Saturday, October 04, 2008

MIRLN 14 September – 4 October 2008 (v11.13)

**************Introductory Note**********************

MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by KnowConnect PLLC.

Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.abanet.org/dch/committee.cfm?com=CL320000 (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln.

**************End of Introductory Note***************

E-VOTING VENDOR: PROGRAMMING ERRORS CAUSED DROPPED VOTES (Network World, 22 August 2008) - A major electronic voting system vendor has changed its story in an attempt to explain how its machines dropped hundreds of votes in Ohio’s March primary elections, saying it was a programming error, not the fault of antivirus software. E-voting machines from Premier Election Solutions, formerly called Diebold Election Systems, dropped hundreds of votes in 11 Ohio counties during the primary election, as the machines’ memory cards uploaded to vote-counting servers. Premier originally blamed conflicts caused by antivirus software from McAfee, but the company this week said a logic error in the machines’ GEMS source code was responsible for the problem. “We now have reason to believe that the logic error in the GEMS code can cause this event when no such antivirus program is installed on the server,” Premier President Dave Byrd wrote in a Tuesday letter to Ohio Secretary of State Jennifer Brunner. “We are indeed distressed that our previous analysis of this issue was in error.” http://www.networkworld.com/news/2008/082208-e-voting-vendor-programming-errors-caused.html

JUDGE LIMITS SEARCHES USING CELLPHONE DATA (Washington Post, 12 Sept 2008) - The government must obtain a warrant based on probable cause of criminal activity before directing a wireless provider to turn over records that show where customers used their cellphones, a federal judge ruled Wednesday, in the first opinion by a federal district court on the issue. Judge Terrence F. McVerry of the Western District of Pennsylvania rejected the government’s argument that historical cellphone tower location data did not require probable cause. The ruling could begin to establish the standard for such requests, which industry lawyers say are routine as more people carry cellphones that reveal their locations. Around the country, magistrate judges, who handle matters such as search warrants, have expressed concern about the lack of guidance. http://www.washingtonpost.com/wp-dyn/content/article/2008/09/11/AR2008091103292.html

CONGRESS LIMITS SUBJECT MATTER AND INADVERTENT WAIVERS FOR ATTORNEY-CLIENT COMMUNICATIONS AND WORK PRODUCT (WilmerHale Alert, 12 Sept 2008) - On September 8, 2008, the House of Representatives joined the Senate in passing legislation that would create a new Rule of Evidence, Rule 502. The Rule will become effective upon the President’s signature. The primary purpose of the Rule is to reduce the costs of time-consuming privilege review. If enacted, the Rule will limit the consequences of both intentional and inadvertent disclosures of attorney-client communications and attorney work product, and allow the parties to create their own waiver rules that are binding on third parties. The theory behind the Rule is that (1) most documents produced in discovery have minimal value; (2) reviewing them in the modern era of email and electronic communication is enormously costly; and (3) attorneys worried about the consequences of waiver for even a single document must engage in time-consuming and costly privilege reviews and make strained privilege claims. The Rule attempts to address these concerns. http://wilmerhaleupdates.com/ve/ZZn90288979VZZ00w808

CANADIAN ELECTION OFFICIALS POKE AROUND FACEBOOK VOTE-SWAPPING GROUP (CBC, 12 Sept 2008) - Canada’s election watchdog is probing whether a vote-swapping group set up on Facebook is illegal or just strategic voting. The online group, titled “Anti-Harper Vote Swap Canada,” is trying to match Canadians who are willing to swap votes to keep the Conservatives from winning a majority in the Oct. 14 federal election. More than 1,200 people had become members of the group by early Friday evening, two days after its creation. The group lists 41 ridings likely to be tight races and encourages members to swap votes in order to stop Tories from winning those seats. http://www.cbc.ca/news/canadavotes/story/2008/09/12/facebook-vote-swap.html Later ruling says vote-swapping is not illegal, per se: http://www.cbc.ca/canada/story/2008/09/17/vote-swapping.html

PORN PASSED OVER AS WEB USERS BECOME SOCIAL (Reuters, 16 Sept 2008) - Social networking sites are the hottest attraction on the Internet, dethroning pornography and highlighting a major change in how people communicate, according to a web guru. Bill Tancer, a self-described “data geek,” has analyzed information for over 10 million web users to conclude that we are, in fact, what we click, with Internet searches giving an up-to-date view of how society and people are changing. Some of his findings are great trivia, such as the fact that elbows, belly button lint and ceiling fans are on the list of people’s top fears alongside social intimacy and rejection. Others give an indication of people’s interests or emotions, with an annual spike in searches for anti-depression drugs around Thanksgiving time in the United States. Tancer, in his new book, “Click: What Millions of People are Doing Online and Why It Matters,” said analyzing web searches did not just reflect what was happening online but gave a wider picture of society and people’s behavior. “There are some patterns to our Internet use that we tend to repeat very specifically and predictably, from diet searches, to prom dresses, to what we do around the holidays,” Tancer told Reuters in a telephone interview. Tancer, general manager of global research at Hitwise, an Internet tracking company, said one of the major shifts in Internet use in the past decade had been the fall off in interest in pornography or adult entertainment sites. He said surfing for porn had dropped to about 10 percent of searches from 20 percent a decade ago, and the hottest Internet searches now are for social networking sites. “As social networking traffic has increased, visits to porn sites have decreased,” said Tancer, indicating that the 18-24 year old age group in particular was searching less for porn. http://news.yahoo.com/s/nm/20080916/wr_nm/internet_book_life_dc

JUDGE: ‘HEADS WILL ROLL’ OVER WITHHELD E-MAIL (Law.com, 17 Sept 2008) - A discovery disaster threatens to derail the government’s stock options prosecution against McAfee’s former general counsel. Opening arguments had been slated for Wednesday morning in the Kent Roberts case. Instead, federal prosecutors and defense lawyers stunned the court with news that the company had just turned over highly relevant e-mails to the government the night before. Those documents should have been produced in response to a two-year-old grand jury subpoena, Assistant U.S. Attorney Laurel Beeler said. Judge Marilyn Hall Patel was less than pleased. She demanded that in-house lawyers from McAfee -- along with attorneys from Howrey and Wilson Sonsini Goodrich Rosati -- show up the next day to explain why 18 pages of e-mails weren’t turned over to the government until 10:40 p.m. Tuesday night. The judge then dismissed the jury for the day so prosecutors could determine whether any other documents were withheld -- and whether the case can proceed. Wilson Sonsini represents McAfee, and Howrey conducted the company’s internal investigation. “Somewhere or another, heads will have to roll, because this is outrageous,” Patel said. http://www.law.com/jsp/article.jsp?id=1202424591001&rss=newswire

BEWARE OPEN-SOURCE VIOLATIONS LURKING IN YOUR CODE (Computerworld, 19 Sept 2008) - IT organizations that feel safe from open-source licensing violations might be wise to check their code anyway, because open-source components are rapidly seeping into applications by way of offshore and in-house developers taking shortcuts, as well as a growing population of open-source-savvy grads entering the workforce. “With all of these new aspects, open source is something companies are going to have to get their heads around,” says Anthony Armenta, vice president of engineering at Wyse Technology Inc., a maker of thin clients. It’s not just about unearthing open-source code that’s in violation of licensing, either. Open source must be managed like any other software component as security vulnerabilities arise and patches become available. Wyse has been using Palamida Inc. to track its open-source usage for the past year. Palamida checks code bases against a 6TB library of known open-source projects, fingerprints and binary files. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115183&source=rss_news
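The item above describes fingerprint matching of a code base against a library of known open-source projects, and makes the point that a detected component also has to be tracked for security advisories. The following is an added example, written for this digest and not taken from the Computerworld article or from Palamida’s product, of how such a check works in miniature: source files are normalised (comments and whitespace stripped), every short run of lines is hashed, and a candidate file is compared against the fingerprints of known components so that a function pasted in from the internet is found even when it has been re-indented and commented. The “libtinyhash” project, its licence, its code and its advisory are all invented for the example; a real tool indexes actual project releases and a real vulnerability feed.

```python
"""Fingerprint-based detection of open-source code pasted into a code base (added example)."""
import hashlib
import re
from typing import Dict, List, Set, Tuple

WINDOW = 3  # consecutive normalised lines hashed together as one fingerprint


def normalize(source: str) -> List[str]:
    """Strip C/C++-style comments, collapse whitespace and drop blank lines, so that
    re-indenting or commenting a pasted snippet does not defeat the match."""
    lines = []
    for raw in source.splitlines():
        line = re.sub(r"/\*.*?\*/", "", raw)      # inline /* ... */ comments
        line = re.sub(r"//.*$", "", line)         # trailing // comments
        line = re.sub(r"\s+", " ", line).strip()  # collapse whitespace
        if line:
            lines.append(line)
    return lines


def fingerprints(source: str) -> Set[str]:
    """Hash every run of WINDOW normalised lines. A pasted function shares most of
    its windows with the upstream file even when the surrounding code differs."""
    lines = normalize(source)
    fps = set()
    for i in range(len(lines) - WINDOW + 1):
        chunk = "\n".join(lines[i:i + WINDOW]).encode()
        fps.add(hashlib.sha256(chunk).hexdigest()[:16])
    return fps


# Constructed stand-in for a library of known open-source projects. The project
# name, version, licence and code are invented for this example.
KNOWN_COMPONENTS: Dict[Tuple[str, str, str], str] = {
    ("libtinyhash", "1.2.0", "GPL-2.0"): """
int tinyhash(const char *s) {
    unsigned int h = 5381;
    while (*s) {
        h = (h * 33) ^ (unsigned char)*s;
        s++;
    }
    return (int)h;
}
""",
}

# Constructed advisory table keyed by (project, version); also invented.
ADVISORIES: Dict[Tuple[str, str], str] = {
    ("libtinyhash", "1.2.0"): "example advisory: predictable hash output, fixed in 1.2.1",
}


def build_index() -> Dict[Tuple[str, str, str], Set[str]]:
    """Fingerprint every known component once."""
    return {key: fingerprints(src) for key, src in KNOWN_COMPONENTS.items()}


def scan(source: str, threshold: float = 0.5) -> List[dict]:
    """Report known components whose fingerprints appear in `source`, with the
    fraction of the component that matched, its licence and any open advisory."""
    candidate = fingerprints(source)
    hits = []
    for (project, version, licence), known in build_index().items():
        if not known:
            continue
        overlap = len(candidate & known) / len(known)
        if overlap >= threshold:
            hits.append({
                "project": project,
                "version": version,
                "license": licence,
                "match": round(overlap, 2),
                "advisory": ADVISORIES.get((project, version)),
            })
    return sorted(hits, key=lambda h: -h["match"])


# Constructed in-house file: the upstream function pasted in, re-indented, with
# comments added and the opening brace moved, followed by unrelated code.
IN_HOUSE = """
// helper found online
int tinyhash(const char *s)
{
  unsigned int h = 5381;   // seed
  while (*s) {
    h = (h * 33) ^ (unsigned char)*s;
    s++;
  }
  return (int)h;
}

int unrelated(void) { return 1; }
"""

if __name__ == "__main__":
    for hit in scan(IN_HOUSE):
        print(hit)
```

Running the script reports libtinyhash 1.2.0 (GPL-2.0) at a match ratio of 0.83: five of the six upstream windows survive the cosmetic edits, only the window containing the altered first line is lost, and the attached advisory shows why the inventory matters beyond licensing. Matching by windows rather than whole-file hashes is what makes the check useful against the “shortcut” scenario the article describes; the threshold trades false positives on common idioms against sensitivity to small pastes.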

CYBER ATTACK DATA-SHARING IS LACKING, CONGRESS TOLD (Washington Post, 19 Sept 2008) - U.S. intelligence agencies are unable to share information about foreign cyber attacks against companies for fear of jeopardizing intelligence-gathering sources and methods, cyber security expert Paul B. Kurtz told lawmakers yesterday. Kurtz, who served on the National Security Council in the Clinton and Bush administrations, spoke at the first open hearing on cyber security held by the House Permanent Select Committee on Intelligence. He and other experts discussed President Bush’s Comprehensive National Cybersecurity Initiative, disclosed in January, which focuses on cyber espionage against government systems and, they said, does not adequately address the private sector. There is no coordinated strategy or mechanism for sharing intelligence about intrusions with companies, nor is there a systematic way for companies to share information with the government, said the panelists, who are members of the Center for Strategic and International Studies commission on cyber security, set up last year to advise the next administration. While certain information must remain classified, “the government needs to do better” at sharing unclassified information about cyber attacks, said Rep. Silvestre Reyes (D-Tex.), who chairs the intelligence committee. “Everyone stands to benefit from an improved two-way information flow.” http://www.washingtonpost.com/wp-dyn/content/article/2008/09/18/AR2008091803730.html

TWO-THIRDS OF FIRMS HIT BY CYBERCRIME (Security Focus, 22 Sept 2008) - The Department of Justice released data from its 2005 National Computer Security Survey last week, finding that two-thirds of firms detected at least one cybercrime during that year. More than 7,800 companies responded to the survey, which classified cybercrime into cyber attacks, cyber theft, and other incidents. The survey found that three-quarters of cyber attacks came from external sources, while insiders accounted for the same proportion of cyber thefts. More than half of companies reported a cyber theft to law-enforcement authorities, but only 6 percent of cyber attacks were reported. Computer viruses made up more than half of all cyber attacks. The survey, which was developed by the DOJ’s Bureau of Justice Statistics and the U.S. Department of Homeland Security, found that telecommunications companies and computer-system design businesses were hardest hit by cybercrime. About 90 percent of businesses that suffered an incident sustained monetary loss, and cyber theft accounted for half of the loss, according to the summary. http://www.securityfocus.com/brief/825 Survey here: http://www.ojp.usdoj.gov/bjs/pub/pdf/cb05.pdf

GOOGLE BOOK SEARCH NOW FITS ON YOUR BLOG (CNET, 22 Sept 2008) - Google has put out a cool update to its book search service that lets anyone embed entire books, or just book previews on their site. While aimed mainly at online retailers and educational institutes, it’s also a great way to drop entire public domain works onto your blog in case you want to give your visitors something more exciting to flip through than your latest ramblings. The news comes alongside some partnerships including A1Books, Books-A-Million, and The Book Depository. When you’re viewing an indexed title on any of these sites you’ll see a Google preview link that lets you peruse the innards of the book without leaving the sale page. According to a post on Google’s Book Search blog, larger retailers including Powell’s Books, Borders and Buy.com will be added “in the coming weeks.” If you’re wondering why Amazon.com is not one of the online stores to be included, it’s because it’s had this feature since late 2003. Its in-house “search inside” feature is essentially the same, although limited to titles within its catalog. Under Google’s system, any retailer would be able to get this same functionality--including the capability to let readers view the entire work with whatever titles had been indexed. Back in 2006, the two companies traded legal blows due to the suspicion that Google’s book search program was leading towards this functionality. http://news.cnet.com/8301-17939_109-10047943-2.html

MLB BACKS DOWN WHEN SOMEONE IT BULLIES EXPLAINS FAIR USE TO THEM (TechDirt, 23 Sept 2008) - For years now, Major League Baseball’s online division, MLB.com, has been over aggressive in claiming ownership and control over anything associated with Major League Baseball -- even though court after court has told them they don’t get to control everything. However, MLB just keeps on claiming ownership of things anyway, such as sending out various DMCA takedown notices to YouTube for any clip of baseball put up by anyone else. Larry Lessig has the story, though, of one fan who fought back and filed a detailed counterclaim about how his video was fair use and MLB was repeatedly abusing its power in damaging ways. Amazingly, not only did MLB relent, it featured the video it had just demanded get taken down on its own blog. To be honest, there’s a chance that the two things are unrelated, and the blogger had no idea that the parent company’s lawyers were trying to shut down the video -- but the story is a good reminder that if someone is overreaching in their takedown attempts, it can be effective to respond with a counternotice that clearly states the issues. http://techdirt.com/articles/20080922/2002012337.shtml

DHS DOCS REVEAL EXPANDED BORDER SEARCH DISCRETION (ArsTechnica, 23 Sept 2008) - Internal Department of Homeland Security documents obtained by civil rights groups reveal that, since 2000, Customs and Border Protection guidelines have been loosened to allow border agents significantly more latitude to question and search travelers entering the United States. Prompted by travelers’ reports of border guards increasingly probing into the political views, religious beliefs, and volunteer activities of border crossers, the Asian Law Caucus and Electronic Frontier Foundation sued the DHS in February, seeking the release of records detailing the policies that govern border searches. In June and late July, the groups obtained over 600 pages worth of documents, of which they recently issued a thorough analysis. They found that as border policies were revised in 2000 and again in 2007, restrictions on the examination, seizure, copying, and sharing of travelers’ personal effects and documents were shed. The 2000 guidelines, for example, stipulated that customs officers “may glance at documents and papers to see if they appear to be merchandise” [emphasis added], and permitted close reading only if “an officer reasonably suspects that they relate to” one of several classes of restricted materials. Probable cause, or the consent of the owner, was needed to seize or copy documents. Under the revised rules, officers may seize or copy papers or digital files for the purpose of performing a “thorough border search” without any need for individualized suspicion. The “reasonable suspicion” requirement was also dispensed with as a prerequisite for sharing seized or copied information with other agencies for translation. A memo from the Area Port of Anchorage, however, does establish that an officer who uses an imaging device to copy the contents of a digital storage medium should inform a supervisor of the “circumstances and articulable facts” justifying the copy. http://arstechnica.com/news.ars/post/20080923-dhs-docs-reveal-expanded-border-search-discretion.html

EFF: CLAIM THAT CONSENT NEEDED FOR LINKING IS “PREPOSTEROUS” (ArsTechnica, 23 Sept 2008) - Large Chicago law firm Jones Day is suing a tiny Internet startup called BlockShopper over the use of the humble hyperlink. But BlockShopper has picked up a pair of allies in the form of the EFF and Public Citizen, and the two groups jointly filed an amici curiae brief with the court that points out the obvious: “linking is what web sites do—that is, after all, why it is called the ‘World Wide Web’.” BlockShopper’s transgression, such as it is, appears to be the posting of public information. The site shows which partners, lawyers, philanthropists, and executives have purchased properties in specific city neighborhoods, and it incurred Jones Day’s legal wrath after showing the new purchases of two Jones Day lawyers. The company sued on trademark grounds, claiming that the use of its name and web link on the site were illegal. Last Friday, the two public interest groups stepped up to the plate and weighed in on the case because of its implications for the Web. The BlockShopper case has “potentially significant implications for other online speakers,” says their filing, which is putting it mildly. Should the case go in Jones Day’s favor, the entire nature of the Web could be attacked by companies looking to harass bloggers or stifle criticism. Creating a “permission-based” culture of linking would strike at the Web’s key feature. As the filing notes, “if Jones Day’s trademark theory were correct, no news site or blog could use marks to identify markholders, or links to point to further information about the markholders, without risking a lawsuit. “But,” the filing continues, “Jones Day is wrong.” http://arstechnica.com/news.ars/post/20080923-eff-claim-that-consent-needed-for-linking-is-preposterous.html

E-DISCOVERY RESPONSE REQUIRES NAVIGATION (New York Law Journal, 23 Sept 2008) - A company that responded to a discovery request by turning over more than 400,000 pages of undifferentiated documents in an electronic format must provide a “modicum” of guidance about how the material was gathered and organized, a federal magistrate judge has ruled. Magistrate Judge David E. Peebles ruled that Pass & Seymour, a Syracuse, N.Y., business, failed to either categorize the information under the document headings requested by Hubbell Incorporated, the defendant in Pass & Seymour’s copyright infringement action, or to organize the data in an intelligible way. Hubbell asked for information in what Magistrate Judge Peebles called 72 “wide-ranging and broadly worded” categories. In response, Pass & Seymour delivered the documents in 220 unlabeled computer folders -- the way the company said they were kept in “the ordinary course of business.” Peebles said that was akin to receiving 405,367 pages of documents stuffed into more than 80 bankers’ boxes. As such, the response did not meet the company’s obligation under the recently amended Rule 34(b)(2) of the Federal Rules of Civil Procedure. “A party who in response to a discovery demand has chosen to produce documents as they are ordinarily maintained must do just that - produce the documents organized as they are maintained in the ordinary course of producing party’s business, with at least some modicum of information regarding how they are ordinarily kept in order to allow the requesting party to make meaningful use of the documents,” the magistrate judge wrote in Pass & Seymour v. Hubbell Incorporated, 5:07-cv-00945. To make information meaningful, parties have to provide their adversaries with some context to help them navigate their way through it, according to the magistrate judge. http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1202424713079&rss=newswire

THOMAS VERDICT OVERTURNED, MAKING AVAILABLE THEORY REJECTED (ArsTechnica, 24 Sept 2008) - Jammie Thomas is off the hook—at least for the time being. Judge Michael J. Davis has overturned a federal jury’s copyright infringement verdict and award of $222,000 in damages to the RIAA. The verdict was handed down last October after a three-day trial and a few hours of deliberations. Judge Davis determined that he gave the jury an erroneous instruction on the question of whether making a file available for download over a P2P network violated the record labels’ distribution right under the Copyright Act. The original jury instructions said that it wasn’t, but, after a hearing outside of the presence of the jury, Judge Davis amended the instruction to follow the RIAA’s theory that making a file available equals infringement. After becoming aware of some case law in the Eighth Circuit, Judge Davis invited both parties to submit briefs on the matter, and held oral arguments in August at which he indicated he was leaning towards overturning the verdict and ordering a new trial. In a 43-page decision released late Thursday, Judge Davis wrote that the jury instruction in question was inaccurate. At issue was what he described as the “plain meaning” of distribution. “The Court’s examination of the use of the term ‘distribution’ in other provisions of the Copyright Act, as well as the evolution of liability for offers to sell in the analogous Patent Act, lead to the conclusion that the plain meaning of the term ‘distribution’ does not includ[e] making available and, instead, requires actual dissemination,” reads Judge Davis’ opinion. http://arstechnica.com/news.ars/post/20080924-thomas-verdict-overturned-making-available-theory-rejected.html Opinion here: http://arstechnica.com/news.media/thomas-ruling-1.pdf

AEROSMITH’S TYLER SUES OVER BLOG IMPERSONATIONS (Reuters, 24 Sept 2008) - Aerosmith frontman Steven Tyler on Wednesday sued unknown bloggers who the singer said impersonated him on the Web, writing about the death of his mother and other “intimate details” from his life. In a lawsuit filed in Los Angeles, Tyler, 60, said he didn’t know the real names of those who have impersonated him and girlfriend Erin Brady on the Web, but he believes the same group was responsible for similar postings in 2007. At that time, Tyler asked Google to remove the blogs, and the Internet company complied. The latest batch of impersonator blogs, which show pictures of Tyler, the lead singer for the rock group Aerosmith, were posted at Blogspot.com, the lawsuit said. One posting had 31 entries for 2008, and another written by “Brady” had seven entries in recent months, the lawsuit said. Tyler’s lawsuit accuses the bloggers of public disclosure of private facts, making false statements and misappropriation of likeness. It also seeks an injunction to have the defendants stop impersonating him online or elsewhere. On Wednesday, the blogs Tyler’s lawsuit describes as being written by impostors were unavailable for public viewing. A statement on each of the blog pages said, “This blog is under review due to possible blogger terms of service violations.” http://tech.yahoo.com/news/nm/20080925/wr_nm/us_aerosmithusnet_1

STUDY: WORK E-MAIL USE CREEPS INTO OFF HOURS (AP, 24 Sept 2008) - A study published Wednesday by the Pew Internet and American Life Project shows that workers in general have mixed feelings about the increased use of e-mail and the Internet in the last few years. In a survey of 2,134 adults in March and April, 96 percent used e-mail, the Internet or cell phones. Of them, 80 percent said these technologies have improved their ability to do their jobs, and 58 percent said these tools have given them more control over when to work. But 46 percent also said these devices increase the demands that they work more hours, and 49 percent said that the technologies make it harder to disconnect from work when they should be off. Half of the respondents who were employed and had e-mail said they check their work e-mail on weekends, and a full 22 percent said they checked office e-mail “often” on the weekends, up from 16 percent who said the same thing in 2002. For workers in general, it’s unclear whether e-mail alone is increasing the amount of work. Other studies show that people have worked roughly the same number of hours every week for the last two decades. In the Pew study, 17 percent said e-mail had increased their work hours, while 6 percent said the opposite — that e-mail reduced the time they had to work. http://news.yahoo.com/s/ap/20080924/ap_on_hi_te/tec_workers_e_mail_2

UK FIRMS KEEP SCHTUM ABOUT DATA BREACHES TO CLIENTS (CBR, 24 Sept 2008) - Most companies try to keep data breaches from their clients and half fail to report problems to the police or authorities. Only 40% of the 300 public and private firms surveyed by services organisation Logica said they had told clients of data breaches. What was particularly worrying – and baffling given the high profile data losses reported over the last year – was that 57% had “no idea” or understanding about the impact of such a breach on their company. Half the respondents wanted to pass the buck to the IT department, blaming them for any data security problems. “This complacent attitude not only increases the likelihood of financial and reputational consequences, but also highlights the inadequate security policies and protocols that UK organisations have in place,” said Tim Best, director enterprise security solutions at Logica. This complacency was further demonstrated both by respondents’ attitude to training staff – only 30% educated workers about IT security and information handling regularly – and to data compliance, as only a quarter said they complied with ISO standards for storing personal data. http://security.cbronline.com/news/firms_keep_schtum_about_data_breaches_to_clients

CDA SECTION 230 PROTECTS TICKET RESELLING SITE (BNA’s Internet Law News, 25 Sept 2008) - BNA’s Electronic Commerce & Law Report reports that an Oregon Circuit Court has ruled that Section 230 of the Communications Decency Act shields ticket re-seller StubHub Inc. and Internet auction company eBay Inc. from liability for scalped concert tickets sold by third parties on their Web sites. Case name is Fehrs v. StubHub Inc.

SEC AND HHS JOIN THE DATA SECURITY POSSE (Steptoe & Johnson’s E-Commerce Law Week, 25 Sept 2008) - No longer willing to let the Federal Trade Commission act as the Lone Ranger of federal data security enforcement, the Securities and Exchange Commission and the Department of Health and Human Services have begun taking action against companies whose data security practices violate the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), respectively. Earlier this month, LPL Financial Corporation agreed to remedy any deficiencies in its data security policies and procedures identified by an independent consultant and pay $275,000 to settle SEC charges that its failure to implement “adequate” data security allowed hackers to make unauthorized trades in the accounts of LPL’s customers, in violation of the Safeguards Rule of GLBA Regulation S-P. Meanwhile, several members of the Providence health care group agreed this July to adopt new security policies and procedures and pay $100,000 to settle HHS charges that they had failed to adequately secure patient information, in violation of the HIPAA Privacy and Security Rules. In addition to signaling an uptick in data security enforcement by federal regulators, these developments could help refine the working definition of “reasonable” data security that the FTC has adopted in its settlements with alleged violators of the “unfair or deceptive acts or practices” prong of the FTC Act. http://www.steptoe.com/publications-5571.html

SEC ADOPTS FINAL RULES MANDATING THE ELECTRONIC FILING AND REVISION OF FORM D (Duane Morris, 26 Sept 2008) - In June 2007, the SEC proposed amendments mandating the electronic filing of Form D together with substantive revisions to the form. In February of this year, those amendments were adopted almost entirely as proposed. Although these final rules embody both substantive and procedural changes, Form D retains its primary purpose as an initial notice form. On September 15, 2008, the SEC’s Form D electronic filing system went online. From that date until March 15, 2009, companies have the option of filing Form D information electronically through the EDGAR system or using a paper Form D. If using the paper form, filers have the option of using the old Form D or the new Form D, which has been revised to include the new information requirements discussed below. However, beginning on March 16, 2009, the SEC will no longer accept paper filing of the Form D, regardless of which form is used. http://www.duanemorris.com/alerts/alert2976.html

ALARM SOUNDED ON SECOND-HAND KIT (BBC, 29 Sept 2008) - For less than a pound a security expert has got front-door access to a council’s internal network. For 99p Mr Mason bought what is known as a virtual private network (VPN) server made by the firm Cisco Systems that automates all the steps needed to get remote access to a network. Many staff working overseas or off-site use a VPN to connect back to corporate systems. On powering up his new hardware Mr Mason expected that the device would need network settings to be input but, without prompting, it connected to the last place it was used [the internal network of Kirklees Council in West Yorkshire]. Kirklees council called the discovery “concerning” but said its data had not been compromised. “It is like having a long ethernet cable from the Council office to anywhere where I connected the device,” said Mr Mason. A spokesperson for Cisco Systems said that “we do provide clear guidelines that explain how to reset products to their factory default settings. “If followed correctly, these processes eliminate both the configuration and backup configuration of the product preventing subsequent users from connecting with a previous user’s configuration.” http://news.bbc.co.uk/2/hi/technology/7635622.stm
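The vendor’s point above is that a factory reset, done correctly, removes both the running configuration and any backup copy. What a practitioner wants before a device leaves the building is a check that it actually did. The following is an added example, written for this digest and not taken from the BBC story, Cisco’s guidance or the council’s equipment: it audits an exported configuration dump for the residue that would let a buyer do what Mr Mason did (tunnel peers, pre-shared keys, stored credentials, SNMP community strings) and reverses any “password 7” strings, which use a publicly documented repeating-key XOR and therefore amount to plaintext. The configuration syntax assumed is Cisco IOS style; both configuration dumps are constructed, the hashed secret is a placeholder, and the addresses come from documentation ranges.

```python
"""Pre-disposal audit of a router/VPN configuration dump (added example)."""
import re
from typing import List

# Cisco type 7 obfuscation key (public, widely documented). The scheme is a
# repeating-key XOR, so anything stored this way is recoverable from the config.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Reverse a 'password 7' string: two-digit decimal seed, then one hex byte per character."""
    seed = int(encoded[:2])
    out = []
    for i in range(2, len(encoded), 2):
        byte = int(encoded[i:i + 2], 16)
        key_char = TYPE7_KEY[(seed + (i - 2) // 2) % len(TYPE7_KEY)]
        out.append(chr(byte ^ ord(key_char)))
    return "".join(out)


# Each pattern names a class of residue that must not survive decommissioning.
# The device's identity and its peers tie the box to its former owner; the
# credentials let the new owner re-establish the old tunnel.
RESIDUE_PATTERNS = {
    "type7_password": re.compile(r"\b(?:password|key) 7 ([0-9A-Fa-f]+)"),
    "hashed_secret":  re.compile(r"\bsecret [589] (\S+)"),
    "ipsec_psk":      re.compile(r"\bcrypto isakmp key (\S+) address (\S+)"),
    "tunnel_peer":    re.compile(r"\bset peer (\S+)"),
    "snmp_community": re.compile(r"\bsnmp-server community (\S+)"),
}


def audit(config: str) -> List[dict]:
    """Return one finding per residual line, with type 7 strings recovered in clear."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        for kind, pattern in RESIDUE_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            finding = {"line": lineno, "kind": kind, "text": line.strip()}
            if kind == "type7_password":
                finding["recovered"] = decode_type7(match.group(1))
            findings.append(finding)
    return findings


def is_wiped(config: str) -> bool:
    """True only when the dump carries none of the residue classes above."""
    return not audit(config)


# Constructed dump of a device that was NOT reset. The type 7 string encodes
# the word "cisco"; the MD5 hash is a placeholder, not a real digest.
RESIDUAL_CONFIG = """\
hostname branch-vpn-01
enable secret 5 $1$abcd$PLACEHOLDERHASHFORILLUSTRATION
username admin password 7 0822455D0A16
crypto isakmp key SharedSecret123 address 203.0.113.10
crypto map OUTSIDE 10 ipsec-isakmp
 set peer 203.0.113.10
snmp-server community public RO
"""

# Constructed dump of the same class of device after a factory reset.
WIPED_CONFIG = """\
hostname Router
interface FastEthernet0/0
 shutdown
"""

if __name__ == "__main__":
    for finding in audit(RESIDUAL_CONFIG):
        print(finding)
    print("residual config wiped:", is_wiped(RESIDUAL_CONFIG))
    print("reset config wiped:   ", is_wiped(WIPED_CONFIG))
```

Two caveats follow from the story itself. The audit only sees the configuration you export, so it must be run against every stored copy the platform keeps, the backup configuration included, not just the running one; and a device that passes this check can still hold a flash filesystem or certificate store that the reset procedure did not touch, so the audit complements the vendor’s reset procedure rather than replacing it.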

- and -

TOP SECRET MI6 CAMERA SOLD TO THE HIGHEST BIDDER ON EBAY (Washington Post, 30 Sept 2008) - A 28-year-old delivery man from the UK who bought a Nikon Coolpix camera for about $31 on eBay got more than he bargained for when the camera arrived with top secret information from the UK’s MI6 organization. Allegedly sold by one of the clandestine organization’s agents, the camera contained named al-Qaeda cells, names, images of suspected terrorists and weapons, fingerprint information, and log-in details for the Secret Service’s computer network, containing a “Top Secret” marking. Once he downloaded the contents onto his computer, he immediately went to the police to explain the situation. The police originally treated it as a joke, but within a week, anti-terror officers started investigating and demanded that he not talk to the media about the contents contained in the camera. Journalist and author Neil Doyle told The Sun that the contents are “MI6 documents relating to an operation against al-Qaeda insurgents in Iraq. It’s jaw-dropping they got into the public domain. “Not only do they divulge secrets about operations, operating systems and previously unheard-of MI6 departments, but they could put lives at risk.” http://www.washingtonpost.com/wp-dyn/content/article/2008/09/30/AR2008093000994_pf.html

UPS AND DOWNS OF DISCOVERING ONLINE DATA (Law.com, 29 Sept 2008) - One unanticipated cost of e-business is the expense of responding to subpoenas and proceedings designed to compel companies to disclose confidential data in their possession, such as private consumer information or identifying information as to anonymous posters at company blogs, bulletin boards or Web sites. In such cases, the company is not the target of the legal proceedings by private litigants or government prosecutors but the conduit for the identification of, or evidence against, the target. Under such circumstances, a business faces a Hobson’s choice. It can disclose data it may have received in exchange for a promise to keep it private or a company may try to honor anonymity and, perhaps, individual First Amendment rights by refusing to respond to legal process. Either way, there is both expense and potential exposure to the company. Courts have increasingly established guidelines that may help businesses to determine their responsibilities under these circumstances. http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1202424836222&rss=newswire

MPAA SUES REALNETWORKS OVER REALDVD RIPPER (Extreme Tech, 30 Sept 2008) - Hollywood’s leading movie studios have sued RealNetworks over its RealDVD software, arguing that the software’s ability to copy DVDs to a hard disk violates the Digital Millennium Copyright Act. The suit asks for a temporary restraining order halting sales of the software, plus damages deriving from profits lost through the sales of the RealDVD software. The lawsuit, filed today in U.S. District Court in Los Angeles, asks for damages and injunctive relief against RealNetworks for violations of the DMCA’s circumvention provisions, as well as a breach of the contract accompanying the DVD’s copy protection license. “RealNetworks’ RealDVD should be called StealDVD,” said Greg Goeckner, executive vice president and general counsel for the Motion Picture Association of America (MPAA), in a statement. “RealNetworks knows its product violates the law and undermines the hard-won trust that has been growing between America’s movie makers and the technology community.” The MPAA’s membership includes Fox, Paramount, The Walt Disney Co., and Warner Bros. RealNetworks filed its own preemptive suit on Tuesday, arguing that its software was protected under the “fair use” statutes of U.S. copyright law. A source close to the MPAA dismissed Real’s suit as a “PR stunt” designed to facilitate piracy. http://news.yahoo.com/s/zd/20080930/tc_zd/232572

FORUM-SELECTION CLAUSE LOCATED ONLINE, INCORPORATED BY REFERENCE IS ENFORCEABLE (BNA’s Internet Law News, 2 Oct 2008) - BNA’s Electronic Commerce & Law Report reports that a federal court in Pennsylvania has ruled that terms of service posted online, incorporated by reference into an online services agreement, were not unconscionable and governed a dispute about the service. Magistrate Judge Lisa Pupo Lenihan explained that forum selection clauses are enforceable unless they are invalid under contract law theories, such as fraud or unconscionability. The case is Pentecostal Temple Church v. Streaming Faith.

SURVEILLANCE OF SKYPE MESSAGES FOUND IN CHINA (New York Times, 2 Oct 2008) - A group of Canadian human-rights activists and computer security researchers has discovered a huge surveillance system in China that monitors and archives certain Internet text conversations that include politically charged words. The system tracks text messages sent by customers of Tom-Skype, a joint venture between a Chinese wireless operator and eBay, the Web auctioneer that owns Skype, an online phone and text messaging service. The discovery draws more attention to the Chinese government’s Internet monitoring and filtering efforts, which created controversy this summer during the Beijing Olympics. Researchers in China have estimated that 30,000 or more “Internet police” monitor online traffic, Web sites and blogs for political and other offending content in what is called the Golden Shield Project or the Great Firewall of China. The activists, who are based at Citizen Lab, a research group that focuses on politics and the Internet at the University of Toronto, discovered the surveillance operation last month. They said a cluster of eight message-logging computers in China contained more than a million censored messages. They examined the text messages and reconstructed a list of restricted words. The list includes words related to the religious group Falun Gong, Taiwan independence and the Chinese Communist Party, according to the researchers. It includes not only words like democracy, but also earthquake and milk powder. (Chinese officials are facing criticism over the handling of earthquake relief and chemicals tainting milk powder.) The list also serves as a filter to restrict text conversations. The encrypted list of words inside the Tom-Skype software blocks the transmission of those words, and a copy of the message is sent to a server. The Chinese servers retained personal information about the customers who sent the messages. They also recorded chat conversations between Tom-Skype users and Skype users outside China. The system recorded text messages and Skype caller identification, but did not record the content of Skype voice calls. http://www.nytimes.com/2008/10/02/technology/internet/02skype.html?ref=business

MASSACHUSETTS ISSUES SWEEPING DATA SECURITY REGULATIONS, INCLUDING MANDATORY ENCRYPTION (Steptoe & Johnson’s E-Commerce Law Week, 2 Oct 2008) - Massachusetts has issued regulations requiring businesses that own or maintain personal information about state residents to implement comprehensive data security measures. These appear to be the broadest and most detailed data security prescriptions to be imposed at the state or federal level. The regulations also specifically require businesses and other entities, “to the extent technically feasible,” to encrypt “all transmitted records and files containing personal information that will travel across public networks” and “all data to be transmitted wirelessly.” The same entities must also encrypt “all personal information stored on laptops or other portable devices.” Massachusetts thus becomes the second state, after Nevada, to require the use of encryption, and adds to a growing international trend. The regulations will take effect January 1, 2009. http://www.steptoe.com/publications-5601.html Regulations here: http://www.mass.gov/?pageID=ocamodulechunk&L=1&L0=Home&sid=Eoca&b=terminalcontent&f=idtheft_201cmr17&csid=Eoca

NIST PUBLISHES SECURITY GUIDANCE FOR WIRELESS LINKS, INDUSTRIAL CONTROLS (GCN, 2 Oct 2008) - The National Institute of Standards and Technology has released three information security documents in its 800 series of special publications: two final guidelines on information security assessment and Bluetooth security, and a draft of guidelines for securing industrial control systems. SP 800-121, Guide to Bluetooth Security, has been finalized and describes the security capabilities of Bluetooth technologies and gives recommendations on securing them effectively. Bluetooth is an open standards protocol for personal area wireless networking commonly used to connect peripherals with desktop or handheld computing devices. Much of SP 800-121 originally was included in a draft of NIST’s SP 800-48 Revision 1, Wireless Network Security for IEEE 802.11a/b/g and Bluetooth. But because of comments received on that publication, the Bluetooth material has been placed in a separate publication. This document and SP 800-48 Revision 1, which was released in July, replace the original SP 800-48, which dates to 2002. SP 800-115, Technical Guide to Information Security Testing and Assessment, provides guidance for planning and conducting tests, analyzing findings and developing mitigation strategies for risks that are identified. The document gives an overview of key elements of security testing, with the benefits and limitations of different technical testing techniques and recommendations for their use. It replaces SP 800-42, Guidelines on Network Security Testing, which was released in 2003. For effective testing and assessment, NIST recommends that organizations:
* Establish an information security assessment policy to identify requirements for executing assessments and provide accountability. Topics to address include organizational requirements, roles and responsibilities, adherence to an established assessment methodology, assessment frequency and documentation requirements.
* Implement a repeatable and documented assessment methodology. This enables organizations to maximize the value of assessments while minimizing possible risks introduced by certain technical assessment techniques. Minimizing risk caused by assessment techniques requires skilled assessors, comprehensive assessment plans, logging assessor activities, performing testing off-hours and conducting tests on duplicates of production systems. Organizations need to determine the level of risk they are willing to accept for each assessment and tailor their approaches accordingly.
* Determine the objectives of each security assessment. Because no individual technique provides a comprehensive picture of an organization’s security when executed alone, organizations should use a combination of techniques. This also helps organizations to limit risk and resource usage.
* Analyze findings and develop risk mitigation techniques to address weaknesses. This includes conducting root cause analysis upon completion of an assessment to translate findings into actionable mitigation techniques.
A final draft of SP 800-82, Guide to Industrial Control Systems (ICS) Security, is being released for public comment. Its guidance includes recommendations for securing Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS) and other control system configurations such as Programmable Logic Controllers. http://www.gcn.com/online/vol1_no1/47273-1.html?topic=security Standards here: http://csrc.nist.gov/publications/nistpubs/800-121/SP800-121.pdf
http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf

**** NOTED PODCASTS ****
UNDERSTANDING PRIVACY (IT Conversations, 25 August 2008) – “Privacy is one of the most important concepts of our time, yet it is also one of the most elusive. As rapidly changing technology makes information increasingly available, scholars, activists, and policymakers have struggled to define privacy, with many conceding that the task is virtually impossible. Daniel J. Solove, author of the book Understanding Privacy, joins Phil, Scott, and Ben to give an overview of the difficulties involved in discussions of privacy. He reviews topics from his book and discusses a number of real-world examples on how individuals don’t even know what privacy they may be giving up.” 63 minutes; one star; provides an interesting framework for privacy analysis along four dimensions: Collection, Processing, Dissemination, and Invasion. http://itc.conversationsnetwork.org/shows/detail3805.html

SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, sans@sans.org.
4. NewsScan and Innovation, http://www.newsscan.com.
5. BNA’s Internet Law News, http://ecommercecenter.bna.com.
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
7. McGuire Wood’s Technology & Business Articles of Note, http://tinyurl.com/ywsusp
8. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
9. Eric Goldman’s Technology and Marketing Law Blog, http://blog.ericgoldman.org/.
10. Readers’ submissions, and the editor’s discoveries.

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.

1 comment:

Anonymous said...

I had the joy of watching one of my own clients get run through the wringer of an open source checker a few months ago when they were being purchased by a (much larger) software company. It was a fascinating exercise -- And I understand that in the scheme of things our guy's shop was ultimately considered to be very clean. I'd hate to go through that in a shop where the boss hadn't done a decent job of watching what his developers were up to -- You'd either have to make some big-time arguments about why the OS is not harmful to the buyer, or entertain spending many 10s of thousands of $$ cleaning up in a 'remediation' exercise.

(Keep in mind that if you're up against somebody who starts with the suggestion that OS needs to be checked as part of the due diligence, you've essentially already conceded that OS is toxic to the deal. Consider whether that idea should be put on the table well before the checking exercise begins; maybe even prior to the LOI stage.)