Saturday, October 25, 2008

MIRLN -- 5-25 October 2008 (v11.14)

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by KnowConnect PLLC.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.abanet.org/dch/committee.cfm?com=CL320000 (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln.

**************End of Introductory Note***************

**** ELECTION NOTES ****
Yesterday’s New York Times Editorial begins with: “Hyperbole is the currency of presidential campaigns, but this year the nation’s future truly hangs in the balance.” Of course your vote is important. AARP has produced a short video, which you can tailor for your own audience: http://aarpvote08.com/?d=VmluY2UgUG9sbGV5.

US ELECTION MAPS (going back to the year 1789): http://www.270towin.com/

VIDEOING YOUR VOTE (Harvard’s Citizen Media Law Project; 4 minutes YouTube): http://www.youtube.com/watch?v=DKhTNNXJIJQ Reference materials at http://www.citmedialaw.org/legal-guide/documenting-your-vote

**** START OF MIRLN NEWS ****
FBI Creates Knowledge Wiki (FCW, 26 Sept 2008) - The FBI is testing a new collaborative internal Web site, or wiki, called Bureaupedia that officials say will enable users to create an encyclopedia of lessons learned, best practices and subject-matter expertise. Officials see Bureaupedia as a knowledge management tool that will let agents and analysts share their experiences to ensure that their accumulated insight remains after they retire. The project is a collaborative effort between FBI’s chief knowledge officer and chief technology officer. “An agent that retires after 30 years leaves with all of that — what we call a tacit knowledge — everything leaves with him,” said Zalmai Azmi, FBI’s chief information officer, who will be retiring in October. That includes “best practices, things that he did differently, things that he wishes he had done differently.” The FBI’s new wiki uses the same open-source software as Wikipedia, and after the test period is complete, the agency will launch it on the FBI’s secure intranet, FBINet. Azmi said Bureaupedia gives the FBI a platform for capturing knowledge and information that otherwise might not be available. The information will be useful for the next administration and available through Bureaupedia, he said. An FBI spokesman said Bureaupedia will also let users link to articles in Intellipedia, the Office of the Director of National Intelligence’s wiki for the intelligence community. “The bureau has a lot of information,” Azmi said. “We have petabytes of data. Bringing all of that [onto] what we call an information grid so we can easily search is our goal for the future.” http://www.fcw.com/online/news/153926-1.html

CALIFORNIA MAKES IT A CRIME TO ‘SKIM’ RFID TAGS (ComputerWorld, 2 Oct 2008) - This week, California became the second state to enact a law making it illegal to steal data from radio frequency identification (RFID) cards. The law sets a penalty that includes a maximum fine of $1,500 and up to a year in prison for someone convicted of surreptitiously reading information from an RFID card. The California bill makes exceptions for certain emergency situations, such as permitting a health care worker to scan someone’s RFID-enabled health card in order to help the person. Also, police officers would be allowed to view information on an RFID card with a warrant. Earlier this year, Washington became the first state to pass a law against the theft of RFID data. Washington’s law makes it a class C felony to steal data from an RFID card specifically for the purpose of fraud, identity theft or other illegal purposes. If convicted under the law, a person could receive up to five years in prison and be fined as much as $10,000. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116133&source=rss_news

CONGRESSMEN FINALLY ALLOWED ON YOUTUBE (CNET, 3 Oct 2008) - Members of Congress can finally use Web sites like YouTube, after committees in both the House and Senate adopted new rules allowing members to post content outside of the .gov domain, as long as it is for official purposes. The House Rules Committee approved the change for the House of Representatives on Thursday, while the Senate Rules and Administration Committee adopted the new rules on September 19. “In addition to their official (house.gov) Web site, a member may maintain another Web site(s), channel(s) or otherwise post material on third-party Web sites,” the new House rules read. They also allow members to provide links to or embed outside content on their official sites, provided they include an exit notice indicating the visitor is leaving the House. The Senate rules also allow for links to be added to official sites. They allow senators to use any third-party site of their choice, but the senators will have an “approved list” of sites for reference. House Speaker Nancy Pelosi (D-Calif.) called the change “a significant step forward toward bringing House rules into the multimedia age and allowing for members to effectively communicate with their constituents online.” Many members of Congress have, in spite of the rules, already been posting content to YouTube. http://news.cnet.com/8301-13578_3-10058034-38.html

HOLLYWOOD SWOOPS ON PLAYSCHOOLS (Times of London, 5 Oct 2008) - Playschools have been given an unexpected lesson on copyright law after a company representing Hollywood studios demanded that each child pay a fee of €3 plus 17.5% Vat per year to watch DVDs in their playgroup. The Motion Picture Licensing Company (MPLC), which collects royalties on behalf of companies such as Walt Disney, Universal and 20th Century Fox, wrote to 2,500 playschools last month warning that it is illegal to show copyrighted DVDs in public without the correct license. The letter was sent with the approval of the Irish Preschool Play Association (IPPA), which represents the schools and their 50,000 children. The MPLC had wanted €10, plus Vat per year for each child, but the IPPA negotiated for the lower fee. Despite the reduction, playschool managers have reacted angrily to the offer of an “umbrella license” which “gives you access to 1000s of films”. “To be honest, when I got the letter with the IPPA newsletter I laughed and binned it,” said Paula Doran, manager of Kiddies Korner, a community playschool in Shankill, south Dublin. “If we brought in something like that the parents would have to pick up the costs. But I don’t like the way they went about it — once you signed up they’d automatically take money out of your account every year.” http://www.timesonline.co.uk/tol/news/world/ireland/article4882658.ece

US NATIONAL SECURITY AGENCY RELEASES SECURE SOFTWARE PROJECT TO OPEN SOURCE COMMUNITY (EarthTimes, 6 Oct 2008) - The development of highly secure, low defect software will be dramatically helped by the release of the Tokeneer research project to the open source community by the US National Security Agency (NSA). The project materials, including requirements, security target, specifications, designs, source code, and proofs are now available at www.adacore.com/tokeneer. The Tokeneer project was commissioned by the NSA from UK-based Praxis High Integrity Systems as a demonstrator of high-assurance software engineering. Developed using Praxis’ Correctness by Construction (CbyC) methodology it uses the SPARK Ada language and AdaCore’s GNAT Pro environment. The project has demonstrated how to meet or exceed Evaluation Assurance Level (EAL) 5 in the Common Criteria thus demonstrating a path towards the highest levels of security assurance. The unprecedented release of the project into the open source community aims to demonstrate how highly secure software can be developed cost-effectively, improving industrial practice and providing a starting point for teaching and academic research. Originally showcased in a conference paper in 2006, it has the long-term aim of improving the development practices of NSA’s contractors. Tokeneer was created as a fixed-price project, taking just 260 person days to create nearly 10,000 lines of high-assurance code, achieving lower development costs than traditional methods per line of code. http://www.earthtimes.org/articles/show/us-national-security-agency-releases,567377.shtml

REPORT: DATA BREACHES EXPOSE ABOUT 30M RECORDS IN ‘08 (Washington Post, 6 Oct 2008) - U.S. corporations, governments and universities reported a record 516 consumer data breaches in the first nine months of this year, incidents prompted chiefly by hackers and employee theft, according to a report released today by a nonprofit group that works to prevent fraud. The Identity Theft Resource Center, of San Diego, found that this year’s data breach tally has easily eclipsed 2007’s 446 incidents. At an average of 57 caches of consumer data reported lost or stolen each month, U.S. organizations are on track to divulge at least 680 breaches by the end of 2008. About 80 percent of the breaches involved digital records, while the remainder stemmed from the loss, theft or exposure of paper-based records. A description of each incident is available in the Identity Theft Resource Center ‘s 2008 Breach List. Some 30 million records on consumers have been exposed so far this year. But experts say that figure almost certainly masks a much larger problem, as there is currently no federal requirement for organizations that experience a data breach or loss to acknowledge precisely how many consumers nationwide may have been affected. http://voices.washingtonpost.com/securityfix/2008/10/516_data_breaches_in_2008_expo.html

E-TEXTBOOKS FOR ALL (InsideHigherEd, 7 Oct 2008) - Many observers, both in academe and in the publishing industry, believe it’s only a matter of time before electronic textbooks become the norm in college. Some campuses in particular may already be getting a glimpse of the future through partnerships with individual publishers or with consortiums. Such deals tend to offer students a choice in addition to their current options in the hope that they’ll opt for the cheaper alternative. In contrast to that model, and through a partnership with the publisher John Wiley & Sons, an experiment soon to be underway at the University of Texas at Austin will shift certain classes entirely to e-textbooks. Beginning next semester, for the initial pilot phase of one to two years, the university will cover the electronic materials for the approximately 1,000 students enrolled in a handful of courses in largely quantitative subjects such as biochemistry and accounting. By purchasing in bulk on a subscription model, the university initially hoped for a “per student per book” cost of $25 to $45. (Wiley hasn’t publicized a final price range, so it’s unclear whether it will be that low.) The idea of the “beta test,” as the university dubs it, is to see how students and faculty respond to e-textbooks and to decide whether they could be deployed on a larger scale. http://www.insidehighered.com/news/2008/10/07/ut

SEVENTH CIRCUIT RULES THAT WARRANTS FOR ELECTRONICALLY STORED COMMUNICATIONS ARE VALID NATIONWIDE (Steptoe & Johnson’s E-Commerce Law Week, 9 Oct 2008) - The Seventh Circuit recently ruled that the broader territorial jurisdiction rules that apply to warrants for the disclosure of stored communications under the Electronic Communications Privacy Act (ECPA) override the territorial restrictions on search warrants established in the Federal Rules of Criminal Procedure. In United States v. Berkos, the court found that ECPA section 2703(a) permits a court with jurisdiction over an offense to issue a search warrant for the disclosure, in any jurisdiction, of electronic communications held in storage by a communication provider for 180 days or less -- despite the fact that Federal Rule of Criminal Procedure 41(b) authorizes search warrants only for property “within the district.” The Seventh Circuit therefore upheld a district court’s ruling that a search warrant issued by a Judge in Illinois, where an investigation into the defendant’s failure to pay child support was ongoing, was valid in Texas, where it was served on a company that hosted the defendant’s websites. Given the clear language of section 2703 and the fact that at least one other federal court has reached a similar conclusion, the Seventh Circuit’s ruling is unsurprising. Nonetheless, communications providers should be aware that they can expect to be served with warrants for stored communications from any federal court in the country. http://www.steptoe.com/publications-5616.html Ruling here: http://www.steptoe.com/attachment.html/3556/527d.pdf

CT RULES SEARCH ENGINE CACHING NOT INFRINGING WHEN SITE FAILS TO OPT-OUT (BNA’s Internet Law News, 10 Oct 2008) - BNA’s Electronic Commerce & Law Report reports that a federal court in Pennsylvania has ruled that a copyright owner who makes his works freely available online and who does not opt out of search engine caching cannot successfully argue that search engines directly infringed his copyright by displaying cached copies. The court said that a copyright owner who chose not to opt out of caching had impliedly licensed search engines to create caches. Case name is Parker v. Yahoo! Inc.

BUSH SIGNS CONTROVERSIAL ANTI-PIRACY LAW (Washington Post, 13 Oct 2008) - President George W. Bush signed into law on Monday a controversial bill that would stiffen penalties for movie and music piracy at the federal level. The law creates an intellectual property czar who will report directly to the president on how to better protect copyrights both domestically and internationally. The Justice Department had argued that the creation of this position would undermine its authority. The law also toughens criminal laws against piracy and counterfeiting, although critics have argued that the measure goes too far and risks punishing people who have not infringed. The Recording Industry Association of America and Motion Picture Association of America backed the bill, as did the U.S. Chamber of Commerce. Richard Esguerra, spokesman for the Electronic Frontier Foundation, said he was relieved to see lawmakers had stripped out a measure to have the Justice Department file civil lawsuits against pirates, which would have made the attorneys “pro bono personal lawyers for the content industry.” http://www.washingtonpost.com/wp-dyn/content/article/2008/10/13/AR2008101301551.html

GERMAN COURT: GOOGLE IMAGE THUMBNAILS INFRINGE ON COPYRIGHT (ArsTechnica, 13 Oct 2008) - As much as people complain about the challenges of balancing copyrights and fair use in the US, overseas courts have been happy to provide examples that remind us that some aspects of US copyright law are actually fairly liberal. The latest such reminder comes courtesy of a case in Germany that revisits an issue that appears settled in the US: the right of image search services to create thumbnails from copyrighted works to display with the search results. The German courts have now determined that this is not OK in Germany, where Google has just lost two copyright suits over image thumbnails. This is not the first tussle of this sort that Google has been involved with. The company had initially lost a copyright case based on its creation of thumbnails from porn site Perfect 10, but ultimately prevailed on appeal in that case. Although the appeal did not clarify all the legal issues, it did determine that the creation of thumbnails fell within the exceptions granted by US copyright law for transformative use. http://arstechnica.com/news.ars/post/20081013-german-court-google-image-thumbnails-infringe-on-copyright.html Google appeals: http://www.siliconvalley.com/news/ci_10736872

OPENOFFICE.ORG LAUNCHES FIRST NATIVE MAC OS X SUITE (Computer World, 14 Oct 2008) - OpenOffice.org yesterday released the first version of its open-source application suite written for Mac OS. OpenOffice.org issued a beta of its flagship suite five months ago, but yesterday’s release marked the first final code from the open-source project that doesn’t require Mac users to install X11, a Unix windowing environment. The new OpenOffice.org 3.0 only runs on Intel-based Macs; systems powered by the older PowerPC processors can download and run an older 2.x edition that requires X11. OpenOffice.org 3.0 includes a slew of new features and improvements to the suite’s word processing, spreadsheet, presentation and database applications. Other enhancements and additions include support for the new file formats that debuted in Microsoft Office 2007 and Microsoft Office for Mac 2008. OpenOffice.org is one of the few rivals of Microsoft Corp.’s market-leading suite, Microsoft Office. The current Mac version, Office 2008 for Mac, starts at $149. Apple Inc. also sells a suite, dubbed iWork ‘08, that offers a word processor, spreadsheet and presentation maker. iWork retails for $79 for a single-user license, $99 for a five-license family pack. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117144&source=rss_news

MASSACHUSETTS FORCES BUSINESSES TO IMPLEMENT SWEEPING INFORMATION SECURITY MEASURES BY JANUARY 1, 2009 (Duane Morris Client Alert, 14 Oct 2008) - The Commonwealth of Massachusetts recently adopted regulations requiring all businesses that own, license, store or maintain personal information about a resident of Massachusetts to adopt a comprehensive, written information security program. The security program must include a computer security system that encrypts all records and files containing personal information, including all employee and consumer information. http://www.duanemorris.com/alerts/alert3005.html

EXCEL ERROR LEAVES BARCLAYS WITH MORE LEHMAN ASSETS THAN IT BARGAINED FOR (ComputerWorld, 14 Oct 2008) - A reformatting error in an Excel spreadsheet has cropped up in the largest bankruptcy case in U.S. history, prompting a legal motion by Barclays Capital Inc. to amend its deal to buy some of the assets of Lehman Brothers Holdings Inc. The law firm representing Barclays filed the motion on Friday in U.S. Bankruptcy Court for the Southern District of New York, seeking to exclude 179 Lehman contracts that it said were mistakenly included in the asset purchase agreement. The firm — Cleary Gottlieb Steen & Hamilton LLP — said in the motion that one of its first-year law associates had unknowingly added the contracts when reformatting a spreadsheet in Excel. According to the motion, Barclays sent the spreadsheet containing the list of contracts to Cleary Gottlieb at 7:48 p.m. EDT on Sept. 18. The spreadsheet — which contained almost 1,000 rows of data with a total of more than 24,000 individual cells — needed to be reformatted and converted into a PDF file so it could be posted on the bankruptcy court’s Web site before midnight. At 11:37 p.m., Cleary Gottlieb sent the converted file to the court, the motion said. However, contracts that had been marked as “hidden” in the spreadsheet when it was received by the law firm were added to the purchase offer during the reformatting process, according to the motion. Those contracts weren’t supposed to be part of the deal; they also were marked with an “N” for “No” in the original version of the spreadsheet, Cleary Gottlieb said in the motion. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117143&source=NLT_PM&nlid=8 Clear y Gottlieb motion here: http://abovethelaw.com/Barclays%20Relief%20Motion.pdf

THE MET OPERA WILL OFFER PERFORMANCES ON THE WEB (New York Times, 14 Oct 2008) - In the Metropolitan Opera’s relentless quest to exploit all media, the company next Wednesday will start making many video and audio broadcasts available for Internet streaming on demand. Met Player, as the service is called, will be available through the Met’s Web site, metopera.org. At its inauguration, on the 125th anniversary of the Met’s first show, users will be able to choose from 13 high-definition video performances, 37 standard video recordings and 120 audio broadcasts dating to 1937. The company said it planned to add performances regularly, drawing on its vast historical archives and its continuing high-definition broadcasts. The catalog features classics like a “Lucia di Lammermoor” performance with Joan Sutherland and one with Maria Callas; a “Walküre” with Birgit Nilsson as Brünnhilde; a “Trovatore” with Leontyne Price and Franco Corelli; and a “Carmen” with Rosa Ponselle, in one of her rare full-length recorded performances. More recently, there are the “Tristan und Isolde” with Deborah Voigt and Robert Dean Smith, conducted by James Levine, and “I Puritani” with Anna Netrebko, each in high definition. For $3.99 or $4.99 per streamed opera, users will have a six-hour window in which to listen to or watch a production, once it has started. A monthly subscription for $14.99 brings unlimited streaming, while a yearly subscription costs $149.99. The technical demands are relatively substantial for the high-definition videos and what the Met calls “optimal” performance: a broadband connection, naturally, as well as a fast processor (2.0 GHz Dual Core) and one gigabyte of RAM. Computers less than two years old are recommended. http://www.nytimes.com/2008/10/15/arts/music/15met.html?_r=2&partner=rssuserland&emc=rss&oref=slogin&oref=slogin

YOUTUBE, PBS URGE PEOPLE TO RECORD VOTING (SiliconValley.com, 15 Oct 2008) - If voters see problems on Election Day, YouTube and PBS want them to whip out their video cameras and throw the footage onto a new Web site for documenting voters’ experiences on Nov. 4. But the organizations also have a stern warning for overzealous would-be documentarians: Be careful of state laws about filming in or near polling places or you might wind up tossed out or in handcuffs. PBS and YouTube, Mountain View, Calif.-based Google Inc.’s popular free video-sharing site, have rolled out a new channel on YouTube for cataloguing the short videos voters are encouraged to make about their own experiences or others’ in casting their ballots. The “Video Your Vote” site encourages voters to “document the energy and excitement, as well as any problems you may see” and upload videos between 30 seconds and three minutes long. The site also has links to PBS programs on YouTube and interviews with election experts. Some problems people are encouraged to look out for include excessively long lines, glitches with voting machines or “overly aggressive” voter identification procedures. The site also links to documents from the Citizen Media Law Project outlining problems that might come from trying to record the voting process. For example, Florida, Georgia and Michigan prohibit photos and recording equipment in polling places, while in some other states the law is unclear, according to the group. Other laws restrict activities outside the polling place in designated “buffer zones,” which are typically 100 feet from the entrance or interior voting area. http://www.siliconvalley.com/news/ci_10728274?nclick_check=1

FBI TARGETS RISE IN CYBERCRIME FROM U.S. AND ABROAD (CNET, 15 Oct 2008) - The threat of cybersecurity attacks are on the rise from organized crime, terrorists, and foreign governments, an FBI official warned on Wednesday. There are a “couple dozen” countries interested in breaching U.S. networks, said Shawn Henry, assistant director of the FBI cyber division, though he declined to list any specific countries. The attempted attacks on U.S. networks are “increasingly sophisticated” and “the amount of information that has been stolen is significant,” Henry said. In particular, the use of botnets continues to increase, he said, while companies have lost tens of millions of dollars from “pump and dump” schemes in which criminals buy and sell stocks with other people’s account information harvested online. “A lot of the financial loss we see (due to) organized (crime) has increased because of the greater sense of money to be made, the awareness of the access to a greater rewards,” Henry said. http://news.cnet.com/8301-13578_3-10067330-38.html

NEW PCI DATA SECURITY STANDARD MANDATES STRONGER WIRELESS SECURITY (Steptoe & Johnson’s E-Commerce Law Week, 16 Oct 2008) - The Payment Card Industry (PCI) Security Standards Council released version 1.2 of its Data Security Standard (DSS) on October 1. As we have previously reported, the DSS requires all participating “merchants, banks, [and] POS [point of sale] vendors” -- as well as their service providers and other contractors -- to implement six sets of security requirements: build and maintain a secure network, protect card holder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. The new version of the DSS requires covered entities to ensure that “wireless networks transmitting cardholder data or connected to the cardholder data environment ... use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.” It also bars covered entities from using WEP security to protect wireless networks after June 30, 2010. In addition to enhancing security for wireless networks, version 1.2 provides standard “attestation of compliance” forms for merchants and service providers and clarifies many existing requirements and procedures. http://www.steptoe.com/publications-5664.html [Editor: How could WEP possibly satisfy a best-practice standard today, much less through June 2010?]

E-DECEPTIVE CAMPAIGN PRACTICES TECHNOLOGY REPORT RELEASED (BeSpacific.com, 20 Oct 2008) - “EPIC’s voting project releases the first report on the technology of deceptive campaign practices. Deceptive campaigns are attempts to misdirect voters regarding the voting process for public elections. Deceptive campaign activity can be false statements about polling times, date of the election, or voter identification rules. The EPIC report reviews the potential for abuse of Internet technology in an election context, and makes recommendations on steps that could be taken by Election Protection, Election Administrators, and voters to protect the integrity of the upcoming election. A legal and policy companion of the report was simultaneously released by Common Cause and the Lawyers Committee for Civil Rights Under Law. For more information, see EPIC’s Voting Privacy page and Voting Project.” http://www.bespacific.com/mt/archives/019596.html EPIC report at http://votingintegrity.org/pdf/edeceptive_report.pdf

AMERICAN AIRLINES SUES YAHOO OVER SEARCH TERMS (Washington Post, 21 Oct 2008) - American Airlines is suing Yahoo Inc. for trademark infringement, a case similar to one that the nation’s largest airline settled this summer against Google Inc. The airline complains that when computer users enter American’s trademark terms such as AAdvantage, the name of its frequent-flier program, in a search they can be directed to competitors who pay Yahoo for the traffic. American filed its lawsuit last week in U.S. District court in Fort Worth for unspecified damages, legal costs and money to run a “corrective” advertising campaign. Kelley Benander of Yahoo said, “We have confidence in our trademark policies and are prepared to defend them in court.” Yahoo’s policy allows advertisers to use the trademark terms of others only if it refers to the trademark “without creating a likelihood of consumer confusion.” American, a unit of Fort Worth-based AMR Corp., reached a confidential settlement of a similar lawsuit against Google this summer, also in federal court in Fort Worth. Each side agreed to pay its own legal fees, and American got nothing from Google. But Google searches for “American Airlines” or “AAdvantage” no longer produce paid ads along the right side of the portal screen. Google had prevailed in previous lawsuits filed by other companies over their paid search advertising practices using trademark terms. http://www.washingtonpost.com/wp-dyn/content/article/2008/10/21/AR2008102101649.html?sub=AR Eric Goldman’s commentary on this: http://blog.ericgoldman.org/archives/2008/10/american_airlin_2.htm

DUTCH YOUTHS CONVICTED OF VIRTUAL THEFT (Washington Post, 21 Oct 2008) - A Dutch court has convicted two youths of theft for stealing virtual items in a computer game and sentenced them to community service. Only a handful of such cases have been heard in the world, and they have reached varying conclusions about the legal status of “virtual goods.” The Leeuwarden District Court says the culprits, 15 and 14 years old, coerced a 13-year-old boy into transferring a “virtual amulet and a virtual mask” from the online adventure game RuneScape to their game accounts. “These virtual goods are goods (under Dutch law), so this is theft,” the court said Tuesday in a summary of its ruling. http://www.washingtonpost.com/wp-dyn/content/article/2008/10/21/AR2008102101209.html

- and -

ONLINE DIVORCEE JAILED AFTER KILLING VIRTUAL HUBBY (AP, 23 Oct 2008) - A 43-year-old Japanese woman whose sudden divorce in a virtual game world made her so angry that she killed her online husband’s digital persona has been arrested on suspicion of hacking, police said Thursday. The woman, who is jailed on suspicion of illegally accessing a computer and manipulating electronic data, used his identification and password to log onto popular interactive game “Maple Story” to carry out the virtual murder in mid-May, a police official in northern Sapporo said on condition of anonymity, citing department policy. The woman had not plotted any revenge in the real world, the official said. She has not yet been formally charged, but if convicted could face a prison term of up to five years or a fine up to $5,000. Players in “Maple Story” raise and manipulate digital images called “avatars” that represent themselves, while engaging in relationships, social activities and fighting against monsters and other obstacles. The woman used login information she got from the 33-year-old office worker when their characters were happily married, and killed the character. The man complained to police when he discovered that his beloved online avatar was dead. http://www.washingtonpost.com/wp-dyn/content/article/2008/10/23/AR2008102301184.html

COMPUTER KEYBOARDS BETRAY USERS’ KEYSTROKES TO RADIO EAVESDROPPERS (Information Week, 21 Oct 2008) - Two Swiss security researchers from the Security and Cryptography Laboratory at the Ecole Polytechnique Federale De Lausanne have published a video demonstrating how the electronic emanations from wired computer keyboards can be deciphered to reveal the user’s keystrokes. Using a laptop connected to a PS/2 keyboard, one of the researchers in the video typed the words, “Trust No One,” in a nod to fans of The X-Files. The video then shows a program receiving data from an eavesdropping antenna and then converting that data into the typed words. “We found four different ways (including the Kuhn attack) to fully or partially recover keystrokes from wired keyboards at a distance up to 20 meters, even through walls,” explain Martin Vuagnoux and Sylvain Pasini in an online post. The Kuhn attack refers to a computer security research paper published in 1998 by Markus G. Kuhn and Ross J. Anderson that describes the threat of a “Tempest virus” that “can attack computers not connected to any communication lines and situated in rooms from which the removal of storage media is prohibited.” http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=211300294&cid=RSSfeed_IWK_News

LEGAL P2P USES GROWING 10X FASTER THAN ILLEGAL ONES (ArsTechnica, 22 Oct 2008) - P2P is “starting to see a lot more legitimate uses,” says Frank Dickson of MultiMedia Intelligence. He’s talking about his company’s new report on P2P growth that projects a 400 percent increase in such Internet traffic over the next five years. But more surprising than the growth rate, which has been in decline now for some time, is the fact that it’s P2P’s lawful uses that are seeing the biggest growth. For small content providers, especially companies involved in video, paying for a content delivery network can eat up a significant chunk of revenue. Done right, P2P distribution can save valuable cash for these providers, which is why Dickson sees P2P’s lawful uses growing 10 times faster than its illicit uses. Some of this is no doubt due to the “law of small numbers”; P2P’s legal uses (transferring Linux ISO files, etc.) have always been dwarfed by its usefulness as a distribution mechanism for music and now video content. Thus, when legal applications begin to boom, it’s much easier for them to rack up big percentage numbers. ISPs aren’t necessarily crazy about this shifting of the video burden from company servers (or CDNs) onto a network of decentralized users, since this can strain the network, especially when it comes to upload links. But it’s not as though P2P is the only system straining ISP networks; as users hunger for their Hulu and their YouTube, streaming video has begun to consume shockingly high amounts of bandwidth, too—though almost totally downstream. http://arstechnica.com/news.ars/post/20081022-forecast-legal-p2p-uses-growing-10x-faster-than-illegal-ones.html

**** RESOURCES ****
PODCASTING LEGAL GUIDE (Wiki resource): The purpose of this Guide is to provide you with a general roadmap of some of the legal issues specific to podcasting. EFF has produced a very practical and helpful guide for issues related to blogging generally (http://www.eff.org/bloggers/). This Guide is not intended to duplicate efforts by EFF, and in many cases refers you to that guide for where crossover issues are addressed. Our goal is to complement EFF’s Bloggers FAQ and address some of the standalone issues that are of primary relevance to podcasters, as opposed to bloggers. http://wiki.creativecommons.org/Podcasting_Legal_Guide

**** NOTED PODCASTS ****
TECHNOLOGY’S POTENTIAL TO RESHAPE BUSINESS (Nicholas Carr and Chris Meyer, IT Conversations, 26 June 2008) – Very interesting assessment of how emerging processing hubs, connected by ubiquitous communications, might collapse organizational barriers. The discussion of P&G’s “Connect & Develop” initiative and the InnoCentive experience is fascinating; especially the finding that ideas that arise from outside and organization generally have 200% the ROI of internal ideas. The implications for breaking down barriers give real meat to the bare-bones references to “Web 2.0”, and offer a glimpse of what Google’s 12-year strategic vision might be. Two Stars; 63 minutes. http://itc.conversationsnetwork.org/shows/detail3443.html [Editor: re the InnoCentive reference, you might find interesting a LongNow Foundation podcast by Peter Diamandis on long-term X-Prizes: http://fora.tv/media/rss/Long_Now_Podcasts/podcast-2008-09-12-diamandis.mp3]

ENTERPRISE SOCIAL SOFTWARE (Christian Gray, Craig Honick; IT Conversations; 14 April 2008) – Very interesting discussion of current uses (and likely expansion) of various “social networking” tools in companies, and the knowledge-management/productivity implications. Discusses how tools (e.g., wikis, instant messaging, twitter, SecondLife, podcasts, blogging) can affect productivity and effect collaboration. Discusses inward-facing uses of these tools (e.g., within the enterprise’s firewall) and outward-facing uses (e.g., facilitating the emergence of customers’ communities). Discusses how some implementations may occur informally (e.g., using no-cost software within a department), and how such efforts may run afoul of company policies (e.g., on IP protection). Two Stars; 48 minutes. http://itc.conversationsnetwork.org/shows/detail3612.html

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. BNA’s Internet Law News, http://ecommercecenter.bna.com.
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
7. McGuire Wood’s Technology & Business Articles of Note, http://tinyurl.com/ywsusp
8. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
9. Eric Goldman’s Technology and Marketing Law Blog, http://blog.ericgoldman.org/.
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.

Saturday, October 04, 2008

MIRLN 14 September – 4 October 2008 (v11.13)

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by KnowConnect PLLC.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.abanet.org/dch/committee.cfm?com=CL320000 (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln.

**************End of Introductory Note***************

E-VOTING VENDOR: PROGRAMMING ERRORS CAUSED DROPPED VOTES (Network World, 22 August 2008) - An major electronic voting system vendor has changed its story in an attempt to explain how its machines dropped hundreds of votes in Ohio’s March primary elections, saying it was a programming error, not the fault of antivirus software. E-voting machines from Premier Election Solutions, formerly called Diebold Election Systems, dropped hundreds of votes in 11 Ohio counties during the primary election, as the machine’s memory cards uploaded to vote-counting servers. Premier originally blamed conflicts caused by antivirus software from McAfee, but the company this week said a logic error in the machines’ GEMS source code was responsible for the problem. “We now have reason to believe that the logic error in the GEMS code can cause this event when no such antivirus program is installed on the server,” Premier President Dave Byrd wrote in a Tuesday letter to Ohio Secretary of State Jennifer Brunner. “We are indeed distressed that our previous analysis of this issue was in error.” http://www.networkworld.com/news/2008/082208-e-voting-vendor-programming-errors-caused.html

JUDGE LIMITS SEARCHES USING CELLPHONE DATA (Washington Post, 12 Sept 2008) - The government must obtain a warrant based on probable cause of criminal activity before directing a wireless provider to turn over records that show where customers used their cellphones, a federal judge ruled Wednesday, in the first opinion by a federal district court on the issue. Judge Terrence F. McVerry of the Western District of Pennsylvania rejected the government’s argument that historical cellphone tower location data did not require probable cause. The ruling could begin to establish the standard for such requests, which industry lawyers say are routine as more people carry cellphones that reveal their locations. Around the country, magistrate judges, who handle matters such as search warrants, have expressed concern about the lack of guidance. http://www.washingtonpost.com/wp-dyn/content/article/2008/09/11/AR2008091103292.html

CONGRESS LIMITS SUBJECT MATTER AND INADVERTENT WAIVERS FOR ATTORNEY-CLIENT COMMUNICATIONS AND WORK PRODUCT (WilmerHale Alert, 12 Sept 2008) - On September 8, 2008, the House of Representatives joined the Senate in passing legislation that would create a new Rule of Evidence, Rule 502.1 The Rule will become effective upon the President’s signature. The primary purpose of the Rule is to reduce the costs of time-consuming privilege review. If enacted, the Rule will limit the consequences of both intentional and inadvertent disclosures of attorney-client communications and attorney work product; and allow the parties to create their own waiver rules that are binding on third parties. The theory behind the Rule is that (1) most documents produced in discovery have minimal value; (2) reviewing them in the modern era of email and electronic communication is enormously costly; and (3) attorneys worried about the consequences of waiver for even a single document must engage in time-consuming and costly privilege reviews and make strained privilege claims. The Rule attempts to address these concerns. http://wilmerhaleupdates.com/ve/ZZn90288979VZZ00w808

CANADIAN ELECTION OFFICIALS POKE AROUND FACEBOOK VOTE-SWAPPING GROUP (CBC, 12 Sept 2008) - Canada’s election watchdog is probing whether a vote-swapping group set up on Facebook is illegal or just strategic voting. The online group, titled “Anti-Harper Vote Swap Canada,” is trying to match Canadians who are willing to swap votes to keep the Conservatives from winning a majority in the Oct. 14 federal election. More than 1,200 people had become members of the group by early Friday evening, two days after its creation. The group lists 41 ridings likely to be tight races and encourages members to swap votes in order to stop Tories from winning those seats. http://www.cbc.ca/news/canadavotes/story/2008/09/12/facebook-vote-swap.html Later ruling says vote-swapping is not illegal, per se: http://www.cbc.ca/canada/story/2008/09/17/vote-swapping.html

PORN PASSED OVER AS WEB USERS BECOME SOCIAL (Reuters, 16 Sept 2008) - Social networking sites are the hottest attraction on the Internet, dethroning pornography and highlighting a major change in how people communicate, according to a web guru. Bill Tancer, a self-described “data geek,” has analyzed information for over 10 million web users to conclude that we are, in fact, what we click, with Internet searches giving an up-to-date view of how society and people are changing. Some of his findings are great trivia, such as the fact that elbows, belly button lint and ceiling fans are on the list of people’s top fears alongside social intimacy and rejection. Others give an indication of people’s interests or emotions, with an annual spike in searches for anti-depression drugs around Thanksgiving time in the United States. Tancer, in his new book, “Click: What Millions of People are Doing Online and Why It Matters,” said analyzing web searches did not just reflect what was happening online but gave a wider picture of society and people’s behavior. “There are some patterns to our Internet use that we tend to repeat very specifically and predictably, from diet searches, to prom dresses, to what we do around the holidays,” Tancer told Reuters in a telephone interview. Tancer, general manager of global research at Hitwise, an Internet tracking company, said one of the major shifts in Internet use in the past decade had been the fall off in interest in pornography or adult entertainment sites. He said surfing for porn had dropped to about 10 percent of searches from 20 percent a decade ago, and the hottest Internet searches now are for social networking sites. “As social networking traffic has increased, visits to porn sites have decreased,” said Tancer, indicated that the 18-24 year old age group particularly was searching less for porn. http://news.yahoo.com/s/nm/20080916/wr_nm/internet_book_life_dc

JUDGE: ‘HEADS WILL ROLL’ OVER WITHHELD E-MAIL (Law.com, 17 Sept 2008) - A discovery disaster threatens to derail the government’s stock options prosecution against McAfee’s former general counsel. Opening arguments had been slated for Wednesday morning in the Kent Roberts case. Instead, federal prosecutors and defense lawyers stunned the court with news that the company had just turned over highly relevant e-mails to the government the night before. Those documents should have been produced in response to a two-year old grand jury subpoena, Assistant U.S. Attorney Laurel Beeler said. Judge Marilyn Hall Patel was less than pleased. She demanded that in-house lawyers from McAfee -- along with attorneys from Howrey and Wilson Sonsini Goodrich Rosati -- show up the next day to explain why 18 pages of e-mails weren’t turned over to the government until 10:40 p.m. Tuesday night. The judge then dismissed the jury for the day so prosecutors could determine whether any other documents were withheld -- and whether the case can proceed. Wilson Sonsini represents McAfee, and Howrey conducted the company’s internal investigation. “Somewhere or another, heads will have to roll, because this is outrageous,” Patel said. http://www.law.com/jsp/article.jsp?id=1202424591001&rss=newswire

BEWARE OPEN-SOURCE VIOLATIONS LURKING IN YOUR CODE (Computerworld, 19 Sept 2008) - IT organizations that feel safe from open-source licensing violations might be wise to check their code anyway, because open-source components are rapidly seeping into applications by way of offshore and in-house developers taking shortcuts, as well as a growing population of open-source-savvy grads entering the workforce. “With all of these new aspects, open source is something companies are going to have to get their heads around,” says Anthony Armenta, vice president of engineering at Wyse Technology Inc., a maker of thin clients. It’s not just about unearthing open-source code that’s in violation of licensing, either. Open source must be managed like any other software component as security vulnerabilities arise and patches become available. Wyse has been using Palamida Inc. to track its open-source usage for the past year. Palamida checks code bases against a 6TB library of known open-source projects, fingerprints and binary files. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115183&source=rss_news

CYBER ATTACK DATA-SHARING IS LACKING, CONGRESS TOLD (Washington Post, 19 Sept 2008) - U.S. intelligence agencies are unable to share information about foreign cyber attacks against companies for fear of jeopardizing intelligence-gathering sources and methods, cyber security expert Paul B. Kurtz told lawmakers yesterday. Kurtz, who served on the National Security Council in the Clinton and Bush administrations, spoke at the first open hearing on cyber security held by the House Permanent Select Committee on Intelligence. He and other experts discussed President Bush’s Comprehensive National Cybersecurity Initiative, disclosed in January, which focuses on cyber espionage against government systems and, they said, does not adequately address the private sector. There is no coordinated strategy or mechanism for sharing intelligence about intrusions with companies, nor is there a systematic way for companies to share information with the government, said the panelists, who are members of the Center for Strategic and International Studies commission on cyber security, set up last year to advise the next administration. While certain information must remain classified, “the government needs to do better” at sharing unclassified information about cyber attacks, said Rep. Silvestre Reyes (D-Tex.), who chairs the intelligence committee. “Everyone stands to benefit from an improved two-way information flow.” http://www.washingtonpost.com/wp-dyn/content/article/2008/09/18/AR2008091803730.html

TWO-THIRDS OF FIRMS HIT BY CYBERCRIME (Security Focus, 22 Sept 2008) - The Department of Justice released data from its 2005 National Computer Security Survey last week, finding that two-thirds of firms detected at least one cybercrime during that year. More than 7,800 companies responded to the survey, which classified cybercrime into cyber attacks, cyber theft, and other incidents. The survey found that three-quarters of cyber attacks came from external sources, while insiders accounted for the same proportion of cyber thefts. More than half of companies reported a cyber theft to law-enforcement authorities, but only 6 percent of cyber attacks were reported. Computer viruses made up more than half of all cyber attacks. The survey, which was developed by the DOJ’s Bureau of Justice Statistics and the U.S. Department of Homeland Security, found that telecommunications companies and computer-system design businesses were hardest hit by cybercrime. About 90 percent of businesses that suffered an incident sustained monetary loss, and cyber theft accounted for half of the loss, according to the summary. http://www.securityfocus.com/brief/825 Survey here: http://www.ojp.usdoj.gov/bjs/pub/pdf/cb05.pdf

GOOGLE BOOK SEARCH NOW FITS ON YOUR BLOG (CNET, 22 Sept 2008) - Google has put out a cool update to its book search service that lets anyone embed entire books, or just book previews on their site. While aimed mainly at online retailers and educational institutes, it’s also a great way to drop entire public domain works onto your blog in case you want to give your visitors something more exciting to flip through than your latest ramblings. The news comes alongside some partnerships including A1Books, Books-A-Million, and The Book Depository. When you’re viewing an indexed title on any of these sites you’ll see a Google preview link that lets you peruse the innards of the book without leaving the sale page. According to a post on Google’s Book Search blog, larger retailers including Powell’s Books, Borders and Buy.com will be added “in the coming weeks.” If you’re wondering why Amazon.com is not one of the online stores to be included, it’s because it’s had this feature since late 2003. Its in-house “search inside” feature is essentially the same, although limited to titles within its catalog. Under Google’s system, any retailer would be able to get this same functionality--including the capability to let readers view the entire work with whatever titles had been indexed. Back in 2006, the two companies traded legal blows due to the suspicion that Google’s book search program was leading towards this functionality. http://news.cnet.com/8301-17939_109-10047943-2.html

MLB BACKS DOWN WHEN SOMEONE IT BULLIES EXPLAINS FAIR USE TO THEM (TechDirt, 23 Sept 2008) - For years now, Major League Baseball’s online division, MLB.com, has been over aggressive in claiming ownership and control over anything associated with Major League Baseball -- even though court after court has told them they don’t get to control everything. However, MLB just keeps on claiming ownership of things anyway, such as sending out various DMCA takedown notices to YouTube for any clip of baseball put up by anyone else. Larry Lessig has the story, though, of one fan who fought back and filed a detailed counterclaim about how his video was fair use and MLB was repeatedly abusing its power in damaging ways. Amazingly, not only did MLB relent, it featured the video it had just demanded get taken down on its own blog. To be honest, there’s a chance that the two things are unrelated, and the blogger had no idea that the parent company’s lawyers were trying to shut down the video -- but the story is a good reminder that if someone is overreaching in their takedown attempts, it can be effective to respond with a counternotice that clearly states the issues. http://techdirt.com/articles/20080922/2002012337.shtml

DHS DOCS REVEAL EXPANDED BORDER SEARCH DISCRETION (ArsTechnica, 23 Sept 2008) - Internal Department of Homeland Security Documents obtained by civil rights groups reveal that, since 2000, Customs and Border Patrol guidelines have been loosened to allow border agents significantly more latitude to question and search travelers entering the United States. Prompted by travelers’ reports of border guards increasingly probing into the political views, religious beliefs, and volunteer activities of border crossers, the Asian Law Caucus and Electronic Frontier Foundation sued the DHS in February, seeking the release of records detailing the policies that govern border searches. In June and late July, the groups obtained over 600 pages worth of documents, of which they recently issued a thorough analysis. They found that as border policies were revised in 2000 and again in 2007, restrictions on the examination, seizure, copying, and sharing of travelers’ personal effects and documents were shed. The 2007 guidelines, for example, stipulated that customs officers “may glance at documents and papers to see if they appear to be merchandise” [emphasis added], and permitted close reading only if “an officer reasonably suspects that they relate to” one of several classes of restricted materials. Probable cause, or the consent of the owner, was needed to seize or copy documents. Under the revised rules, officers may seize or copy papers or digital files for the purpose of performing a “thorough border search” without any need for individualized suspicion. The “reasonable suspicion” requirement was also dispensed with as a prerequisite for sharing seized or copied information with other agencies for translation. A memo from the Area Port of Anchorage, however, does establish that an officer who uses an imaging device to copy the contents of a digital storage medium should inform a supervisor of the “circumstances and articulable facts” justifying the copy. http://arstechnica.com/news.ars/post/20080923-dhs-docs-reveal-expanded-border-search-discretion.html

EFF: CLAIM THAT CONSENT NEEDED FOR LINKING IS “PREPOSTEROUS” (ArsTechnica, 23 Sept 2008) - Large Chicago law firm Jones Day is suing a tiny Internet startup called BlockShopper over the use of the humble hyperlink. But BlockShopper has picked up a pair of allies in the form of the EFF and Public Citizen, and the two groups jointly filed an amici curiae brief with the court that points out the obvious: “linking is what web sites do—that is, after all, why it is called the ‘World Wide Web’.” BlockShopper’s transgression, such as it is, appears to be the posting of public information. The site shows which partners, lawyers, philanthropists, and executives have purchased properties in specific city neighborhoods, and it incurred Jones Day’s legal wrath after showing the new purchases of two Jones Day lawyers. The company sued on trademark grounds, claiming that the use of its name and web link on the site were illegal. Last Friday, two public interest groups have stepped up to the plate and weighed in on the case because of its implications for the Web. The BlockShopper case has “potentially significant implications for other online speakers,” says their filing, which is putting it mildly. Should the case go in Jones Day’s favor, the entire nature of the Web could be attacked by companies looking to harass bloggers or stifle criticism. Creating a “permission-based” culture of linking would strike at the Web’s key feature. As the filing notes, “if Jones Day’s trademark theory were correct, no news site or blog could use marks to identify markholders, or links to point to further information about the markholders, without risking a lawsuit. “But,” the filing continues, “Jones Day is wrong.” http://arstechnica.com/news.ars/post/20080923-eff-claim-that-consent-needed-for-linking-is-preposterous.html

E-DISCOVERY RESPONSE REQUIRES NAVIGATION (New York Law Journal, 23 Sept 2008) - A company that responded to a discovery request by turning over more than 400,000 pages of undifferentiated documents in an electronic format must provide a “modicum” of guidance about how the material was gathered and organized, a federal magistrate judge has ruled. Magistrate Judge David E. Peebles ruled that Pass & Seymour, a Syracuse, N.Y., business, failed to either categorize the information under the document headings requested by Hubbell Incorporated, the defendant in Pass & Seymour’s copyright infringement action, or to organize the data in an intelligible way. Hubbell asked for information in what Magistrate Judge Peebles called 72 “wide-ranging and broadly worded” categories. In response, Pass & Seymour delivered the documents in 220 unlabeled computer folders -- the way the company said they were kept in “the ordinary course of business.” Peebles said that was akin to receiving 405,367 pages of documents stuffed into more than 80 bankers’ boxes. As such, the response did not meet the company’s obligation under the recently amended Rule 34(b)(2) of the Federal Rules of Civil Procedure. “A party who in response to a discovery demand has chosen to produce documents as they are ordinarily maintained must do just that - produce the documents organized as they are maintained in the ordinary course of producing party’s business, with at least some modicum of information regarding how they are ordinarily kept in order to allow the requesting party to make meaningful use of the documents,” the magistrate judge wrote in Pass & Seymour v. Hubbell Incorporated, 5:07-cv-00945. To make information meaningful, parties have to provide their adversaries with some context to help them navigate their way through it, according to the magistrate judge. http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1202424713079&rss=newswire

THOMAS VERDICT OVERTURNED, MAKING AVAILABLE THEORY REJECTED (ArsTechnica, 24 Sept 2008) - Jammie Thomas is off the hook—at least for the time being. Judge Michael J. Davis has overturned a federal jury’s copyright infringement verdict and award of $222,000 in damages to the RIAA. The verdict was handed down last October after a three-day trial and a few hours of deliberations. Judge Davis determined that he gave the jury an erroneous instruction on the question of whether making a file available for download over a P2P network violated the record labels’ distribution right under the Copyright Act. The original jury instructions said that it wasn’t, but, after a hearing outside of the presence of the jury, Judge Davis amended the instruction to follow the RIAA’s theory that making a file available equals infringement. After becoming aware of some case law in the Eighth Circuit, Judge Davis invited both parties to submit briefs on the matter, and held oral arguments in August at which he indicated he was leaning towards overturning the verdict and ordering a new trial. In a 43-page decision released late Thursday, Judge Davis wrote that the jury instruction in question was inaccurate. At issue was what he described as the “plain meaning” of distribution. “The Court’s examination of the use of the term ‘distribution’ in other provisions of the Copyright Act, as well as the evolution of liability for offers to sell in the analogous Patent Act, lead to the conclusion that the plain meaning of the term ‘distribution’ does not includ[e] making available and, instead, requires actual dissemination,” reads Judge Davis’ opinion. http://arstechnica.com/news.ars/post/20080924-thomas-verdict-overturned-making-available-theory-rejected.html Opinion here: http://arstechnica.com/news.media/thomas-ruling-1.pdf

AEROSMITH’S TYLER SUES OVER BLOG IMPERSONATIONS (Reuters, 24 Sept 2008) - Aerosmith frontman Steven Tyler on Wednesday sued unknown bloggers who the singer said impersonated him on the Web, writing about the death of his mother and other “intimate details” from his life. In a lawsuit filed in Los Angeles, Tyler, 60, said he didn’t know the real names of those who have impersonated him and girlfriend Erin Brady on the Web, but he believes the same group was responsible for similar postings in 2007. At that time, Tyler asked Google to remove the blogs, and the Internet company complied. The latest batch of impersonator blogs, which show pictures of Tyler, the lead singer for the rock group Aerosmith, were posted at Blogspot.com, the lawsuit said. One posting had 31 entries for 2008, and another written by “Brady” had seven entries in recent months, the lawsuit said. Tyler’s lawsuit accuses the bloggers of public disclosure of private facts, making false statements and misappropriation of likeness. It also seeks an injunction to have the defendants stop impersonating him online or elsewhere. On Wednesday, the blogs Tyler’s lawsuit describes as being written by impostors were unavailable for public viewing. A statement on each of the blog pages said, “This blog is under review due to possible blogger terms of service violations.” http://tech.yahoo.com/news/nm/20080925/wr_nm/us_aerosmithusnet_1

STUDY: WORK E-MAIL USE CREEPS INTO OFF HOURS (AP, 24 Sept 2008) - A study published Wednesday by the Pew Internet and American Life Project shows that workers in general have mixed feelings about the increased use of e-mail and the Internet in the last few years. In a survey of 2,134 adults in March and April, 96 percent used e-mail, the Internet or cell phones. Of them, 80 percent said these technologies have improved their ability to do their jobs, and 58 percent said these tools have given them more control over when to work. But 46 percent also said these devices increase the demands that they work more hours, and 49 percent said that the technologies make it harder to disconnect from work when they should be off. Half of the respondents who were employed and had e-mail said they check their work e-mail on weekends, and a full 22 percent said they checked office e-mail “often” on the weekends, up from 16 percent who said the same thing in 2002. For workers in general, it’s unclear whether e-mail alone is increasing the amount of work. Other studies show that people have worked roughly the same number of hours every week for the last two decades. In the Pew study, 17 percent said e-mail had increased their work hours, while 6 percent said the opposite — that e-mail reduced the time they had to work. http://news.yahoo.com/s/ap/20080924/ap_on_hi_te/tec_workers_e_mail_2

UK FIRMS KEEP SCHTUM ABOUT DATA BREACHES TO CLIENTS (CBR, 24 Sept 2008) - Most companies try to keep data breaches from their clients and half fail to report problems to the police or authorities. Only 40% of the 300 public and private firms surveyed by services organisation Logica said they had told clients of data breaches. What was particularly worrying – and baffling given the high profile data losses reported over the last year – was that 57% had “no idea” or understanding about the impact of such a breach on their company. Half the respondents wanted to pass the buck to the IT department, blaming them for any data security problems. “This complacent attitude not only increases the likelihood of financial and reputational consequences, but also highlights the inadequate security policies and protocols that UK organisations have in place,” said Tim Best, director enterprise security solutions at Logica. This complacency was further demonstrated both by respondents’ attitude to training staff – only 30% educated workers about IT security and information handling regularly – and to data compliance, as only a quarter said they complied to ISO standards for storing personal data. http://security.cbronline.com/news/firms_keep_schtum_about_data_breaches_to_clients

CDA SECTION 230 PROTECTS TICKET RESELLING SITE (BNA’s Internet Law News, 25 Sept 2008) - BNA’s Electronic Commerce & Law Report reports that an Oregon Circuit Court has ruled that Section 230 of the Communications Decency Act shields ticket re-seller StubHub Inc. and Internet auction company eBay Inc. from liability for scalped concert tickets sold by third parties on their Web sites. Case name is Fehrs v. StubHub Inc.

SEC AND HHS JOIN THE DATA SECURITY POSSE (Steptoe & Johnson’s E-Commerce Law Week, 25 Sept 2008) - No longer willing to let the Federal Trade Commission act as the Lone Ranger of federal data security enforcement, the Securities and Exchange Commission and the Department of Health and Human Services have begun taking action against companies whose data security practices violate the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), respectively. Earlier this month, LPL Financial Corporation agreed to remedy any deficiencies in its data security policies and procedures identified by an independent consultant and pay $275,000 to settle SEC charges that its failure to implement “adequate” data security allowed hackers to make unauthorized trades in the accounts of LPL’s customers, in violation of the Safeguards Rule of GLBA Regulation S-P. Meanwhile, several members of the Providence health care group agreed this July to adopt new security policies and procedures and pay $100,000 to settle HHS charges that they had failed to adequately secure patient information, in violation of the HIPAA Privacy and Security Rules. In addition to signaling an uptick in data security enforcement by federal regulators, these developments could help refine the working definition of “reasonable” data security that the FTC has adopted in its settlements with alleged violators of the “unfair or deceptive acts or practices” prong of the FTC Act. http://www.steptoe.com/publications-5571.html

SEC ADOPTS FINAL RULES MANDATING THE ELECTRONIC FILING AND REVISION OF FORM D (Duane Morris, 26 Sept 2008) - In June 2007, the SEC proposed amendments mandating the electronic filing of Form D together with substantive revisions to the form. In February of this year, those amendments were adopted almost entirely as proposed. Although these final rules embody both substantive and procedural changes, Form D retains its primary purpose as an initial notice form. On September 15, 2008, the SEC’s Form D electronic filing system went online. From that date until March 15, 2009, companies have the option of filing Form D information electronically through the EDGAR system or using a paper Form D. If using the paper form, filers have the option of using the old Form D or the new Form D, which has been revised to include the new information requirements discussed below. However, beginning on March 16, 2009, the SEC will no longer accept paper filing of the Form D, regardless of which form is used. http://www.duanemorris.com/alerts/alert2976.html

ALARM SOUNDED ON SECOND-HAND KIT (BBC, 29 Sept 2008) - For less than a pound a security expert has got front-door access to a council’s internal network. For 99p Mr Mason bought what is known as a virtual private network (VPN) server made by the firm Cisco Systems that automates all the steps needed to get remote access to a network. Many staff working overseas or off-site use a VPN to connect back to corporate systems. On powering it his new hardware Mr Mason expected that the device would need network settings to be input but, without prompting, it connected to the last place it was used [the internal network of Kirklees Council in West Yorkshire]. Kirklees council called the discovery “concerning” but said its data had not been compromised. “It is like having a long ethernet cable from the Council office to anywhere where I connected the device,” said Mr Mason. A spokesperson for Cisco Systems said that “we do provide clear guidelines that explain how to reset products to their factory default settings. “If followed correctly, these processes eliminate both the configuration and backup configuration of the product preventing subsequent users from connecting with a previous user’s configuration.” http://news.bbc.co.uk/2/hi/technology/7635622.stm

- and -

TOP SECRET MI6 CAMERA SOLD TO THE HIGHEST BIDDER ON EBAY (Washington Post, 30 Sept 2008) - A 28-year-old delivery man from the UK who bought a Nikon Coolpix camera for about $31 on eBay got more than he bargained for when the camera arrived with top secret information from the UK’s MI6 organization. Allegedly sold by one of the clandestine organization’s agents, the camera contained named al-Qaeda cells, names, images of suspected terrorists and weapons, fingerprint information, and log-in details for the Secret Service’s computer network, containing a “Top Secret” marking. Once he downloaded the contents onto his computer, he immediately went to the police to explain the situation. The police originally treated it as a joke, but within a week, anti-terror officers started investigating and demanded that he not talk to the media about the contents contained in the camera. Journalist and author Neil Doyle told The Sun that the contents are “MI6 documents relating to an operation against al-Qaeda insurgents in Iraq. It?s jaw-dropping they got into the public domain. “Not only do they divulge secrets about operations, operating systems and previously unheard-of MI6 departments, but they could put lives at risk.” http://www.washingtonpost.com/wp-dyn/content/article/2008/09/30/AR2008093000994_pf.html

UPS AND DOWNS OF DISCOVERING ONLINE DATA (Law.com, 29 Sept 2008) - One unanticipated cost of e-business is the expense of responding to subpoenas and proceedings designed to compel companies to disclose confidential data in their possession, such as private consumer information or identifying information as to anonymous posters at company blogs, bulletin boards or Web sites. In such cases, the company is not the target of the legal proceedings by private litigants or government prosecutors but the conduit for the identification of, or evidence against, the target. Under such circumstances, a business faces a Hobson’s choice. It can disclose data it may have received in exchange for a promise to keep it private or a company may try to honor anonymity and, perhaps, individual First Amendment rights by refusing to respond to legal process. Either way, there is both expense and potential exposure to the company. Courts have increasingly established guidelines that may help businesses to determine their responsibilities under these circumstances. http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1202424836222&rss=newswire

MPAA SUES REALNETWORKS OVER REALDVD RIPPER (Extreme Tech, 30 Sept 2008) - Hollywood’s leading movie studios have sued RealNetworks over its RealDVD software, arguing that the software’s ability to copy DVDs to a hard disk violates the Digital Millennium Copyright Act. The suit asks for a temporary restraining order halting sales of the software, plus damages deriving from profits lost through the sales of the RealDVD software. The lawsuit, filed today in U.S. District Court in Los Angeles, asks for damages and injunctive relief against RealNetworks for violations of the DMCA’s circumvention provisions, as well as a breach of the contract accompanying the DVD’s copy protection license. “RealNetworks’ RealDVD should be called StealDVD,” said Greg Goeckner, executive vice president and general counsel for the Motion Picture Association of America (MPAA), in a statement. “RealNetworks knows its product violates the law and undermines the hard-won trust that has been growing between America’s movie makers and the technology community.” The MPAA’s membership includes Fox, Paramount, The Walt Disney Co., and Warner Bros. RealNetworks filed its own preemptive suit on Tuesday, arguing that its software was protected under the “fair use” statutes of U.S. copyright law. A source close to the MPAA dismissed Real’s suit as a “PR stunt” designed to facilitate piracy. http://news.yahoo.com/s/zd/20080930/tc_zd/232572

FORUM-SELECTION CLAUSE LOCATED ONLINE, INCORPORATED BY REFERENCE IS ENFORCEABLE (BNA’s Internet Law News, 2 Oct 2008) - BNA’s Electronic Commerce & Law Report reports that a federal court in Pennsylvania has ruled that terms of service posted online, incorporated by reference into an online services agreement, were not unconscionable and governed a dispute about the service. Magistrate Judge Lisa Pupo Lenihan explained that forum selection clauses are enforceable unless they are invalid under contract law theories, such as fraud or unconscionability. Case name is PentecostalTempleChurch v. Streaming Faith.

SURVEILLANCE OF SKYPE MESSAGES FOUND IN CHINA (New York Times, 2 Oct 2008) - A group of Canadian human-rights activists and computer security researchers has discovered a huge surveillance system in China that monitors and archives certain Internet text conversations that include politically charged words. The system tracks text messages sent by customers of Tom-Skype, a joint venture between a Chinese wireless operator and eBay, the Web auctioneer that owns Skype, an online phone and text messaging service. The discovery draws more attention to the Chinese government’s Internet monitoring and filtering efforts, which created controversy this summer during the Beijing Olympics. Researchers in China have estimated that 30,000 or more “Internet police” monitor online traffic, Web sites and blogs for political and other offending content in what is called the Golden Shield Project or the Great Firewall of China. The activists, who are based at Citizen Lab, a research group that focuses on politics and the Internet at the University of Toronto, discovered the surveillance operation last month. They said a cluster of eight message-logging computers in China contained more than a million censored messages. They examined the text messages and reconstructed a list of restricted words. The list includes words related to the religious group Falun Gong, Taiwan independence and the Chinese Communist Party, according to the researchers. It includes not only words like democracy, but also earthquake and milk powder. (Chinese officials are facing criticism over the handling of earthquake relief and chemicals tainting milk powder.) The list also serves as a filter to restrict text conversations. The encrypted list of words inside the Tom-Skype software blocks the transmission of those words and a copy of the message is sent to a server. The Chinese servers retained personal information about the customers who sent the messages. They also recorded chat conversations between Tom-Skype users and Skype users outside China. The system recorded text messages and Skype caller identification, but did not record the content of Skype voice calls. http://www.nytimes.com/2008/10/02/technology/internet/02skype.html?ref=business

MASSACHUSETTS ISSUES SWEEPING DATA SECURITY REGULATIONS, INCLUDING MANDATORY ENCRYPTION (Steptoe & Johnson’s E-Commerce Law Week, 2 Oct 2008) - Massachusetts has issued regulations requiring businesses that own or maintain personal information about state residents to implement comprehensive data security measures. These appear to be the broadest and most detailed data security prescriptions to be imposed at the state or federal level. The regulations also specifically require businesses and other entities, “to the extent technically feasible,” to encrypt “all transmitted records and files containing personal information that will travel across public networks” and “all data to be transmitted wirelessly.” The same entities must also encrypt “all personal information stored on laptops or other portable devices.” Massachusetts thus becomes the second state, after Nevada, to require the use of encryption, and adds to a growing international trend. The regulations will take effect January 1, 2009. http://www.steptoe.com/publications-5601.html Regulations here: http://www.mass.gov/?pageID=ocamodulechunk&L=1&L0=Home&sid=Eoca&b=terminalcontent&f=idtheft_201cmr17&csid=Eoca

NIST PUBLISHES SECURITY GUIDANCE FOR WIRELESS LINKS, INDUSTRIAL CONTROLS (GCN, 2 Oct 2008) - The National Institute of Standards and Technology has released three information security documents in its 800 series of special publications; two final guidelines on information security assessment and Bluetooth security, and a draft of guidelines for security industrial control systems. SP 800-121, Guide to Bluetooth Security, has been finalized and describes the security capabilities of Bluetooth technologies and gives recommendations on security them effectively. Bluetooth is an open standards protocol for personal area wireless networking commonly used to connect peripherals with desktop or handheld computing devices. Much of SP 800-121 originally was included in a draft of NIST’s SP 800-48 Revision 1, Wireless Network Security for IEEE 802.11a/b/g and Bluetooth. But because of comments received on that publication, the Bluetooth material has been placed in a separate publication. This document and SP 800-48 Revision 1, which was released in July, replace the original SP 800-48, which dates to 2002. SP 800-115, Technical Guide to Information Security Testing and Assessment, provides guidance for planning and conducting tests, analyzing findings and developing mitigation strategies for risks that are identified. The document gives an overview of key elements of security testing, with the benefits and limitations of different technical testing techniques and recommendations for their use. It replaces SP 800-42, Guidelines on Network Security Testing, which was released in 2003. For effective testing and assessment, NIST recommends that organizations:
* Establish an information security assessment policy to identify requirements for executing assessments and provide accountability topics to address organizational requirements, roles and responsibilities, adherence to an established assessment methodology, assessment frequency and documentation requirements.
* Implement a repeatable and documented assessment methodology. This enables organizations to maximize the value of assessments while minimizing possible risks introduced by certain technical assessment techniques. Minimizing risk caused by assessment techniques requires skilled assessors, comprehensive assessment plans, logging assessor activities, performing testing off-hours and conducting tests on duplicates of production systems. Organizations need to determine the level of risk they are willing to accept for each assessment and tailor their approaches accordingly.
* Determine the objectives of each security assessment. Because no individual technique provides a comprehensive picture of an organization’s security when executed alone, organizations should use a combination of techniques. This also helps organizations to limit risk and resource usage.
* Analyze findings and develop risk mitigation techniques to address weaknesses. This includes conducting root cause analysis upon completion of an assessment to translate findings into actionable mitigation techniques.
A final draft of SP 800-82, Guide to Industrial Control Systems (ICS) Security, is being released for public comment. Its guidance includes recommendations for security Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS) and other control system configurations such as Programmable Logic Controllers. http://www.gcn.com/online/vol1_no1/47273-1.html?topic=security Standards here: http://csrc.nist.gov/publications/nistpubs/800-121/SP800-121.pdf
http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf

**** NOTED PODCASTS ****
UNDERSTANDING PRIVACY (IT Conversations, 25 August 2008) – “Privacy is one of the most important concepts of our time, yet it is also one of the most elusive. As rapidly changing technology makes information increasingly available, scholars, activists, and policymakers have struggled to define privacy, with many conceding that the task is virtually impossible. Daniel J. Solove, author of the book Understanding Privacy, joins Phil, Scott, and Ben to give an overview of the difficulties involved in discussions of privacy. He reviews topics from his book and discusses a number of real-world examples on how individuals don’t even know what privacy they may be giving up.” 63 minutes; one star; provides an interesting framework for privacy analysis along four dimensions: Collection, Processing, Dissemination, and Invasion. http://itc.conversationsnetwork.org/shows/detail3805.html

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. BNA’s Internet Law News, http://ecommercecenter.bna.com.
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
7. McGuire Wood’s Technology & Business Articles of Note, http://tinyurl.com/ywsusp
8. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
9. Eric Goldman’s Technology and Marketing Law Blog, http://blog.ericgoldman.org/.
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.