MIRLN (Misc. IT Related Legal News) is a free product for members of the American Bar Association’s Cyberspace Law Committee, et al., and is produced by KnowConnect PLLC.
Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions at http://www.abanet.org/dch/committee.cfm?com=CL320000 (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve). Others who wish to be added to the MIRLN distribution list should send email to Vince Polley (mailto:firstname.lastname@example.org?subject=MIRLN) with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line.
Recent MIRLN issues are archived at www.knowconnect.com/mirln.
**************End of Introductory Note***************
**** MEETINGS ****
ABA CYBERSPACE COMMITTEE WINTER WORKING MEETING - The Committee on Cyberspace Law invites you to join all of your fellow members for its annual Winter Working Meeting, January 30th through the 31st, 2009 on the campus of Santa Clara University in Santa Clara, California (just adjacent to San Jose). Don’t miss this great opportunity to exchange views, explore issues, identify emerging practices and interact with other Committee members. The “WWM” is meant just as much for persons new to the Committee as it is for those of long-standing membership, so please do not hesitate to join us if you are looking for a place and project to get involved with the Committee’s work! Information here: http://www.abanet.org/buslaw/committees/CL320000pub/meetings.shtml
**** NEWS ****
U.S. COURT RULES THAT HASHING = SEARCHING (Schneier on Security, 5 Nov 2008) - Really interesting post by Orin Kerr on whether, by taking hash values of someone’s hard drive, the police conducted a “search”: District Court Holds that Running Hash Values on Computer Is A Search: The case is United States v. Crist, 2008 WL 4682806 (M.D.Pa. October 22 2008) (Kane, C.J.). It’s a child pornography case involving a warrantless search that raises a very interesting and important question of first impression: Is running a hash a Fourth Amendment search? First, the facts. Crist is behind on his rent payments, and his landlord starts to evict him by hiring Sell to remove Crist’s belongings and throw them away. Sell comes across Crist’s computer, and he hands over the computer to his friend Hipple who he knows is looking for a computer. Hipple starts to look through the files, and he comes across child pornography: Hipple freaks out and calls the police. The police then conduct a warrantless forensic examination of the computer. In the forensic examination, Agent Buckwash used the following procedure. First, Agent Buckwash created an “MD5 hash value” of Crist’s hard drive. An MD5 hash value is a unique alphanumeric representation of the data, a sort of “fingerprint” or “digital DNA.” When creating the hash value, Agent Buckwash used a “software write protect” in order to ensure that “nothing can be written to that hard drive.” [Then] Agent Buckwash ran a “hash value and signature analysis on all of the files on the hard drive.” Supp. Tr. 89. In doing so, he was able to “[f]ingerprint” each file in the computer. Once he generated hash values of the files, he compared those hash values to the hash values of files that are known or suspected to contain child pornography. Agent Buckwash discovered five videos containing known child pornography.
The Court concluded that [running the file hash was a Fourth Amendment search], and that the evidence of child pornography discovered had to be suppressed. http://www.schneier.com/blog/archives/2008/11/us_court_rules.html
FOIA DOCS SHOW FEDS CAN LOJACK MOBILES WITHOUT TELCO HELP (ArsTechnica, 16 Nov 2008) - Courts in recent years have been raising the evidentiary bar law enforcement agents must meet in order to obtain historical cell phone records that reveal information about a target’s location. But documents obtained by civil liberties groups under a Freedom of Information Act request suggest that “triggerfish” technology can be used to pinpoint cell phones without involving cell phone providers at all. Triggerfish, also known as cell-site simulators or digital analyzers, are nothing new: the technology was used in the 1990s to hunt down renowned hacker Kevin Mitnick. By posing as a cell tower, triggerfish trick nearby cell phones into transmitting their serial numbers, phone numbers, and other data to law enforcement. Most previous descriptions of the technology, however, suggested that because of range limitations, triggerfish were only useful for zeroing in on a phone’s precise location once cooperative cell providers had given a general location. This summer, however, the American Civil Liberties Union and Electronic Frontier Foundation sued the Justice Department, seeking documents related to the FBI’s cell-phone tracking practices. Since August, they’ve received a stream of documents—the most recent batch on November 6—that were posted on the Internet last week. In a post on the progressive blog Daily Kos, ACLU spokesperson Rachel Myers drew attention to language in several of those documents implying that triggerfish have broader application than previously believed. 
As one of the documents intended to provide guidance for DOJ employees explains, triggerfish can be deployed “without the user knowing about it, and without involving the cell phone provider.” That may be significant because the legal rulings requiring law enforcement to meet a high “probable cause” standard before acquiring cell location records have, thus far, pertained to requests for information from providers, pursuant to statutes such as the Communications Assistance for Law Enforcement Act (CALEA) and the Stored Communications Act. The Justice Department’s electronic surveillance manual explicitly suggests that triggerfish may be used to avoid restrictions in statutes like CALEA that bar the use of pen register or trap-and-trace devices—which allow tracking of incoming and outgoing calls from a phone subject to much less stringent evidentiary standards—to gather location data. “By its very terms,” according to the manual, “this prohibition applies only to information collected by a provider and not to information collected directly by law enforcement authorities. Thus, CALEA does not bar the use of pen/trap orders to authorize the use of cell phone tracking devices used to locate targeted cell phones.” http://arstechnica.com/news.ars/post/20081116-foia-docs-show-feds-can-lojack-mobiles-without-telco-help.html
GARTNER: 85 PERCENT OF COMPANIES USING OPEN SOURCE (ZDNet, 17 Nov 2008) - Eighty-five percent of companies are already using open-source software, with most of the remaining 15 percent expecting to do so within the next year, according to analysts at Gartner. However, only 31 percent of companies surveyed by the analyst house had formal policies for evaluating and procuring open-source software (OSS). Gartner conducted its survey of 274 end-user organizations across the Asia/Pacific, Europe and North American markets in May and June, and announced the results on Monday. Respondents to the survey consistently pointed to cost as a prime motivator for their adoption of open source, with some also suggesting OSS provided some protection against single-vendor lock-in. Other reasons for adoption included fast time to market and the avoidance of complex procurement rules and procedures, Gartner said. However, according to Gartner, a lack of formal policies could open companies up to intellectual-property violations. The analyst house’s survey put governance issues at the top of the list for barriers to OSS adoption. http://news.zdnet.com/2424-9595_22-249842.html
DISTRICT COURT HALTS KEYLOGGER SPYWARE SALES (CNET, 17 Nov 2008) - A U.S. District Court has temporarily halted the sale of RemoteSpy keylogger spyware at the request of the Federal Trade Commission, which claims the software violates the FTC Act. The FTC filed a complaint (PDF) against Florida-based CyberSpy Software on November 5, alleging the company has violated the FTC Act by selling software that can be deployed remotely by someone other than the owner or authorized user of a computer, can be installed without the owner’s knowledge, and can be used to surreptitiously collect and disclose personal information. The FTC also claims CyberSpy unfairly collected and stored personal information gathered with RemoteSpy. In its complaint, the FTC asked the U.S. District Court for the Middle District of Florida, Orlando Division, to issue a temporary restraining order halting the sale of RemoteSpy while its case is pending, permanently ban the sale of RemoteSpy, and require CyberSpy to pay restitution for any injury to consumers resulting from its violations of the FTC Act. The court, in its temporary restraining order filed November 6 against CyberSpy, said there is a “substantial likelihood” that the FTC will be able to prove the spyware maker violated the FTC Act. http://news.cnet.com/8301-13578_3-10099123-38.html [Editor: EPIC was instrumental in the FTC’s decision to bring this case; see EPIC’s filing with the FTC here: http://epic.org/privacy/dv/spy_software.pdf]
RIAA WIN: TENNESSEE TO POLICE CAMPUS NETWORKS (CNET, 18 Nov 2008) - Tennessee has agreed to filter computer networks for unauthorized music downloads at the state’s colleges and universities. Tennessee Gov. Phil Bredesen signed into law a bill designed to thwart music piracy at the state’s campuses, the Recording Industry Association of America said on its Web site. The bill requires Tennessee public and private schools exercise “appropriate means” to ensure that campus computer networks aren’t being used to download copyright material via peer-to-peer file-sharing programs, the RIAA said. “Upon a proper analysis of the network,” the RIAA continued, “those institutions are required to implement technological support and develop and enforce a computer network usage policy to effectively limit the number of unauthorized transmissions of copyrighted works.” The Electronic Frontier Foundation, an Internet-user advocacy group, called the law “ridiculous,” and said the costs of enforcing it would top $9 million. “The entertainment industry lobby seems to be succeeding, bit-by-bit in persuading legislators to coerce universities into buying ‘infringement suppression’ technologies,” the EFF said in a blog post, adding that these technologies are expensive and “won’t stop file sharing on campus networks.” The RIAA said that a 2007 Student Monitor survey found that more than half of college students download music and movies illegally. http://news.cnet.com/8301-1023_3-10101840-93.html
NEW STUDY FINDS TIME SPENT ONLINE IMPORTANT FOR TEEN DEVELOPMENT (MacArthur Foundation, 18 Nov 2008) - The most extensive U.S. study on teens and their use of digital media finds that America’s youth are developing important social and technical skills online – often in ways adults do not understand or value. “It might surprise parents to learn that it is not a waste of time for their teens to hang out online,” said Mizuko Ito, University of California, Irvine researcher and the report’s lead author. “There are myths about kids spending time online – that it is dangerous or making them lazy. But we found that spending time online is essential for young people to pick up the social and technical skills they need to be competent citizens in the digital age.” The study was supported by the MacArthur Foundation’s $50-million digital media and learning initiative, which is exploring how digital media are changing how young people learn, play, socialize, and participate in civic life. Over three years, Ito’s team of 28 researchers interviewed over 800 young people and their parents, both one-on-one and in focus groups; spent more than 5,000 hours observing teens on sites such as MySpace, Facebook, YouTube, and other networked communities; and conducted diary studies to document how, and to what end, young people engage with digital media. The researchers identified two distinct categories of teen engagement with digital media: friendship-driven and interest-driven. While friendship-driven participation centered on “hanging out” with existing friends, interest-driven participation involved accessing online information and communities that may not be present in the teen’s local peer group. The study also finds that young people are learning basic social and technical skills through their use of digital media that they need to participate fully in contemporary society. 
The social worlds that youth are negotiating offer new dynamics, as online socializing is permanent and public, involves managing elaborate networks of friends and acquaintances, and is always on. http://www.macfound.org/site/apps/nlnet/content2.aspx?c=lkLXJ8MQKrH&b=2024163&content_id=%7B3A699BFD-3FA0-4793-8328-9E542E5280C9%7D&notoc=1 White paper here: http://digitalyouth.ischool.berkeley.edu/files/report/digitalyouth-WhitePaper.pdf New York Times story: http://www.nytimes.com/2008/11/20/us/20internet.html?_r=1&partner=rss&emc=rss
HOW MUCH DOES SPAM COST YOU? GOOGLE WILL CALCULATE (Computerworld, 19 Nov 2008) - How much is spam costing your company? Google Inc. unveiled a nifty little calculator on Wednesday to help you add it up. It’s part of a marketing campaign for Google Message Security, the online spam-filtering service based on the Postini technology Google acquired last year. “We know in these tougher economic times that companies are trying to figure out how they can save,” said Adam Dawes, a Google product manager. To figure out the cost of spam, you enter things like the number of workers at your company, how much you pay them and how much spam they have to deal with, and presto: Google figures out how many days (and dollars) in lost productivity this represents. Of course, it also tells you how long it would take for Google’s service to pay for itself at your shop. For companies doing their spam-fighting in-house, there’s also a “total cost of ownership” calculator to show how inexpensive Google thinks its service really is. Last year, Nucleus Research Inc. reported that spam costs U.S. companies $712 per employee each year. A $31,000-per-year employee spending 16 seconds each on 21 spam messages per day would cost about this much, according to Google’s calculator. That adds up to about $70 billion per year in lost productivity, Nucleus said. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9120872&source=NLT_SEC&nlid=38
MANY WORKING MILLENNIALS ARE UNAWARE OF OR IGNORING CORPORATE IT RULES (Computerworld, 19 Nov 2008) - More than half of the working millennials polled for an Accenture Ltd. study said that they were either unaware of their companies’ IT policies or unwilling to follow them. Accenture surveyed 400 members of the millennial generation - those aged 14 to 27 - to determine their technology needs and desires. Of the 169 college graduates who were working full- or part-time, 40% said that their employer has detailed policies on posting work or client information online. Of those, 6% said that they post such information despite rules prohibiting it. About 31% of working millennials said they are unaware whether their companies have policies prohibiting the posting of such information, and 17% said their employer has no such policy. Accenture noted that both working and student members of the millennial generation said that they expect to use their personal technology and mobile devices for work assignments. Many said that a company’s willingness to accommodate those desires is a key factor in accepting a job offer, Accenture noted. The large number of respondents who are either unaware of or unwilling to follow their companies’ IT policies has “profound implications,” noted Gary Curtis, Accenture’s chief technology strategist. Many of the working millennials listed several unsupported technologies that they use for job-related activities, such as mobile phones (39%), social networking sites (28%), instant messaging products (27%), open-source technology (19%) and online applications (12%), according to Accenture. In addition, many of those surveyed reported that they regularly download nonstandard technology from free public Web sites, like open-source communities and mashup and widget providers. 
Three quarters of those surveyed said that they have accessed online collaborative tools, and 71% said they have accessed online applications from free public Web sites when those technologies were not available at work, Accenture said. In almost every category of technology in the workplace, at least 20% of millennials said that products provided by their companies did not meet their needs. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9120871&source=NLT_AM&nlid=1
- and -
MOST EMPLOYERS RESTRICT STAFF TIME ON INTERNET, SAYS SURVEY (The Guardian, 2 Dec 2008) - Two-thirds of employers monitor staff use of the internet during working hours and block access to sites deemed irrelevant to the job, a survey of managers revealed yesterday. The Chartered Management Institute said the censoring of employees’ web browsing was an example of old-fashioned thinking in boardrooms where senior executives have not caught up with the business benefits of exploiting new technology. The institute interviewed 1,000 managers aged 35 and under, working in industry, commerce, local government and the police. Their most common complaint was that older bosses regarded the internet as “a massive timewaster”. Half said their organisations did not take up web-based technology until it was tried and tested, and 16% described their employers as “dinosaurs”. The survey found most young managers wanted to use the internet for research, professional development and other aspects of getting the job done. But employers treated it with suspicion. The survey found 65% of organisations monitored usage, rising to 86% in local government and 88% in the police. This led 65% of employers to block access to “inappropriate” sites, rising to 89% in local government and 90% in the utilities. Eighteen per cent of employers limited internet access to certain times of day, rising to 38% in the insurance industry. The survey, published in association with Ordnance Survey, found a generation gap in the use of internet technology. Jan Hutchinson, human resources director at Ordnance Survey, said: “The low-level adoption of new technology runs in tandem with employers’ belief that internet usage is a timewaster. The longer this situation is allowed to remain unchallenged, the greater the likelihood UK employers will fall behind their international competitors.” http://www.guardian.co.uk/technology/2008/dec/02/workplace-internet-monitoring-blocked-access
- and -
YOUNG WORKERS’ USE OF SOCIAL NETWORKING SITES CONCERNS IT STAFFS (SiliconValley.com, 4 Dec 2008) - Social-networking sites such as Facebook and MySpace are being targeted so often by cybercrooks and other mischief-makers that half of the information-technology specialists surveyed recently by Intel expressed concern about workers under 30, who disproportionately use such sites. Of the 200 corporate and government IT professionals in the United States and Canada who were surveyed, 13 percent said they regard so-called Generation Y employees as “a major security concern,” and 37 percent tagged them as “somewhat of a security concern.” The biggest worry they mentioned was the tendency of many Gen Yers to frequent social-networking sites like Facebook and MySpace. Among other problems, the IT executives said employees using such sites may download viruses that wind up on their employer’s computers or reveal information about themselves on the networking sites that compromises their employer’s business secrets. To prevent such problems, some companies, including Intel, ban their workers’ access to social networking sites. “Their wide-ranging use of the Internet can expose the company to malicious software attacks,” said Mike Ferron-Jones, who directs an Intel program that monitors new computing trends. “This is a big deal now, and it’s going to get bigger as more Gen Yers come into the workforce.” On the positive side, the IT executives noted that Gen Yers tend to be computer savvy and are brimming with new ideas, which are highly desirable corporate qualities. http://www.siliconvalley.com/news/ci_11138550?nclick_check=1
UNDER WORM ASSAULT, MILITARY BANS DISKS, USB DRIVES (Wired, 19 Nov 2008) - The Defense Department’s geeks are spooked by a rapidly spreading worm crawling across their networks. So they’ve suspended the use of so-called thumb drives, CDs, flash media cards, and all other removable data storage devices from their nets, to try to keep the worm from multiplying any further. The ban comes from the commander of U.S. Strategic Command, according to an internal Army e-mail. It applies to both the secret SIPR and unclassified NIPR nets. The suspension, which includes everything from external hard drives to “floppy disks,” is supposed to take effect “immediately.” Similar notices went out to the other military services. In some organizations, the ban would be only a minor inconvenience. But the military relies heavily on such drives to store information. Bandwidth is often scarce out in the field. Networks are often considered unreliable. Takeaway storage is used constantly as a substitute. The problem, according to a second Army e-mail, was prompted by a “virus called Agent.btz.” That’s a variation of the “SillyFDC” worm, which spreads by copying itself to thumb drives and the like. When that drive or disk is plugged into a second computer, the worm replicates itself again — this time on the PC. “From there, it automatically downloads code from another location. And that code could be pretty much anything,” says Ryan Olson, director of rapid response for the iDefense computer security firm. SillyFDC has been around, in various forms, since July 2005. Worms that use a similar method of infection go back even further — to the early ‘90s. “But at that time they relied on infecting floppy disks rather than USB drives,” Olson adds. Servicemembers are supposed to “cease usage of all USB storage media until the USB devices are properly scanned and determined to be free of malware,” one e-mail notes. 
Eventually, some government-approved drives will be allowed back under certain “mission-critical,” but unclassified, circumstances. “Personally owned or non-authorized devices” are “prohibited” from here on out. To make sure troops and military civilians are observing the suspension, government security teams “will be conducting daily scans and running custom scripts on NIPRNET and SIPRNET to ensure the commercial malware has not been introduced,” an e-mail says. “Any discovery of malware will result in the opening of a security incident report and will be referred to the appropriate security officer for action.” http://blog.wired.com/defense/2008/11/army-bans-usb-d.html NASA’s policy isn’t as strict: http://www.nextgov.com/nextgov/ng_20081124_5509.php
- and -
CLASSIFIED US SYSTEMS BREACHED: ATTACKS ON US WAR ZONE COMPUTERS PROMPTS SECURITY CRACKDOWN (SANS Newsbytes, 2 December 2008) - The Los Angeles Times is reporting that the US Department of Defense’s decision to ban the use of USB drives and other removable data storage devices was prompted by a significant attack on combat zone computers and the US Central Command that oversees Iraq and Afghanistan. The attack is believed to have originated in Russia. While no specific details about the attack were provided, it is known that at least one highly protected classified network was affected.
MICROSOFT LETS ZUNE MUSIC SUBSCRIBERS KEEP TUNES (AP, 20 Nov 2008) - Microsoft Corp. is giving an early holiday gift to people who pay for all-you-can-listen access to the Zune digital music store: 10 songs to keep each month, included in the $14.99 monthly subscription fee. The decision may appeal to people who have been reluctant to test out the subscription model, preferring to own their music instead of rent it. Microsoft’s Zune Pass, RealNetworks Inc.’s Rhapsody and others give users unlimited access to millions of songs in exchange for a monthly fee. But as soon as the user stops paying, the music stops playing unless he or she forks over extra money to buy each track. With the new Zune Pass perk, subscribers can use the Zune desktop software as usual to buy individual songs, and the service keeps track of how many free ones remain for the month. In most cases, the song will come in the MP3 format, which can be freely copied to multiple devices and computers. “I think the 10 free tracks is going to be a huge accelerant” to subscriber numbers, said Adam Sohn, Zune’s marketing director. “People will enjoy owning that music, and I think they’ll be more apt to transact more in the store.” The company did not disclose how many subscribers it has. http://www.myfoxchicago.com/myfox/pages/Business/Detail?contentId=7913207&version=1&locale=EN-US&layoutCode=TSTY&pageId=4.8.1
CANADIAN REGULATORS OK BELL CANADA’S P2P THROTTLING (PC Magazine, 20 Nov 2008) - Though U.S. regulators cracked down on Comcast several months ago for what they considered to be unreasonable network management practices, Canadian regulators this week found that similar practices employed by Bell Canada are perfectly acceptable. In April, the Canadian Association of Internet Providers (CAIP) filed a complaint with the Canadian Radio-television and Telecommunications Commission (CRTC) that asked CRTC to stop Bell Canada from throttling traffic generated by P2P file-sharing sites. Bell Canada admitted to using deep-packet inspection, a technique that allows for the detailed inspection of data as it travels across the Internet. ISPs can use it to filter out the illegal transfer of copyrighted material or harmful viruses and spam, but detractors argue that it can be used to block certain file-sharing applications. When network traffic is heavy, usually between 4:30pm and 2am on any given night, Bell Canada admitted to delaying traffic on file-sharing sites, a practice that did not raise any concerns at the CRTC. “CAIP has not demonstrated that Bell Canada’s methodology for determining congestion in the network is inappropriate,” according to the CRTC decision. http://www.pcmag.com/article2/0,2817,2335133,00.asp [Editor: see EPIC’s page on deep packet inspection: http://epic.org/privacy/dpi/]
EHARMONY TO OFFER SAME-SEX MATCHES AFTER NEW JERSEY SETTLEMENT (LA Times, 20 Nov 2008) - The Pasadena-based dating website, heavily promoted by Christian evangelical leaders when it was founded, has agreed in a civil rights settlement to give up its heterosexuals-only policy and offer same-sex matches. EHarmony - known for the mild-mannered television and radio advertisements by its founder, psychologist Neil Clark Warren - not only must implement the new policy by March 31 but also must give the first 10,000 same-sex registrants a free six-month subscription. The company said that Warren wasn’t giving interviews on the settlement. But attorney Theodore Olson, who issued a statement on EHarmony’s behalf, made clear that the company didn’t agree to offer gay matches willingly. “Even though we believed that the complaint resulted from an unfair characterization of our business,” Olson said, “we ultimately decided it was best to settle this case with the attorney general since litigation outcomes can be unpredictable.” The settlement, which didn’t find that EHarmony broke any laws, called for the company to either offer the gay matches on its current venue or create a new site for them. EHarmony has opted to create a site called Compatible Partners. http://www.latimes.com/business/la-fi-eharmony20-2008nov20,0,1772906.story
GOOGLE EMPOWERS USERS TO EDIT SEARCH RESULTS (AP, 20 Nov 2008) - If Google delivers useless search results, just erase them and you won’t see them again. That’s possible under a new system Google Inc. unveiled Thursday. Hoping to give its search engine a more personal touch, Google now lets users reshuffle results so their favorite Web sites get top billing and disliked destinations get discarded the next time they enter the same request. It marks the first time that the Internet’s most popular search engine has allowed its audience to alter the order of search results. Although the revisions won’t affect Google’s closely guarded formulas for ranking Web sites, the Mountain View-based company isn’t ruling out eventually tapping into collective wisdom of the crowds to tweak its Internet-searching algorithms. For now, Google simply wants to make specific sets of results more useful to each individual that comes to its search engine, said Marissa Mayer, who oversees the company’s search products. Users will have to have a personal login to take advantage of the editing feature. http://tech.yahoo.com/news/ap/20081121/ap_on_hi_te/tec_editing_google_1
BUSH’S EXIT TO PUT NEW E-RECORDS SYSTEM TO THE TEST (Computerworld, 21 Nov 2008) - For members of the Bush administration, Jan. 20, 2009, marks the end of a job. However, for the staff of the National Archives and Records Administration (NARA), it’s just the beginning of a project unprecedented in size and scope: sorting, indexing, preserving and ensuring access to all the records, both paper and electronic, created by the administration over the past eight years. In some ways, this is nothing new. Since 1978, when the Presidential Records Act was established, NARA has been tasked with taking custody of, controlling, preserving and providing access to all presidential and vice presidential records that have administrative, historical, informational or evidentiary value. The act requires that the day the president leaves office, presidential records become the legal responsibility of the archivist of the U.S. However, given the rise in electronic communications, the volume of electronic records has exploded. Consider that NARA received only a few hundred thousand e-mail messages from the first Bush presidency and 32 million from the Clinton White House, according to Ken Thibodeau, director of NARA’s Electronic Records Archives (ERA) Program, whose mission is to meet the many challenges stemming from increasing use of computers in government, including building a new archiving system, scheduled for completion in 2011. In comparison, it expects a whopping 140TB of data from the current Bush administration, more than 50 times what it received from the Clinton years. About 20TB of that is e-mail, Thibodeau says. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9120859&source=rss_news
MICROSOFT TO AID IN WAR ON TERROR, BUILDS SOFTWARE FOR DHS (ArsTechnica, 21 Nov 2008) - Microsoft and GIS vendor ESRI have announced that they are constructing a suite of collaboration tools for intelligence gathering and processing, intended for deployment at the Department of Homeland Security’s national fusion centers. The software is built on top of Microsoft’s SharePoint server platform and ESRI’s ArcGIS Advanced Enterprise server. The software will include a “situational awareness portal” with location-based RSS feeds and XML map overlay data. The information that is managed by the system will be made accessible to intelligence analysts through SharePoint. Microsoft says that the framework will be extensible and can be customized to meet additional, unforeseen needs. The bundle also includes terabytes of prerendered satellite imagery that can be used with mapping software. Microsoft plans to expand the scope of the system and use its components to provide a broader and more comprehensive technology solution for security applications. http://arstechnica.com/news.ars/post/20081121-microsoft-to-aid-in-war-on-terror-builds-software-for-dhs.html
NEW IPHONE APPS HELP DRIVERS BEAT SPEED TRAPS (New York Times, 21 Nov 2008) - Apple’s iPhone has been used for everything from following the 2008 election to deciding where to grab a bite on the go. Now, it’s helping lead-footed drivers avoid costly speeding tickets. NMobile and Trapster are two mobile applications that provide up-to-date, detailed maps of speed-enforcement zones with live police traps, speed cameras or red-light cameras. After launching, each application pulls up a map pinpointing the locations of speed traps within driving distance. An audio alert will sound as vehicles approach an area tagged as harboring a speed trap. Both applications rely on the wisdom of the crowds for their data. Users can report camera-rigged stop lights and areas heavily populated with radar-toting police officers through the application or on each company’s Web site. Eagle-eyed motorists using either application can also contribute information on the location of newly spotted speed traps from the road with a couple of taps on the iPhone. Then, using the iPhone’s GPS location detection, the applications warn drivers when they are approaching known or reported traps. http://bits.blogs.nytimes.com/2008/11/20/new-iphone-apps-help-drivers-beat-speed-traps/
ONLINE PUSH IN MINNESOTA (InsideHigherEd, 21 Nov 2008) - Minnesota Gov. Tim Pawlenty and leaders of the Minnesota State Colleges and Universities on Thursday announced a goal of shifting 25 percent of credits to online courses by 2015. In the last academic year, just over 9 percent of credits were delivered online. But about 66,000 credit students — or 26 percent of all credit students — took at least one online course. The plan includes a mix of incentives for students (such as a scholarship bonus) and improvements in student services for online courses. http://www.insidehighered.com/news/2008/11/21/qt
UK JUROR SHARES TRIAL DETAILS ON FACEBOOK (The Guardian, 24 Nov 2008) - A female juror was dismissed from a trial after posting details of the case on Facebook and asking friends whether they thought the defendants were guilty. The woman went against strict rules forbidding jurors from discussing cases with family and friends by posting details of the sexual assault and child abduction trial on the social networking site. http://www.guardian.co.uk/uk/2008/nov/24/ukcrime1
SYMANTEC: UNDERGROUND CYBERCRIME ECONOMY BOOMING (ArsTechnica, 25 Nov 2008) - The underground cybercrime economy is a self-sustaining market that is thriving despite the current economic downturn, according to security company Symantec. The company published an extensive 99-page whitepaper on its findings yesterday; it discusses activity on underground economy servers between July of 2007 and the end of June 2008. Symantec estimates that the total value of advertised goods in this economy added up to $276 million over the 12-month period. Credit card information was by far the most popular advertised and requested “product” during the study’s time period. Symantec notes that credit cards are popular due to the many different ways they can be obtained and used for fraud, and because it’s difficult for merchants to identify fraudulent transactions before a sale is completed. Bank account data was the second-most popular category of advertised goods; Symantec says this is popular because of the potential for high payouts and the speed at which money can be transferred. The company pointed out one example in which the balances of certain accounts were transferred online to “untraceable locations” less than 15 minutes after the information was obtained. Unsurprisingly, all of this information is obtained and distributed through the use of phishing services, keyloggers, bank exploits, and botnets. Symantec noted that botnets were one of the most expensive attack tools during the observation period, where their services went for an average of $225. Phishing scam hosting services were pretty affordable, with prices ranging from $2 to $80, and the average price of a keylogger was $23. However, bank vulnerabilities at financial websites were definitely the “highest-ranked,” with the services ranging from $100 to $2,999. Of course, this is also the highest risk, so it comes as no surprise that this method is expensive. 
http://arstechnica.com/news.ars/post/20081125-symantec-underground-cybercrime-economy-booming.html Symantec white paper here: http://www.symantec.com/business/theme.jsp?themeid=threatreport
REUTERS BAILS ON SECOND LIFE AFTER FIGURING OUT IT’S REALLY NOT THAT INTERESTING (TechDirt, 25 Nov 2008) - One of the sillier attempts by businesses to look cool by setting up shop in Second Life was that of Reuters, which assigned a reporter to hang out in the virtual world full-time and report on it as if it were any other economy. While we noted at the time there might be some interesting stories in Second Life, that seemed to be taking a back seat to the publicity value of the stunt. It was surprising to learn that the Reuters reporter was still there until recently, when he finally gave up the beat, calling it “about as fun as watching paint dry.” With 9 out of 10 efforts by businesses going into Second Life ending in failure, perhaps there wasn’t much for a business reporter to cover any longer. For what it’s worth, the reporter says Linden Labs should give up on the idea that Second Life is a business application - not because of its shaky in-game economics, or because there’s no value there for most businesses, but because of technical problems. http://techdirt.com/articles/20081125/0750352944.shtml
LAWYER AD RULES MAY BAR BLOGGING, LA. LAW FIRM SAYS IN SUIT AND BLOG (ABA Journal, 25 Nov 2008) – A law firm contends new Louisiana lawyer advertising rules slated to take effect in April will restrict its right to comment on Twitter, Facebook, online bulletin boards and blogs. The Wolfe Law Group filed a federal suit today challenging the rules, claiming they would subject each of the firm’s online posts to an evaluation and a $175 fee, according to a press release. The construction law firm says in the suit that its own blog may qualify for an exemption for law firm websites, but its comments on other blogs would not. The firm claims the rules would restrict its First Amendment right to speak freely about its trade. To make its point, the law firm has launched a blog called Blog No Evil: Blogging is Speaking. The suit also says the requirements for online ads would restrict the firm’s ability to advertise on Google and other online outfits that often limit size and character count of ads. “Businesses that do not advertise through online medias will be at a competitive disadvantage,” the suit says. The suit is the second that seeks to overturn the rules. Public Citizen and two personal injury lawyers have also challenged the rules as a First Amendment violation, the Associated Press reports. The lawyers say the new rules are considered the most restrictive in the nation, the New Orleans Times-Picayune reports. They bar lawyers from referring to “past successes” and from using nicknames or mottos that imply an ability to get results. They also ban client testimonials, actors’ endorsements and re-enactments. http://www.abajournal.com/weekly/la._lawyer_ad_rules_may_bar_blogging_law_firm_says_in_suit_and_blog; Complaint here: http://images.wolfelaw.com/files/complaint.pdf
GUILTY VERDICT IN CYBERBULLYING CASE PROVOKES MANY QUESTIONS OVER ONLINE IDENTITY (New York Times, 27 Nov 2008) - Is lying about one’s identity on the Internet now a crime? The verdict Wednesday in the MySpace cyberbullying case raised a variety of questions about the terms that users agree to when they log on to Web sites. The defendant in the case, a Missouri woman, was convicted by a federal jury in Los Angeles on three misdemeanor counts of computer fraud for having misrepresented herself on the popular social network MySpace. The woman, Lori Drew, posed as a teenage boy in using the account to send first friendly and then menacing messages to Megan Meier, 13, who killed herself shortly after receiving a message in October 2006 that said in part, “The world would be a better place without you.” MySpace’s terms of service require users to submit “truthful and accurate” registration information. Ms. Drew’s creation of a phony profile amounted to “unauthorized access” to the site, prosecutors said, a violation of the Computer Fraud and Abuse Act of 1986, which until now has been used almost exclusively to prosecute hacker crimes. While the Internet’s anonymity was used in this case as a cloak to bully Megan, other users say they have perfectly good reasons to construct false identities online, if only to help protect against the theft of personal information, for example. Andrew M. Grossman, senior legal policy analyst for the Heritage Foundation, said the possibility of being prosecuted for online misrepresentation, while remote, should worry users nonetheless. “If this verdict stands,” Mr. Grossman said, “it means that every site on the Internet gets to define the criminal law. That’s a radical change. 
What used to be small-stakes contracts become high-stakes criminal prohibitions.” http://www.nytimes.com/2008/11/28/us/28internet.html?_r=1&scp=1&sq=cyberbullying&st=cse [Editor: Eric Goldman has a thoughtful posting about this case and faulty factual underpinnings—e.g., the defendant did *NOT* accept the MySpace terms/conditions—here: http://blog.ericgoldman.org/archives/2008/11/lori_drew_guilt.htm]
IN LEAN TIMES, ONLINE COUPONS ARE CATCHING ON (New York Times, 27 Nov 2008) - On the Internet, nothing travels faster than a tip on how to score a bargain. Especially in an economic downturn. With online retail sales falling this month for the first time, Internet merchants are offering steep discounts to anyone willing to punch in a secret coupon code or visit a rebate site for a “referral” before loading up their virtual cart. Shoppers obsessed with finding these bargains share the latest intelligence on dozens of sites with quirky names like RetailMeNot.com, FatWallet.com and the Budget Fashionista. And more consumers than ever are scanning the listings before making a purchase at their favorite Web site. Some online shoppers are so good at this game that they almost never buy anything at full price, making them the digital era’s version of bargain hunters who used to spend hours clipping coupons to shrink their grocery bills. Tavon Ferguson, a 25-year-old graduate student in Atlanta, became obsessed with finding online deals last spring, while planning her July wedding. She scoured the Web for coupons and got free save-the-date cards, $8 bracelets for her bridesmaids and free shipping on flash-frozen steaks for the rehearsal dinner. In October, 27 million people visited a coupon site, according to comScore Media Metrix, up 33 percent from a year earlier. “Coupons had never been a big factor online the way they are offline. This is something new,” said Gian Fulgoni, chairman of comScore. “It’s taken pricing power away from the retailers and given it to the consumers, because the consumer is totally up to speed on what the prices are.” Retailers have mixed feelings about this shift. Generally, companies prefer limited discounts, e-mailed to a select group of customers or sent inside packages with a purchase. When the coupons get wider exposure, retailers lose control, potentially costing them more money than they expected. 
Two years ago, Sierra Trading Post, a site that sells overstock outdoor gear, sent a coupon code with 1,000 of its 50 million catalogs, expecting to generate $2,000 in sales. Instead, it led to $300,000 in sales after a customer posted it online. Some retailers try to battle the coupon sites. Harry & David, a seller of fruit baskets, threatened legal action against RetailMeNot.com this spring for publishing its discounts, prompting the coupon site to steer visitors to other gift-basket companies. William Ihle, a spokesman for Harry & David, said that all of its deals were available on its own site and the coupon sites “disingenuously mislead the consumer” by posting expired or unverified discounts. http://www.nytimes.com/2008/11/27/technology/internet/27coupon.html?partner=rss&emc=rss
BLACK FRIDAY TRAFFIC TAKES DOWN SEARS.COM (AP, 28 Nov 2008) - Sears.com was inaccessible to U.S. shoppers for two hours on Friday in what was the most notable Web hiccup of the holiday gift-buying season’s official start.
Other sites, including Amazon.com Inc., experienced minor slowdowns, according to Shawn White, director of external operations at Keynote Systems Inc., a San Mateo, Calif.-based research group. Starting a week and a half ago, Keynote began tracking the performance of about 30 big online retailers, logging the time it took to find a product and start checking out. Keynote’s list includes Wal-Mart Stores Inc., Macy’s Inc., Circuit City and others; the system takes measurements every 15 minutes from computers in 10 major U.S. cities. Sears Holdings Corp.’s site started to crawl at around 9:30 a.m. Eastern time on Friday, when loading a page on the site topped one minute. From about 10:30 to 12:30, Sears posted a message asking shoppers to try again in a few minutes.
White said Sears was among the retailers that stumbled last year on Black Friday.
But while Sears’ problems returned this year, others including Neiman Marcus and Buy.com Inc. seem to have resolved past issues. Amazon and Target Inc., which uses Amazon’s e-commerce technology, were slower Friday than in recent days, but not unbearably so, White said. At the slowest point, a transaction that took 25 seconds last week required about 40 seconds Friday morning. Kohl’s Corp. and Saks Inc. also had performance problems, according to Keynote data. White said he expects some sites will slow down or shut down on Monday, too, as workers, back in the office after the holiday weekend, start clicking. http://tech.yahoo.com/news/ap/20081128/ap_on_hi_te/tec_holiday_shopping_web_sites_1 [Editor: this kind of site-responsiveness-measurement technique is interesting.]
YOU’RE LEAVING A DIGITAL TRAIL (New York Times, 30 Nov 2008) – Harrison Brown, an 18-year-old freshman majoring in mathematics at M.I.T., didn’t need to do complex calculations to figure out he liked this deal: in exchange for letting researchers track his every move, he receives a free smartphone. Now, when he dials another student, researchers know. When he sends an e-mail or text message, they also know. When he listens to music, they know the song. Every moment he has his Windows Mobile smartphone with him, they know where he is, and who’s nearby. Mr. Brown and about 100 other students living in Random Hall at M.I.T. have agreed to swap their privacy for smartphones that generate digital trails to be beamed to a central computer. Beyond individual actions, the devices capture a moving picture of the dorm’s social network. The students’ data is but a bubble in a vast sea of digital information being recorded by an ever thicker web of sensors, from phones to GPS units to the tags in office ID badges, that capture our movements and interactions. Coupled with information already gathered from sources like Web surfing and credit cards, the data is the basis for an emerging field called collective intelligence. Propelled by new technologies and the Internet’s steady incursion into every nook and cranny of life, collective intelligence offers powerful capabilities, from improving the efficiency of advertising to giving community groups new ways to organize. Collective intelligence could make it possible for insurance companies, for example, to use behavioral data to covertly identify people suffering from a particular disease and deny them insurance coverage. Similarly, the government or law enforcement agencies could identify members of a protest group by tracking social networks revealed by the new technology. 
“There are so many uses for this technology — from marketing to war fighting — that I can’t imagine it not pervading our lives in just the next few years,” says Steve Steinberg, a computer scientist who works for an investment firm in New York. In 2006, Sense Networks, based in New York, proved that there was a wealth of useful information hidden in a digital archive of GPS data generated by tens of thousands of taxi rides in San Francisco. It could see, for example, that people who worked in the city’s financial district would tend to go to work early when the market was booming, but later when it was down. It also noticed that middle-income people — as determined by ZIP code data — tended to order cabs more often just before market downturns. Sense has developed two applications, one for consumers to use on smartphones like the BlackBerry and the iPhone, and the other for companies interested in forecasting social trends and financial behavior. The consumer application, Citysense, identifies entertainment hot spots in a city. It connects information from Yelp and Google about nightclubs and music clubs with data generated by tracking locations of anonymous cellphone users. The second application, Macrosense, is intended to give businesses insight into human activities. It uses a vast database that merges GPS, Wi-Fi positioning, cell-tower triangulation, radio frequency identification chips and other sensors. “There is a whole new set of metrics that no one has ever measured,” said Greg Skibiski, chief executive of Sense. “We were able to look at people moving around stores” and other locations. Such travel patterns, coupled with data on incomes, can give retailers early insights into sales levels and who is shopping at competitors’ stores. The [MIT] Media Lab researchers have worked with Hitachi Data Systems, the Japanese technology company, to use some of the lab’s technologies to improve businesses’ efficiency. 
For example, by equipping employees with sensor badges that generate the same kinds of data provided by the students’ smartphones, the researchers determined that face-to-face communication was far more important to an organization’s work than was generally believed. Productivity improved 30 percent with an incremental increase in face-to-face communication, Dr. Pentland said. The results were so promising that Hitachi has established a consulting business that overhauls organizations via the researchers’ techniques. Dr. Pentland calls his research “reality mining” to differentiate it from an earlier generation of data mining conducted through more traditional methods. http://www.nytimes.com/2008/11/30/business/30privacy.html?scp=1&sq=youre%20leaving%20a%20digital%20trail&st=cse
OBAMA TEAM CHANGES CHANGE.GOV COPYRIGHT POLICY (CNET, 1 Dec 2008) - President-elect Barack Obama’s transition team has licensed the site Change.gov under the Creative Commons Attribution 3.0 License, giving visitors more freedom to use content from the site. Change.gov was previously copyrighted under an “All Rights Reserved” notice. Stanford Law Professor Larry Lessig, who noted the change on his blog Monday, called the move “consistent with (Obama’s) values of any ‘open government’ and with his strong leadership on ‘free debates.’” The license under which the site is copyrighted allows visitors to copy, distribute, display, and perform material from the site, as well as to remix it, as long as the work is attributed to its source. The site says the transition team has adopted “a policy of terminating, in appropriate circumstances and at our sole discretion, subscribers or account holders who are deemed to be repeat infringers.” http://news.cnet.com/8301-13578_3-10110822-38.html
MASSACHUSETTS EXTENDS DEADLINE FOR COMPLIANCE WITH NEW PRIVACY AND SECURITY REGULATIONS (Wilmer Hale, 2 Dec 2008) - The Massachusetts Department of Consumer Affairs and Business Regulation (OCABR) extended the compliance deadline for its recently adopted regulations establishing rigorous standards for safeguarding personal information, 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth, “in light of intervening economic circumstances [and] the financial challenges brought on by national and international economic conditions.” This extension parallels the Federal Trade Commission’s extension of the compliance deadline for its Red Flags Rule for certain financial institutions. Among other things, the Massachusetts regulations require businesses handling personal information about Massachusetts residents to encrypt documents sent over the Internet, saved on laptops or other portable devices, or wirelessly transmitted. The regulations also require companies to adopt contractual provisions requiring third-party service providers to protect personal information, and to obtain certification that third-party service providers are in compliance with the Massachusetts regulations. The regulations were initially set to become effective on January 1, 2009. OCABR extended until May 1, 2009: (1) the general compliance deadline, (2) the deadline for requiring encryption of laptops, and (3) the deadline for ensuring that third-party service providers are capable of protecting personal information and contractually requiring them to do so. The agency further extended until January 1, 2010, the deadline for requiring third-party service providers to certify that they are in compliance with the Massachusetts regulations and for ensuring encryption of other portable devices, such as memory sticks, DVDs and PDAs. http://wilmerhaleupdates.com/ve/ZZ780028VMM61E6927t
THINGS YOU SHOULD NEVER PUT IN AN E-MAIL (ABA Journal, 3 Dec 2008) - Over at the Wichita Eagle blog What the Judge Ate for Breakfast, there’s a caution about e-mail during office hours on office computers. Courts reporter Ron Sylvester quips, “My wife says you should never put anything in a company e-mail that you don’t want to be shown to 12 strangers on a big movie screen.” His wife’s an employment lawyer, so she should know. The post notes that lawyers are increasingly searching company e-mail and files during e-discovery. So what are they looking for? Roger Matus, over at the blog Death by E-mail, reproduces a top 10 list. Here are a few that will likely raise red flags for e-discovery sleuths:
• “Delete this email immediately.”
• “I really shouldn’t put this in writing.”
• “We’re going to do this differently than normal.”
• “I don’t want to discuss this in e-mail. Please give me a call.”
• “Don’t ask. You don’t want to know.”
Matus then advises, “If you find yourself typing one of these phrases, perhaps you should delete the entire e-mail.” http://www.abajournal.com/weekly/things_you_should_never_put_in_an_e-mail
SEARCH ENGINES LEARN TO TANGO (Steptoe & Johnson’s E-Commerce Law Week, 4 Dec 2008) - Not so long ago, search engines put up a big fight against efforts to censor their search results. But it has gradually become clearer that even search engines must - and can - comply with different jurisdictions’ laws or court orders restricting certain content, whether that content is allegedly defamatory, invasive of privacy, politically subversive, or in some other way offensive or illegal under local law. Most of the attention has been on China and other “Internet restricting” regimes’ efforts to censor search results. But China is hardly alone in its effort to enforce its rules in cyberspace. Now comes Argentina, which appears to have forced Google and Yahoo! to learn to dance to yet another rhythm. According to news reports, Argentinean judges have served both companies with temporary restraining orders barring the Argentinean versions of their websites from displaying search results for certain keywords related to famous individuals. These individuals - who reportedly include former footballer Diego Maradona, fashion models, public officials, and actors - alleged that searches for their names and related terms contained links to websites that defamed them or otherwise caused them harm, and requested that the search engines refrain from displaying these results. The search engines have reportedly been unsuccessful in appealing the restraining orders so far, and are complying with the orders while the underlying litigation continues. Whether they will succeed in escaping the grasp of this latest would-be dance partner remains to be seen. http://www.steptoe.com/publications-5750.html
WHAT CONSTITUTES “REASONABLE” DATA SECURITY? WELL, SINCE YOU ASKED... (Steptoe & Johnson’s E-Commerce Law Week, 4 Dec 2008) - Three more authorities have weighed in on what constitutes “reasonable” data security. In a “Business Privacy Guide,” the New York State Consumer Protection Board recently advised companies to include “reasonable” safeguards for personal information - including the use of encryption - in their written policies for protecting the personal information of employees and customers. North of the border, the Canadian Privacy Commissioner has released a Privacy Breach Handbook that lays out steps for responding to a data breach and notes that organizations must “protect personal information with safeguards appropriate to its sensitivity.” Meanwhile, the California Office of Information Security and Privacy Protection has released a Management Memo reminding California agencies of their duty to use encryption and other means to protect personal information. While none of these sources offers anything radically new, they add three new tiles to the emerging mosaic of what constitutes “reasonable” security measures for personal information and other sensitive data. http://www.steptoe.com/publications-5750.html
**** RESOURCES ****
NEW YORK TIMES SEARCHABLE OBAMA APPOINTMENTS TOOL - As he prepares to take office, President-elect Barack Obama is relying on a small team of advisers who will lead his transition operation and help choose the members of a new Obama administration. Below is a series of profiles of potential members of the administration. http://topics.nytimes.com:80/top/news/us/series/the_new_team/index.html
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu.
2. Edupage, http://www.educause.edu/pub/edupage/edupage.html.
3. SANS Newsbites, email@example.com.
4. NewsScan and Innovation, http://www.newsscan.com.
5. BNA’s Internet Law News, http://ecommercecenter.bna.com.
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html.
7. McGuire Wood’s Technology & Business Articles of Note, http://tinyurl.com/ywsusp
8. Steptoe & Johnson’s E-Commerce Law Week, www.steptoe.com
9. Eric Goldman’s Technology and Marketing Law Blog, http://blog.ericgoldman.org/.
10. Readers’ submissions, and the editor’s discoveries.
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: E-mail addresses of individuals who subscribe to this periodic e-newsletter by sending email to Vince Polley with “MIRLN” in the subject line are kept by Vince Polley; this listing will not be provided to any other persons.