September 12th, 2008 by dm Email, Law & Policy, Spam 2 Comments

This just in, from the Washington Post.

"The Virginia Supreme Court today invalidated the state’s "anti-spam" law, designed to prevent the sending of masses of unwanted e-mail, by saying the law broadly violated the First Amendment right to freedom of speech, in particular anonymous speech."

The Virginia spam law makes it a misdemeanor to send unsolicited bulk e-mail using false transmission information, such as a forged domain name or Internet Protocol (IP) address. The domain name is the part of an e-mail address after the "@" sign; the IP address is the dotted series of numbers that identifies the sending mail server on the network (it is assigned to a host, not to an individual e-mail account). The crime becomes a felony if more than 10,000 recipients are mailed in a 24-hour period.

Justice Agee, writing for the court, held that the only way to engage in anonymous protected speech by e-mail would be to falsify IP address or domain name information, and because such an act is prohibited by the Virginia spam law, the law must be struck down.

August 1st, 2008 by dm Government, risks none Comments

From the Washington Post:

Federal agents may take a traveler’s laptop or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies the Department of Homeland Security recently disclosed.

Also, officials may share copies of the laptop’s contents with other agencies and private entities for language translation, data decryption or other reasons, according to the policies, dated July 16 and issued by two DHS agencies, U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement.

[...]

The policies cover "any device capable of storing information in digital or analog form," including hard drives, flash drives, cell phones, iPods, pagers, beepers, and video and audio tapes. They also cover "all papers and other written documentation," including books, pamphlets and "written materials commonly referred to as ‘pocket trash’ or ‘pocket litter.’ "

We have known for some time that border agents have the authority to search a laptop without probable cause as part of a routine border inspection. But detention for an unspecified period, without any suspicion or probable cause, may raise some eyebrows, especially among business travelers, who often carry not only a laptop full of confidential company information but also flash drives (encrypted or otherwise), cell phones and Blackberries (often holding sensitive information), or even sensitive company plans printed on paper. Note that the policy explicitly contemplates sharing copies of a device with outside parties for "data decryption," so an encrypted drive may be copied and held for decryption attempts rather than simply returned.

Attorneys who travel internationally are also concerned by the new policy: confidential and sensitive client information is often stored on mobile devices, and the detention, discovery and sharing of such information may have devastating consequences for a client’s case or for the confidentiality of that information.

July 9th, 2008 by dm Breaches, Vulnerabilities 1 Comments

We have written in the past about the dangers of file sharing, not so much from the copyright-enforcement standpoint (although those dangers are real) as from the risk that file-sharing software "incidentally" shares files located on the networked computer. A high-profile data breach from the Washington, DC area confirms the danger. In this case, investment and personal information of prominent Washington figures, including a Supreme Court justice, was shared with anybody in the world.

From the article which appeared this morning in the Washington Post:

Sometime late last year, an employee of a McLean investment firm decided to trade some music, or maybe a movie, with like-minded users of the online file-sharing network LimeWire while using a company computer. In doing so, he inadvertently opened the private files of his firm, Wagner Resource Group, to the public.

That exposed the names, dates of birth and Social Security numbers of about 2,000 of the firm’s clients, including a number of high-powered lawyers and Supreme Court Justice Stephen G. Breyer.

It is difficult to protect against this type of breach because it stems from human error. Many companies have IT policies that prohibit file-sharing software, and many IT departments manage to block "some" of the P2P traffic, but a block on the default ports catches only clients left on their defaults and says nothing about which files a client has already exposed. There will always be some users who download, install, and run file-sharing software on company hardware holding sensitive information without much regard for the consequences, so the practical controls sit on the endpoint: deny users the ability to install software, inventory what is actually installed, and watch outbound traffic for P2P behaviour rather than relying on port blocks alone.
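To show why a port block alone catches only "some" of this traffic, here is an added example (not code from the original post) that runs three detection rules over a constructed outbound-connection log: the Gnutella default ports that LimeWire listens on, the Gnutella handshake and LimeWire User-Agent strings a proxy would see in the payload, and a behavioural fan-out rule for a host that talks to many distinct external peers. The log format, every host and address, and the fan-out threshold are assumptions made for the example.

```python
"""Spotting a P2P file-sharing client in outbound connection logs.

Added example; not from the original post. The log format (timestamp,
source, destination, destination port, protocol, payload excerpt as a proxy
would record it) and every host in it are constructed for illustration.
"""
from collections import defaultdict

GNUTELLA_PORTS = {6346, 6347}                     # Gnutella default listening ports
P2P_MARKERS = ("GNUTELLA CONNECT/", "LimeWire/")  # handshake line and client User-Agent
FANOUT_THRESHOLD = 20                             # assumed: distinct peers per host per window

LOG_LINES = [
    # host .30: LimeWire left on its defaults, visible to both port and content rules
    "2008-07-09T08:01:02 10.1.2.30 203.0.113.5 6346 tcp GNUTELLA CONNECT/0.6",
    "2008-07-09T08:01:03 10.1.2.30 198.51.100.9 8080 tcp User-Agent: LimeWire/4.18.8",
    # host .31: ordinary web browsing
    "2008-07-09T08:01:04 10.1.2.31 192.0.2.10 443 tcp -",
    "2008-07-09T08:01:05 10.1.2.31 192.0.2.11 80 tcp User-Agent: Mozilla/5.0",
] + [
    # host .32: a client moved off the default ports and not passing through the
    # proxy, so neither the port rule nor the content rule ever fires
    f"2008-07-09T08:02:{i:02d} 10.1.2.32 203.0.113.{i} {40000 + i} tcp -"
    for i in range(1, 26)
]


def parse(line: str) -> dict:
    """Split one constructed log line into its fields (payload may contain spaces)."""
    ts, src, dst, dport, proto, payload = line.split(" ", 5)
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "payload": payload}


def port_only(lines) -> set:
    """What a firewall rule on the default ports alone would catch."""
    return {r["src"] for r in map(parse, lines) if r["dport"] in GNUTELLA_PORTS}


def detect(lines) -> dict:
    """Map source host -> sorted list of reasons it looks like a P2P client."""
    reasons = defaultdict(set)
    peers = defaultdict(set)
    for r in map(parse, lines):
        if r["dport"] in GNUTELLA_PORTS:
            reasons[r["src"]].add("default Gnutella port")
        if any(m in r["payload"] for m in P2P_MARKERS):
            reasons[r["src"]].add("P2P handshake/user-agent")
        peers[r["src"]].add(r["dst"])
    # Behavioural signal: a workstation talking to many distinct peers at once
    for src, dsts in peers.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            reasons[src].add(f"fan-out to {len(dsts)} distinct peers")
    return {src: sorted(rs) for src, rs in reasons.items()}


if __name__ == "__main__":
    print("port rule alone:", sorted(port_only(LOG_LINES)))
    for host, why in sorted(detect(LOG_LINES).items()):
        print(host, "->", "; ".join(why))
```

The port rule flags only host .30; the fan-out rule is what surfaces host .32, which is exactly the client a port block misses. In practice the threshold has to be tuned against normal traffic for the network, and even a hit only tells you a client is running, not which files it has already shared.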

May 19th, 2008 by James Paulick Copyright none Comments

This article is related to a prior post, found here: Courts split

 
In another blow to the recording industry, a federal district judge in the District of Minnesota, in Capitol Records, Inc. v. Jammie Thomas, has granted a new trial in a copyright infringement case, stating that his jury instruction was in error when it said: “The act of making copyrighted sound recordings available for electronic distribution on a peer to peer network, without license from the copyright owners, violates the copyright owners’ exclusive right of distribution, regardless of whether actual distribution has been shown.”


In his brief order in Capitol Records, the judge stated that his decision to grant a new trial rested on the fact that both parties had failed to cite a controlling Eighth Circuit case holding that "…infringement of the distribution right requires an actual dissemination of either copies or phonorecords." National Car Rental System, Inc. v. Computer Associates Int’l, Inc., 991 F.2d 426, 434 (8th Cir. 1993).


This order for a new trial is in agreement with the recent decision in London-Sire Records, Inc. v. Doe, a District of Massachusetts case in the First Circuit, which denied a subpoena to identify Doe because the recording company had failed to state a claim of copyright infringement absent evidence of an actual distribution or download.


The new-trial decision, however, is contrary to Elektra v. Barker in the Southern District of New York, where the judge held that “making available” is enough to state a claim of copyright infringement. Elektra was decided in the Second Circuit.
 

So far the Supreme Court has not ruled on the finely pointed question of whether “making a copyrighted song available for download” infringes a copyright owner’s exclusive right of distribution.


It remains to be seen how much attention these recent decisions get in the other Circuits as the onslaught of recording-industry cases funnels through the District Courts.

May 13th, 2008 by dm Email, Spam none Comments

Yesterday, May 12th, the Federal Trade Commission (FTC) released a new rule under the CAN-SPAM Act. The new rule clarifies some of the requirements CAN-SPAM imposes on senders of bulk commercial email.

  • First, a sender cannot require an e-mail recipient to pay a fee, supply any information other than an e-mail address and opt-out preference, or take any step other than sending a reply e-mail or visiting a single web page in order to opt out. From personal experience, many commercial websites add you to their mailing list automatically when you purchase something from them. That is fine; however, if you want to unsubscribe, you often have to click a link in the email, go to a web page, enter your account information (or, if you have no account, your order number), find where the email-preferences menu is hidden, and finally fill out a couple of forms to submit an opt-out request. Under the new rule that is no longer permitted: opting out may take no more than a reply e-mail or a visit to a single web page.
  • The definition of “sender” has been changed to make it easier  to determine which of multiple entities advertising in a single E-mail  message is responsible for complying with the Act’s opt-out requirements;
  • A “sender” of commercial e-mail can include an accurately-registered post office box or private mailbox established under United States Postal Service regulations to satisfy the Act’s requirement  that a commercial e-mail display a “valid physical postal address.” 

The changes are small tweaks, but helpful ones for Internet users. Kudos to the FTC for staying on top of CAN-SPAM and making it a more effective and user-friendly regulation. It is unfortunate, however, that it takes so long to implement some of the more obvious changes.

April 30th, 2008 by dm 1030, Breaches, Forensics, Hacking, cfaa none Comments

A decision from the U.S. District Court for the Northern District of California held that the costs of tracking down and discovering the identity of the person who stole proprietary information from a company do constitute "loss" for the purpose of calculating damages under the Computer Fraud and Abuse Act (CFAA).

The dispute was between a company and its competitor. Plaintiff alleged that the defendant competitor accessed restricted parts of plaintiff’s computer system to, among other things, create a disparaging PowerPoint slide show. Plaintiff based its claim on the CFAA, which prohibits unauthorized access to a protected computer and allows any person who suffers damage or loss in excess of $5,000 from such a violation to maintain a civil action.

Plaintiff relied on the CFAA’s $5,000 threshold by arguing that the costs of identifying the competitor as the party that broke into its systems should count toward that threshold. Defendant disagreed and moved for summary judgment in reliance on Tyco Int’l v. Does, which holds that the CFAA allows recovery for losses beyond mere physical damage to property, but that the additional types of damages have generally been limited to the costs of assessing the damage caused to the system or of re-securing the system after the attack.

The court distinguished Tyco on its facts and held that the costs of "responding to [the] offense" include the costs, as in this case, of determining that defendant was one of the hackers who accessed the computer system without authorization. For incident responders the practical lesson is to document the hours and outside invoices spent identifying the intruder, since under this reading they count toward the $5,000 threshold.

 

April 27th, 2008 by James Paulick Copyright 1 Comments

A recent pair of federal district court decisions is split on whether making copyrighted songs available for download violates the copyright owner’s rights under 17 U.S.C.A. Sec. 106 even when there is no proof that the works were ever downloaded. An original article on this news is here: http://news.lp.findlaw.com/ap/high_tech/1700//04-04-2008/20080404145001_26.html. The two cases are Elektra Entertainment Group, Inc. v. Barker and London-Sire Records, Inc. v. Doe.
These two cases are virtually identical in their facts. In each case the defendants had copyrighted songs on their hard drives that were made available to anyone on the Internet via peer-to-peer software, a common scenario among mp3 owners. In the past decade, record companies have filed an enormous number of complaints against individuals who distribute their copyrighted works, and in many of these cases the record companies prevail, either through out-of-court settlements or on the merits. What is interesting in these two cases, however, is that there was no proof that the songs were ever downloaded. The record companies were therefore arguing that merely making the songs available through peer-to-peer software violates copyright law.
The crux of the issue in both cases came down to the statutory interpretation of "distribution" in 17 U.S.C.A. Sec. 106(3). Sec. 106 states:

"The owner of copyright under this title has the exclusive rights to do and to authorize any of the following: (sec 3) to distribute copies or phonorecords of the work to the public by sale or other transfer of ownership, or by rental, lease, or lending;"

In both cases, the record companies argued that publication and distribution are synonymous. There is a lengthy discussion, which I will avoid, of how each judge reached a different result based on Supreme Court cases interpreting the terms "publication" and "distribution". The bottom line is that the Elektra court treated publication as equivalent to distribution and the London-Sire court did not, producing practically diametrically opposed decisions: Elektra held that making a work available for download is distribution for purposes of Sec. 106(3), while London-Sire held that merely making a song available is not enough.
This split is important because it comes down to how much proof the record companies must gather before they have a prima facie case of copyright violation. It is also important for the millions of people on peer-to-peer networks sharing songs. As both courts acknowledged, many people have validly purchased copyrighted songs and unknowingly offer them on the Internet through peer-to-peer software. Is it really fair to go after these people if you cannot show active participation in a distribution? Furthermore, is it fair to go after someone when there is no proof that they know they are offering the copyrighted song and absolutely no proof that the song was ever downloaded by a third party? Either way, it is an interesting battle of statutory interpretation among the federal courts that could have important implications in the ever-present wrangling over mp3s and copyright violations.

April 25th, 2008 by dm Breaches, Forensics none Comments

Data breaches happen every day and, unfortunately, we are so used to hearing about the latest one that it no longer makes an interesting report. Most businesses of any significance will, sooner or later, become the victim of some sort of breach. So the question is not whether you will suffer a data breach, but how you will respond when it happens.

The Wall Street Journal Business Technology Blog (WSJ) writes about the University of Miami’s (UM) response to its recent breach, in which thieves stole backup tapes containing two million of the University’s medical records out of the back of a van last month. WSJ notes that although the breach is nothing to be proud of, the University of Miami’s response is pretty impressive.

What made UM’s response so good? The university provided a detailed but clear account of exactly what happened and why the breach poses a low risk. UM hired outside consultants to test the stolen tapes and determine how likely it was that anyone could successfully access the data. After the consultants reported that the likelihood was low, UM released its notification with a clear, common-sense explanation. The order matters: the technical assessment came first, and the notification was written around its result rather than the other way around.

Hopefully this practice will become the model for responding to security breaches.

We have written in the past about the freedom of border agents to search laptops at the border crossing points.

A new opinion (PDF) in United States v. Arnold, issued by the Ninth Circuit Court of Appeals on April 21, 2008, confirms this trend by holding that customs officers may examine the electronic contents of a passenger’s laptop without reasonable suspicion.

The Facts. Arnold, a 43-year-old, arrived at Los Angeles International Airport from the Philippines. At Customs he was selected for secondary inspection, where an officer asked him to turn on his laptop to determine whether it was functioning. Once the computer booted, the desktop showed folders named "Kodak Pictures" and "Kodak Memories." The agents opened the folders and noticed pictures of nude women. They then questioned Arnold about his computer and his trip and, on reviewing the images, identified several which they believed to be child pornography.

The Opinion. After the district court granted Arnold’s motion to suppress the evidence, the Ninth Circuit reversed. It relied on Supreme Court precedent holding that the right of the United States to protect its border is paramount, though not unlimited: the two recognized limits on border searches conducted without reasonable suspicion are searches that cause "exceptional damage to property" and searches conducted in a "particularly offensive manner." The Ninth Circuit held that the record supported neither exception and that the search was therefore proper.

March 27th, 2008 by dm Breaches, Email, Vulnerabilities 1 Comments

Many emails happily reach their final, intended destination. But some emails arrive where they were never meant to go. Two recent stories suggest not only that people should be careful about what the "TO:" field of their email says, but also that they should use some common sense.

The first story is about the "donotreply.com" domain, whose owner says he receives millions of unintended emails each week, many containing substantially sensitive information. Many senders of bulk email do not want each recipient to be able to hit ‘Reply’ and send a return message. As a result, they simply type something intended to remind the recipient not to email back, for example "please@donotreply.com." However, some people do reply, and according to the owner of the donotreply.com domain, some of those wayward emails are very sensitive. For example, a bank sent to a donotreply.com address a PDF listing every computer within the bank that was not properly patched with up-to-date security settings. The root cause is using a domain you do not control as a reply address; a "noreply" mailbox on the sender’s own domain would have kept those replies in-house.

The second story is about a website promoting Mildenhall, a small town in Suffolk, UK, which owned the domain www.mildenhall.com. However, Mildenhall also hosts a U.S. Air Force base with 2,500 servicemen and women. As a result, mildenhall.com started receiving hundreds of emails intended for US Air Force personnel at Mildenhall, among them future flight paths for Air Force One. The domain’s owner tried to warn the US base, but the emails kept coming. Finally, the domain owner decided to shut down the site to avoid confusion and the leak of potentially sensitive information.

These two stories highlight some of the biggest problems with email as a tool for communicating sensitive, unencrypted information. The first is the practice of domain owners turning on a "catch-all" setting, whereby all mail directed to a domain, even to an address that does not exist, is accepted and treated as received rather than bounced as undeliverable; a misaddressed message therefore produces no error for the sender to notice. The second is the casual approach to email. There are plenty of stories of major litigation blunders, competitive information disclosures, or simply embarrassing personal messages sent to the wrong party and subsequently leaked to the world. Email users, especially those handling sensitive information, should make a habit, if not a procedure, of checking every outgoing message for the accuracy of its recipients, at the very least.

Finally, sending sensitive information by email without encryption is troubling. What the appropriate threshold for encrypting email should be depends on the organization and the documents being transmitted, but the senders of the list of vulnerable PCs on the bank’s network and of the flight path of Air Force One should have known better than to send them in the clear.
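The recipient check suggested above can be automated at the outbound mail gateway. The following is an added example, not code from the original post, that parses a message’s headers with Python’s standard library and flags the two failure modes in the stories: a "do not reply" placeholder address at a domain the sender does not own (the donotreply.com case) and a recipient domain that is not owned or allowlisted, including a near-miss of an allowlisted domain (the mildenhall.com case). The owned and allowed domain lists, the placeholder tokens, the sample messages and the finding texts are all assumptions constructed for the example.

```python
"""Outbound-mail header check for misdirected replies and recipients.

Added example; not code from the original post. The domain lists, sample
messages and finding texts are constructed for illustration.
"""
from email import message_from_string
from email.utils import getaddresses

# Assumed: domains the sending organisation actually controls.
OWNED_DOMAINS = {"example.com"}
# Assumed: external domains that outbound mail is expected to reach.
ALLOWED_DOMAINS = {"mildenhall.example.mil", "partner.example.org"}
# Local-part or domain fragments that mark a "do not reply" placeholder.
PLACEHOLDER_TOKENS = ("noreply", "no-reply", "donotreply", "do-not-reply", "do_not_reply")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def looks_like_placeholder(addr: str) -> bool:
    """True for addresses such as please@donotreply.com or noreply@x.org."""
    local, _, domain = addr.lower().rpartition("@")
    return any(t in local or t in domain for t in PLACEHOLDER_TOKENS)


def lookalike_of(domain: str):
    """Allowed domain that shares its first label with `domain` (e.g.
    mildenhall.com vs mildenhall.example.mil); None if no near-miss."""
    first = domain.split(".")[0]
    for allowed in sorted(ALLOWED_DOMAINS):
        if allowed != domain and allowed.split(".")[0] == first:
            return allowed
    return None


def check_message(raw: str):
    """Return (header, address, reason) findings for one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    # Sender side: a placeholder reply address at a domain we do not own means
    # every reply, attachments included, lands in somebody else's catch-all.
    for hdr in ("From", "Reply-To", "Return-Path"):
        for _, addr in getaddresses(msg.get_all(hdr, [])):
            if addr and looks_like_placeholder(addr) and domain_of(addr) not in OWNED_DOMAINS:
                findings.append((hdr, addr, "placeholder reply address at a domain we do not control"))
    # Recipient side: every domain must be ours or allowlisted; a near-miss of
    # an allowlisted domain is called out separately because it is the usual typo.
    for hdr in ("To", "Cc", "Bcc"):
        for _, addr in getaddresses(msg.get_all(hdr, [])):
            dom = domain_of(addr)
            if not addr or dom in OWNED_DOMAINS or dom in ALLOWED_DOMAINS:
                continue
            near = lookalike_of(dom)
            reason = (f"lookalike of allowed domain {near}" if near
                      else "recipient domain not owned or allowlisted")
            findings.append((hdr, addr, reason))
    return findings


# Constructed samples mirroring the two stories above.
SAMPLE_BANK = """\
From: Patch Report <please@donotreply.com>
To: itops@example.com
Subject: Hosts missing security patches
Content-Type: application/pdf; name="unpatched.pdf"

"""
SAMPLE_FLIGHT = """\
From: scheduler@example.com
To: ops@mildenhall.com
Cc: duty@mildenhall.example.mil
Subject: Arrival schedule

"""

if __name__ == "__main__":
    for name, raw in (("bank", SAMPLE_BANK), ("flight", SAMPLE_FLIGHT)):
        for hdr, addr, reason in check_message(raw):
            print(f"{name}: {hdr} {addr}: {reason}")
```

A gateway rule built this way blocks or quarantines rather than merely warns, because the catch-all on the far end means the sender will otherwise never see a bounce. It does nothing about the third problem in the stories, unencrypted content; that still needs a separate policy on what must be encrypted before it leaves.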
