient data to at least raise questions about whether particular network operators are taking steps to artificially interrupt network connections.” Palo Alto, Calif.-based Vuze, which uses BitTorrent to legally distribute video and games, has written to Cogeco requesting that the company spell out how it manages its network. http://www.cbc.ca/technology/story/2008/04/22/tech-vuze.html

HANNAFORD TO SPEND ‘MILLIONS’ ON IT SECURITY UPGRADES AFTER BREACH (ComputerWorld, 22 April 2008) - Executives at Hannaford Bros. Co. said today that the grocer expects to spend “millions” of dollars on IT security upgrades in the wake of the recent network intrusion that resulted in the theft of up to 4.2 million credit and debit card numbers from its systems. The planned upgrades include the installation of new intrusion-prevention systems that will monitor activities on Hannaford’s network and the individual systems at its stores, plus the deployment of PIN pad devices featuring Triple DES encryption support in store checkout aisles. Hannaford also has signed on IBM to do around-the-clock network monitoring under a managed security services deal, according to Ron Hodge, the grocer’s president and CEO, and Bill Homa, its CIO. In addition, the Scarborough, Maine-based company had said previously that it had replaced all of the servers in its stores as part of an effort to rid its network of malware that was placed on them during the intrusion. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9079652&source=rss_topic146

NO SUSPICION NEEDED TO SEARCH LAPTOPS AT U.S. BORDERS, SAYS NINTH CIRCUIT (ComputerWorld, 22 April 2008) - In a ruling that’s likely to come as a disappointment for privacy rights advocates, the U.S. Court of Appeals for the Ninth Circuit this week held that customs officers need no reasonable suspicion to search through the contents of any individual’s laptop at the country’s borders. The ruling reversed an earlier decision by the U.S. District Court for the Central District of California, which had granted a motion seeking to suppress evidence gathered from such a search in a case involving child pornography. In arriving at that decision, the district court ruled that customs officers indeed did need to have reasonable or particularized suspicion for searching through laptops at U.S. borders. The Ninth Circuit yesterday rejected Arnold’s arguments that reasonable suspicion was needed to search a computer because of its ability to store large amounts of data, ideas, e-mail, chats and Web-surfing habits. It also rejected Arnold’s argument that a higher level of suspicion was needed for computer searches at the border because of the risk of “expressive material” being exposed in such searches. “We are satisfied that reasonable suspicion is not needed for customs officials to search a laptop or other personal electronic storage devices at the border,” noted Judge Diarmuid O’Scannlain, who wrote the opinion of the three-judge panel. In writing the opinion of the appeals court, Judge O’Scannlain cited numerous cases to show that courts have long upheld suspicion-less searches of closed containers and their contents at U.S. borders. These include searches of items such as a traveler’s briefcase, purse, wallet or pockets. Citing one such case, Judge O’Scannlain noted that generally, “searches made at the border ... are reasonable simply by virtue of the fact that they occur at the border.” http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9079738&source=rss_topic146 Opinion here: http://www.ca9.uscourts.gov/ca9/newopinions.nsf/6D5D931898D8168188257432005AC9B8/$file/0650581.pdf?openelement [Editor: good analysis by Orin Kerr here: http://volokh.com/posts/1208829306.shtml; ComputerWorld has suggested best-practices for international business travelers here: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9082318&pageNumber=2]

FRENCH COURT EVISCERATES WEBSITE IMMUNITY FOR USER-GENERATED CONTENT (Steptoe & Johnson’s E-Commerce Law Week, 24 April 2008) - In France, as in the United States, Internet companies are supposed to enjoy legal protection from suits over content provided by third parties. But, if recent U.S. decisions have chipped away at the immunity available to websites under section 230(c)(1) of the Communications Decency Act, a recent French decision has blown a gaping hole in the defenses available under French law. Article 6-I-2 of the French Law for Confidence in the Digital Economy (LCEN) (which mirrors Article 14 of the EU E-Commerce Directive) states that public providers of “communications services” cannot be held liable for “information stored at the request of a recipient of those services” if the provider “did not have actual knowledge of [the] illegal nature” of the information, or if the provider “acted expeditiously to remove the data or make access impossible” after learning of its illegality. But the Paris Court of First Instance held last month that Bloobox.net was not immune for hosting a user-submitted link on its Fuzz.fr service, and was liable as an editor for its putative involvement in the “organization and presentation” of the link and associated headline. This decision extends a trend in which European courts have increasingly been willing to find Internet companies liable for user-generated content. If this trend continues, websites and Internet providers will be looking at major legal problems in Europe. http://www.steptoe.com/publications-5275.html

COURT’S RULING COULD HELP PLAINTIFFS SHOW “INJURY-IN-FACT” IN DATA BREACH SUITS (Steptoe & Johnson’s E-Commerce Law Week, 24 April 2008) - For the plaintiffs’ bar, winning damages for those whose personal information has been compromised in a data breach has been an uphill battle. As we’ve previously reported, most courts have refused to grant plaintiffs in such cases standing without evidence that the breach has caused identity theft or financial harm, and held that allegations of emotional distress or increased risk of future harm do not sufficiently state an “injury-in-fact.” But, in American Federation of Government Employees v. Hawley, the U.S. District Court for the District of Columbia recently held that four Transportation Security Administration security officers could sue the TSA, its Administrator Kip Hawley, the Department of Homeland Security, and DHS Secretary Michael Chertoff for an alleged violation of the Privacy Act stemming from TSA’s loss of a hard drive containing personnel data for 100,000 individuals -- despite the fact that the plaintiffs alleged only a variety of emotional harms but not “current, actual, financial loss.” Although the court’s holding was limited to the Privacy Act, which applies to government agencies, the court’s rationale could be persuasive to courts hearing data breach suits against private companies. http://www.steptoe.com/publications-5275.html

- and -

COURT’S RULING COULD ENCOURAGE MORE DATA BREACH LAWSUITS (Steptoe & Johnson’s E-Commerce Law Week, 8 May 2008) - A recent ruling by a federal court in California could help plaintiffs establish standing in data breach cases based solely on a risk of future harm. In Ruiz v. Gap, Inc., the court ruled that plaintiff Joel Ruiz, by asserting that the defendant’s loss of his social security number placed him “at an increased risk of identity theft,” had pleaded an “injury in fact” sufficient to preliminarily establish standing and survive a motion to dismiss his negligence claim. As we’ve previously reported, most courts have refused to grant plaintiffs in such cases standing without evidence that the breach caused identity theft or financial harm, and have held that allegations of emotional distress or increased risk of future harm do not sufficiently state an “injury-in-fact.” The court’s ruling in Ruiz, however, would mean that plaintiffs could force defendants in simple breach cases to undergo discovery and protracted litigation, even if they never were able to prove injury in fact or damages. This increases the settlement value of such cases to the plaintiffs’ bar, making breach suits more likely even where there is not a substantial risk of identity theft. http://www.steptoe.com/publications-5309.html Ruiz decision here: http://www.steptoe.com/assets/attachments/3392.pdf

JUSTICE DEPT. SEES SURGE IN GLOBAL CRIME NETWORKS (Washington Post, 24 April 2008) - At least three times this year, from a computer station in Romania, a hacker nicknamed Vladuz posed as an eBay customer service representative in a bid to steal sensitive information from Americans who visited the popular auction Web site. The man, part of a fraud ring controlled by a foreign criminal syndicate, was captured by Romanian police last week with the help of agents from the FBI and the Secret Service. Justice Department officials cited the case of Vladuz, also known as Vlad Duiculescu, to sound an alarm yesterday about a resurgence in organized crime that recognizes no national borders. Speaking to an audience at the Center for Strategic and International Studies, Attorney General Michael B. Mukasey offered praise for the successful efforts by Robert F. Kennedy decades ago to break the back of the Italian American mafia but told listeners that the current threat from international syndicates poses even greater challenges. The new breed of criminals is “more sophisticated, they are richer, they have greater influence over government and political institutions worldwide, and they are savvier about using the latest technology, first to perpetrate and then to cover up their crimes,” Mukasey said. Justice Department officials said yesterday that criminal elements were attempting to penetrate the energy sector, furnish weapons to terrorists and wreak havoc on the U.S. economy by using computers and shell companies to launder money and peddle phony goods. They said that judgment stemmed from a classified threat assessment and data from criminal investigations. In response, the Justice Department’s Organized Crime Council has held regular briefings for the first time in 15 years to forge a new strategy. At present, 120 prosecutors and FBI agents and analysts are working on organized crime issues. Department officials say they want to leverage those resources and work more closely with foreign counterparts and their own colleagues in the ranks of such departments as Treasury, State and Labor. http://www.washingtonpost.com/wp-dyn/content/article/2008/04/23/AR2008042303624.html

FBI’S NET SURVEILLANCE PROPOSAL RAISES PRIVACY, LEGAL CONCERNS (CNET, 25 April 2008) - The FBI director and a Republican congressman sketched out a far-reaching plan this week for warrantless surveillance of the Internet. During a House of Representatives Judiciary Committee hearing, the FBI’s Robert Mueller and Rep. Darrell Issa of California talked about what amounts to a two-step approach. Step 1 involves asking Internet service providers to open their networks to the FBI voluntarily; step 2 would be a federal law forcing companies to do just that. Both have their problems, legal and practical, but let’s look at step 1 first. Issa suggested that Internet providers could get “consent from every single person who signed up to operate under their auspices” for federal police to monitor network traffic for attempts to steal personal information and national secrets. Mueller said “legislation has to be developed” for “some omnibus search capability, utilizing filters that would identify the illegal activity as it comes through and give us the ability to pre-empt” it. These are remarkable statements. The clearest reading of them points to deep packet inspection of network traffic--akin to the measures Comcast took against BitTorrent and to what Phorm in the United Kingdom has done, in terms of advertising--plus additional processing to detect and thwart any “illegal activity.” “That’s very troubling,” said Greg Nojeim, director of the project on freedom, security, and technology at the Center for Democracy and Technology. “It could be an effort to achieve, through unknowing consent, permission to monitor communications in a way that would otherwise be prohibited by law.” Unfortunately, neither Issa nor Mueller recognized that such a plan is probably illegal. California law, for instance, says anyone who “intentionally and without the consent of all parties to a confidential communication” conducts electronic surveillance shall be imprisoned for one year. (I say “probably illegal” because their exchange didn’t offer much in the way of details.) “I think there’s a substantial problem with what Mueller’s proposing,” said Al Gidari, a partner at the Perkins Coie law firm who represents telecommunications providers. “He forgets the states have the power to pass more restrictive rules, and 12 of them have. He also forgets that we live in a global world, and the rest of the world doesn’t quite see eye to eye on this issue. That consent would be of dubious validity in Europe, for instance, where many of our customers reside.” http://www.news.com/8301-13578_3-9929085-38.html

LAURA BERG’S LETTER (New York Times Editorial, 27 April 2008) - The PEN American Center, the literary organization committed to free expression, is honoring an American most people in this country have never read or even heard of: Laura Berg. She is a psychiatric nurse at a Veterans Affairs hospital who was threatened with a sedition investigation after she wrote a letter to the editor denouncing the Bush administration’s bungling of Hurricane Katrina and the Iraq war. That’s right, sedition: inciting rebellion against the government. We suppose nothing should surprise us in these days of government zealotry. But the horror and the shame of that witch hunt should shock everyone. Ms. Berg identified herself as a V.A. nurse when, soon after Katrina’s horrors, she sent her impassioned letter to The Alibi, a paper in Albuquerque. “I am furious with the tragically misplaced priorities and criminal negligence of this government,” she wrote. “We need to wake up and get real here, and act forcefully to remove a government administration playing games of smoke and mirrors and vicious deceit.” Her superiors at the hospital soon alerted the Federal Bureau of Investigation and impounded her office computer, where she keeps the case files of war-scarred veterans she treats. Then she received an official warning in which a Veterans Affairs investigator intoned that her letter “potentially represents sedition.” It took civil rights litigators and Senator Jeff Bingaman of New Mexico to “act forcefully” in reminding the government of the Constitution and her right to free speech. The Department of Veterans Affairs retreated then finally apologized to the shaken Ms. Berg. Even then, she noted, one superior told her it was preferred that she not identify herself as a V.A. nurse in any future letter writing. “And so I am saying I am a V.A. nurse,” Ms. Berg soon boomed out in a radio broadcast. “And some of my fire in writing this about Katrina and Iraq is from my experience as a V.A. nurse.” Thus declared Ms. Berg, well chosen to receive the new PEN/Katherine Anne Porter First Amendment Award. http://www.nytimes.com/2008/04/27/opinion/27sun3.html?_r=1&ref=opinion&oref=slogin

COURT REJECTS RIAA’S ‘MAKING AVAILABLE’ PIRACY ARGUMENT (CNET, 29 April 2008) - The recording industry’s music piracy fight was dealt a setback Tuesday when a federal judge rejected the RIAA’s “making available” argument in a lawsuit against a husband and wife accused of copyright infringement. In Atlantic v. Howell, Judge Neil V. Wake denied the labels’ motion for summary judgment in a 17-page decision (PDF), allowing the suit to proceed to trial. The argument--that merely the act of making music files available for download constituted copyright infringement--has been the basis for the Recording Industry Association of America’s legal battle against online music piracy. http://www.news.com/8301-10784_3-9932004-7.html Court’s ruling here: http://www.ilrweb.com/viewILRPDF.asp?filename=atlantic_howell_080429Decision

WIRETAPS UP 20 PERCENT IN 2007 (U.S. Courts, 30 April 2008) - The number of intercepted wire, oral or electronic communications — also known as wiretaps — authorized by federal and state courts in 2007 was 20 percent higher than in 2006. Courts issued 2,208 such orders in 2007, compared to 1,839 in 2006, according to The 2007 Wiretap Report. http://www.uscourts.gov/Press_Releases/2008/wiretap.cfm Report at http://www.uscourts.gov/wiretap07/2007WTText.pdf Excerpts from the report: “The number of wiretaps reported increased 20 percent in 2007. A total of 2,208 applications were reported as authorized in 2007, including 457 submitted to federal judges and 1,751 to state judges. No applications were denied. The number of applications for orders by federal authorities fell less than 1 percent to 457. The number of applications reported by state prosecuting officials grew 27 percent to 1,751, with 24 states providing reports, 1 more than in 2006. Installed wiretaps were in operation an average of 44 days per wiretap in 2007, compared to 40 days in 2006. The average number of persons whose communications were intercepted decreased from 122 per wiretap order in 2006 to 94 per wiretap order in 2007. The average percentage of intercepted communications that were incriminating was 30 percent in 2007, compared to 20 percent in 2006. In 2007, no instances were reported of encryption encountered during any federal or state wiretap.”

CYBERWARFARE: DARPA’S NEW ‘SPACE RACE’ (Wired, 1 May 2008) - The Defense Advance Research Projects Agency, or Darpa, was created 50 years ago, in response to the Soviets’ launch of Sputnik. In less than a year, Darpa put together the infrastructure that guided the American space effort for decades to come. Now, Darpa has been given new marching orders: to help America fight and win battles online. Under a directive signed by the President -- and OK’d by Congress -- nearly every arm of the government’s security apparatus is starting work on a massive national cybersecurity initiative, designed to protect the United States from electronic attack (and strike at adversaries online, as well). Darpa’s role: Create a cyberwarfare range where all these new forms of electronic combat can be tried out. According to a defense official familiar with the program: “Congress has given DARPA a direct order; that’s only happened once before -- with the Sputnik program in the ‘50s.” Danger Room’s sister blog, Threat Level, has a good writeup of the cybersecurity initiative, which has been labeled as a Manhattan Project-type effort (a similar label was used for the Pentagon’s work against IEDs, though it’s not clear the parallel is as real as some might hope). In the case of cybersecurity, there is at least talk of big money: about $30 billion, Danger Room is told. For its part, Darpa’s “National Cyber Range” would create a virtual environment where the Defense Department can mock real warfare, both defense and offense. http://blog.wired.com/defense/2008/05/the-pentagon-wa.html ThreatLevel’s write-up: http://blog.wired.com/27bstroke6/2008/04/feds-cyber-cent.html

- and -

AVATARS, VIRTUAL REALITY TECHNOLOGY, AND THE U.S. MILITARY: EMERGING POLICY ISSUES (Congressional Research Service, 9 April 2008) - This report describes virtual reality technology, which uses three-dimensional user-generated content, and its use by the U.S. military and intelligence community for training and other purposes. Both the military and private sector use this new technology, but terrorist groups may also be using it to train more realistically for future attacks, while still avoiding detection on the Internet. The issues for Congress to consider may include the cost-benefit implications of this technology, whether sufficient resources are available for the communications infrastructure needed to support expanded use of virtual reality technology, and whether there might be national security considerations if the United States falls behind other nations in developing or adopting this new technology. This report will be updated as events warrant. http://www.fas.org/sgp/crs/natsec/RS22857.pdf [Editor: the USG is beginning a detailed analysis of legal, policy, and technical implications from VR applications.]

- and -

INTERNET STRATEGY SAID NEEDED TO LIMIT TERRORISM (FCW, 8 May 2008) - The government should create a coordinated communications strategy to counter extremist groups’ growing use of the Internet to recruit, communicate and train potential terrorists, according to a report released today by the Senate Committee on Homeland Security and Governmental Affairs. The report, “Violent Islamist Extremism, The Internet and The Homegrown Terrorist Threat,” said the government has not developed or implemented a plan to counter terrorist groups that increasingly rely on the Internet to further their goals. The report noted that “immense caches of information and propaganda are available online” and raised questions about what an appropriate plan to deal with the threat should entail. “The long term goal of the strategy must be to isolate and discredit the ideology as a cause worthy of support,” Sens. Joseph Lieberman (I-Conn) and Susan Collins (R-Maine) said in a statement. “Federal, state and local officials, as well as Muslim American community and religious leaders and other private sector actors, must all play a prominent role in discrediting the terrorist message.” http://www.fcw.com/online/news/152482-1.html Report at: http://hsgac.senate.gov/public/_files/IslamistReport.pdf

FEDERAL JUDGE SETS FORMULA FOR INTERNET MUSIC ROYALTIES (Wired, 1 May 2008) - A federal court on Wednesday established a formula for determining the Internet royalties owed to thousands of music composers, writers and publishers by three major online services - Yahoo Inc., AOL and RealNetworks Inc. The American Society of Composers, Authors and Publishers hailed the decision, estimating the guidelines could yield as much as $100 million in payments covering a seven-year period ending in 2009. The trade group, known as ASCAP, had contended that its 320,000 members weren’t being properly compensated for musical works that helped drive traffic and increase revenue for Yahoo, Time Warner Inc.’s AOL and RealNetworks. Wednesday’s ruling, issued by a federal judge in New York, doesn’t affect the royalties owed to record companies. A representative for the Digital Media Association, a trade group representing the Internet services, declined to comment on the ruling late Wednesday. U.S. District Judge William Conner’s 153-page decision didn’t specify the total amount owed to the ASCAP members, but he provided an example on how the formula would apply to the music royalties owed by AOL and Yahoo for 2006. Under the formula endorsed by Conner, AOL owed 2006 fees of $5.95 million and Yahoo owed $6.76 million. http://news.wired.com/dynamic/stories/O/ONLINE_MUSIC_ROYALTIES?SITE=WIRE&SECTION=HOME&TEMPLATE=DEFAULT

DO THE RICH PAY TAXES? ITALY TELLS ALL (New York Times, 2 May 2008) - Many Italians’ attitude toward taxes runs something like this: Why should I pay if no one else does? Evasion is so common that landlords often demand two leases: one private with the actual amount expected, the other far lower and submitted to the authorities. Both, bafflingly, are vetted by lawyers. But for a few hours this week, all was laid bare with a technological bluntness unaccustomed here. The departing government of Romano Prodi, the center-left prime minister, on Wednesday posted the returns for all 40 million Italians who paid taxes in 2005. The Web site was instantly jammed to the point that few could actually see the data, but enough leaked out, with people spying on their neighbors and the rich and famous alike. By some accounts, the fashion designer Giorgio Armani paid the most, 19 million euros ($29 million) on 44 million euros ($68 million) in income. Some advocacy groups praised the site as a rare exercise in transparency. But many more were outraged, and the site was closed down a few hours after it went public. Vincenzo Visco, the departing deputy finance minister, said it was all part of a government effort to crack down on tax evasion. The site was supposed to go public in January, he said, but was delayed because of elections, won last month by Silvio Berlusconi, who had twice been prime minister. Though the official tax site went dead, it lives on virtually. Italian newspapers reported Thursday that it had been copied — and posted — as grist for curiosity and the next stage for tax compliance here. http://www.nytimes.com/2008/05/02/world/europe/02italy.html?ref=world

SOLDIER IN AFGHANISTAN ACCIDENTALLY CALLS PARENTS IN THE MIDDLE OF A BATTLE (TechDirt, 7 May 2008) - Most folks have experienced “accidental” phone calls, when a poorly designed mobile phone interface leads to a phone in a pocket somewhere accidentally redialing the last number called. Every once in a while you hear stories about it happening at very inappropriate times. But Jeff Nolan points us to an extreme such case. An American soldier in Afghanistan accidentally dialed his parents’ phone number in Oregon, just as he was in the middle of a battle. His parents weren’t home, but the message was recorded on their voicemail, including (as you might expect) guns firing, lots of swearing, and the son yelling about problems he was having with his gun as well as the need for more ammunition. Even worse, the call cut off just as another soldier yelled “Incoming! RPG!” As you might imagine, the parents were a bit freaked out, but eventually reached their son, who says he’s a bit embarrassed by the whole ordeal. Yet another reminder to make sure to “lock” the keypad on your phone. http://techdirt.com/articles/20080506/1156311045.shtml

CT RULES FILE SHARER MAY NOT RETAIN ANONYMITY ON FIRST AMENDMENT GROUNDS (BNA’s Internet Law News, 8 May 2008) - BNA’s Electronic Commerce & Law Report reports that the U.S. District Court for the District of Columbia has ruled that a student accused of copyright infringement has minimal expectation of privacy under the First Amendment when allegedly using a public online peer-to-peer network to disseminate copyrighted sound recordings. Because the student did not have a legitimate expectation of privacy, the student cannot invoke his First Amendment rights to anonymous speech to quash a subpoena seeking to identify him from his IP address, Judge Colleen Kollar-Kotelly held. The case name is Arista Records LLC v. Does 1-19.

WHEN FERPA AFFECTS IT (InsideHigherEd, 8 May 2008) - In late March, when the U.S. Department of Education released its proposed changes to regulations that govern the Family Educational Rights and Privacy Act, most of the attention focused on the latitude granted (or, in some cases, reiterated post-Virginia Tech) to college officials for determining in what circumstances and to whom students’ information could be disclosed. Since then, both offline and in online list discussions, information technology and network security officers have debated the impact of the rules on more mundane — but potentially just as relevant — functions of colleges’ day-to-day operations. Those discussions shifted to a more formal venue on Wednesday at Educause’s annual policy conference on the federal information technology agenda for higher education. The nonprofit group, which supports the “intelligent use of information technology,” was finalizing its own recommendations to the Education Department, due today, that would be included along with other signatories in an umbrella document from the American Council on Education. At a morning session called “The IT Implications of Proposed FERPA Regulations,” officials from several organizations discussed an overview of the potential changes, offering in some cases minor tweaks — and in others, major criticisms — of specific rules. Much of the discussion centered on what colleges elect to publicize as directory information. As defined by current regulations, “directory information” that “would not generally be considered harmful or an invasion of privacy if disclosed” — assuming students have been notified upon enrollment and can opt out of disclosure — includes names, addresses, phone numbers, e-mail addresses and photos. Other private data, such as grades and disciplinary history, cannot be included in directory information, whether accessible freely online or not. 
Until now, the rules haven’t specified whether students’ Social Security numbers, and the proprietary ID numbers many colleges assign to students, fall into the “directory information” category. The proposed changes specifically bar both numbers from that designation, which many officials have called a commonsense step but that may also result in unintended effects. http://insidehighered.com/news/2008/05/08/ferpa Proposed Rule changes (from 24 March 2008): http://a257.g.akamaitech.net/7/257/2422/01jan20081800/edocket.access.gpo.gov/2008/E8-5790.htm

MYSPACE TO LET USERS SHARE PROFILE ACROSS THE NET (Reuters, 8 May 2008) - News Corp’s MySpace social network will let users choose to share their public profile information, such as pictures, videos, and text, across the Web to spread its service beyond its own borders. At launch, the new “data availability” function will let users share their information on sites owned by Yahoo Inc, eBay Inc, Twitter and its own Photobucket, MySpace Chief Operating Officer Amit Kapur told Reuters in a phone interview. “MySpace no longer operates as an isolated island on the Internet,” Kapur said. “The walls are coming down.” MySpace’s decision to make its user data available is part of a Web-wide move to adopt open standards. Along with other big companies including Google Inc and Yahoo, MySpace has backed the OpenSocial network, which aims to create a set of technological specifications that lets software developers build games, photo shows and other applications that can run on any network. MySpace users will be able to control where and what types of information will be shared, a feature that can be turned on and off at any time. MySpace is also restricting other sites from storing user data from MySpace users. People who sign up to Twitter, which lets users publish quick messages on a Web site, will not have to retype their information or upload pictures of themselves onto the new site again even if the information is changed on MySpace. The reverse won’t work, however. http://news.yahoo.com/s/nm/20080508/wr_nm/newscorp_myspace_dc_5;_ylt=AmTx8QYM6.0w_fuyO2Z6o78E1vAI [Editor: This may be significant - federated identity management is increasingly important, and first-movers may occupy an important niche. See www.projectliberty.org for related ideas.]

- and -

FACEBOOK TO LET USERS CARRY PROFILES WITH THEM (AP, 9 May 2008) - Facebook Inc. is loosening its grip on millions of personal profiles to allow inhabitants of its popular Internet hangout to transplant the information and applications to other Web sites. Facebook, which has about 70 million users worldwide, unveiled its plans the day after its bigger rival, News Corp.’s MySpace, made a similar commitment. Unlike MySpace, which has about 200 million users worldwide, Palo Alto-based Facebook plans to allow users to take their personal profiles to any Web site that wants to host them. For starters, MySpace is opening user profiles only to a select group of sites, including leading destinations owned by Yahoo Inc. and eBay Inc. The transition poses a risk for Facebook and MySpace because they are effectively tearing down the barriers that sequestered the personal profiles on their sites. This so-called “walled-garden” approach kept people coming back to the sites and sticking around, creating a magnetism that appeals to advertisers. But pressure to offer portable profiles has been building as people have embraced the Internet as a convenient way to swap personal information and interests. Internet search leader Google Inc. waded into the fray last year by creating a network that’s supposed to make it easier to share music, pictures, video and other personal interests on a range of online hangouts. MySpace joined the Google system, known as OpenSocial, but Facebook hasn’t. http://news.yahoo.com/s/ap/20080509/ap_on_hi_te/open_facebook_4;_ylt=AqSJ4Z2xVJUUwCWQbrvB47IE1vAI

INTERNET ARCHIVE BEATS BACK FBI’S DEMAND FOR SUBSCRIBER DATA (Law.com, 8 May 2008) - The FBI has agreed to drop its demand that a San Francisco-based Internet library turn over subscriber information, according to court documents unsealed Monday. As part of a settlement, the FBI also agreed that its previously secret efforts could be publicized. The bureau served the Internet Archive -- whose Wayback Machine page allows viewers to see old versions of millions of Web pages -- with a national security letter in November 2007, but under the terms of a settlement reached between the two in April, the FBI has withdrawn the letter and agreed to make most of its contents public. Kurt Opsahl, a staff attorney with San Francisco’s Electronic Frontier Foundation who helped represent the archive, said he believes the victory is only the fourth successful challenge to a national security letter. The FBI said the letter to the archive was part of a national security investigation and that they “permit the FBI to gather the basic building blocks for our counterterrorism and counterintelligence investigations,” according to a statement by Assistant Director John Miller. http://www.law.com/jsp/article.jsp?id=1202421212345 Note: The Internet Archive challenged the order “based on a provision of the reauthorized USA Patriot Act, which protects libraries from such requests.”

HACKERS’ POSTS ON EPILEPSY FORUM CAUSE MIGRAINES, SEIZURES (Sydney Morning Herald, 8 May 2008) - Computer attacks typically don’t inflict physical pain on their victims. But in a rare example of an attack apparently motivated by malice rather than money, hackers recently bombarded the Epilepsy Foundation’s Web site with hundreds of pictures and links to pages with rapidly flashing images. The breach triggered severe migraines and near-seizure reactions in some site visitors who viewed the images. People with photosensitive epilepsy can get seizures when they’re exposed to flickering images, a response also caused by some video games and cartoons. “They were out to create seizures,” said Ken Lowenberg, senior director of Web and print publishing for the foundation. He said legitimate users are no longer able to post animated images to the support forum or create direct links to other sites, and it is now moderated around the clock. He said the FBI is investigating the breach. In a similar attack this year, a piece of malicious code was released that disabled software that reads text aloud from a computer screen for blind and visually impaired people. That attack appeared to have been designed to cripple the computers of people using illegal copies of the software, researchers said. http://news.smh.com.au/hackers-posts-on-epilepsy-forum-cause-migraines-seizures/20080508-2c4w.html

F.B.I. SAYS THE MILITARY HAD BOGUS COMPUTER GEAR (New York Times, 9 May 2008) - Counterfeit products are a routine threat for the electronics industry. However, the more sinister specter of an electronic Trojan horse, lurking in the circuitry of a computer or a network router and allowing attackers clandestine access or control, was raised again recently by the F.B.I. and the Pentagon. The new law enforcement and national security concerns were prompted by Operation Cisco Raider, which has led to 15 criminal cases involving counterfeit products bought in part by military agencies, military contractors and electric power companies in the United States. Over the two-year operation, 36 search warrants have been executed, resulting in the discovery of 3,500 counterfeit Cisco network components with an estimated retail value of more than $3.5 million, the F.B.I. said in a statement. The F.B.I. is still not certain whether the ring’s actions were for profit or part of a state-sponsored intelligence effort. The potential threat, according to the F.B.I. agents who gave a briefing at the Office of Management and Budget on Jan. 11, includes the remote jamming of supposedly secure computer networks and gaining access to supposedly highly secure systems. Contents of the briefing were contained in a PowerPoint presentation leaked to a Web site, Above Top Secret. http://www.nytimes.com/2008/05/09/technology/09cisco.html?_r=1&partner=rssyahoo&emc=rss&oref=slogin

**** RESOURCES ****
OPINION ON DATA PROTECTION ISSUES RELATED TO SEARCH ENGINES (EU Working Party 29, 4 April 2008) -- Search engines have become a part of the daily life of individuals using the Internet and information retrieval technologies. The Article 29 Working Party recognises the usefulness of search engines and acknowledges their importance. In this Opinion the Working Party identifies a clear set of responsibilities under the Data Protection Directive (95/46/EC) for search engine providers as controllers of user data. As providers of content data (i.e. the index of search results), European data protection law also applies to search engines in specific situations, for example if they offer a caching service or specialise in building profiles of individuals. http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2008/wp148_en.pdf

**** NOTED PODCASTS ****
THE CULTURAL COMMONS (Lewis Hyde, Harvard’s Berkman Center, 13 February 2007). Seventy minute podcast on Benjamin Franklin’s approach to learning, scientific exploration, and knowledge management. Explores “the genius for letting others inhabit your mind,” the copyright-ability of legal briefs (and Martin Luther King’s “I Have a Dream” speech), the Constitutional Convention, and communicative vs. proprietary language. Rated: 3 Stars. Podcast at: http://media-cyber.law.harvard.edu/AudioBerkman/lewis_hyde_2007-02-13.mp3

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. BNA’s Internet Law News, http://ecommercecenter.bna.com.
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
7. McGuire Wood’s Technology & Business Articles of Note, http://tinyurl.com/ywsusp
8. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
9. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.
