This just in, from the
Washington Post.
"The Virginia Supreme Court today invalidated the state’s
"anti-spam" law, designed to prevent the sending of masses of unwanted
e-mail, by saying the law broadly violated the First Amendment right to
freedom of speech, in particular anonymous speech."
The Virginia spam law makes it a misdemeanor to send unsolicited bulk
e-mail by using false transmission information, such as a phony domain
name or Internet protocol address. The domain name is the e-mail
address. The Internet protocol is a series of numbers, separated by
periods, assigned to every e-mail account. The crime becomes a felony if
more than 10,000 recipients are mailed in a 24-hour period.
Justice Agee, writing the opinion, held that the only way to engage
in an anonymous protected speech would be to falsify IP address or
domain name information, and because such act is prohibited by the
Virginia spam law, the law must be struck.
From the
Washington Post:
Federal agents may take a traveler’s laptop or other electronic
device to an off-site location for an unspecified period of time without
any suspicion of wrongdoing, as part of border search policies the
Department of Homeland Security recently disclosed.
Also, officials may share copies of the laptop’s contents with other
agencies and private entities for language translation, data decryption
or other reasons, according to the policies, dated July 16 and issued by
two DHS agencies, U.S. Customs and Border Protection and U.S.
Immigration and Customs Enforcement.
The policies cover "any device capable of storing information in
digital or analog form," including hard drives, flash drives, cell
phones, iPods, pagers, beepers, and video and audio tapes. They also
cover "all papers and other written documentation," including books,
pamphlets and "written materials commonly referred to as ‘pocket trash’
or ‘pocket litter.’ "
We have known for some time that the border agents have the
authority to search a laptop without probable cause and as part of the
routine border inspection. But the detention, for an unspecified period
of time, without any suspicion or probable cause may raise some
eyebrows, especially from business travelers, who often carry not only a
laptop full of confidential company information, but also flash drives
(encrypted or otherwise), cell phones, Blackberries (often with
sensitive information) or even sensitive company plans printed on
paper.
Attorneys who travel internationally are also concerned by the new
revelation - confidential and sensitive client information is often
stored on mobile devices, and the detention, discovery and sharing of
such information may have devastating consequences for a client’s case
or the confidentiality of such information.
We have written in the past of the dangers of file sharing,
not so much from the standpoint of copyright prosecution (although those
dangers are real) as from having the file sharing software "incidentally"
share files located on the networked computer. A high-profile data
breach from the Washington, DC area confirms the dangers. The case
involves the investment and personal information of high-powered
Washington, DC figures, including Supreme Court justices, being shared
with anybody in the world.
From the article which appeared this morning in the
Washington Post:
Sometime late last year, an employee of a McLean investment firm
decided to trade some music, or maybe a movie, with like-minded users of
the online file-sharing network LimeWire while using a company
computer. In doing so, he inadvertently opened the private files of his
firm, Wagner Resource Group, to the public.
That exposed the names, dates of birth and Social Security
numbers of about 2,000 of the firm’s clients, including a number of
high-powered lawyers and Supreme Court Justice Stephen G. Breyer.
It is very difficult to protect against this type of breach, as it is
due to human error. Many companies have IT policies which prohibit
file sharing software. Many IT departments are successfully able to
block "some" of the file sharing P2P traffic. But there are always some
who download, install, and run the file sharing software on company
hardware containing sensitive information without much regard for the
consequences.
This article is related to a prior post, found here:
Courts split
In another blow to the recording industry, a Federal District Court Judge in the District of Minnesota in Capitol Records, Inc. v. Jammie Thomas,
has granted a new trial in a copyright infringement case stating that
his jury instruction was in error when he stated “The act of making
copyrighted sound recordings available for electronic distribution on a
peer to peer network, without license from the copyright owners,
violates the copyright owners’ exclusive right of distribution,
regardless of whether actual distribution has been shown.”
In his brief order in Capitol Records, the Judge stated that
his decision to grant a new trial was founded on the fact that both
parties failed to cite a controlling Eighth Circuit case that held
"…infringement of the distribution right requires an actual
dissemination of either copies or phonorecords." National Car Rental System, Inc. v. Computer Associates Int’l, Inc., 991 F.2d 426, 434 (8th Cir. 1993).
This order for a new trial is in agreement with the recent decision in London-Sire Records, Inc. v. Doe.,
a District of Massachusetts case in the First Circuit that denied a
subpoena to identify Doe because the recording company failed to state a
claim of copyright infringement if there was no evidence of an actual
distribution/download.
The new trial decision, however, is contrary to the case in Elektra v. Barker,
in the Southern District of New York, where the judge held that “making
available” is enough to state a claim of copyright infringement. Elektra was in the Second Circuit.
So far the Supreme Court has not ruled on the
finely pointed question of whether “making a copyrighted song available
for download” infringes upon a copyright owners exclusive right to
distribution.
It remains to be seen how much attention these recent decisions get in
the other Circuits as the onslaught of recording industry cases funnels
itself through the District Courts.
Yesterday, May 12th, the Federal Trade Commission (FTC)
released a new rule under the CAN-SPAM Act. The new rule seeks to
clarify some of the requirements CAN-SPAM imposes on senders of bulk
email.
- First, an E-mail recipient cannot be required by the sender to pay a
fee, supply any information other than an E-mail address and opt-out
preference, or take any steps other than sending a reply E-mail or
visiting a single Web page to opt out. From personal experience, many
commercial websites add you automatically to their mailing list if you
purchase something from them. This is fine; however, if you want to
unsubscribe, often you have to click on a link in the email, go to a web
page, enter your account information, or if you do not have an account -
your order number, then find out where the email preferences menu is
hidden, and finally fill out a couple of forms to submit an opt-out
request. All of this is gone - there must be a single web page.
- The definition of “sender” has been changed to make it easier to
determine which of multiple entities advertising in a single E-mail
message is responsible for complying with the Act’s opt-out
requirements;
- A “sender” of commercial e-mail can include an accurately-registered
post office box or private mailbox established under United States
Postal Service regulations to satisfy the Act’s requirement that a
commercial e-mail display a “valid physical postal address.”
The new changes are small tweaks, but helpful to Internet users.
Kudos to the FTC for staying on top of CAN-SPAM to make it a
more effective and user-friendly regulation. It is unfortunate,
however, that it takes so long to implement some of the more obvious
changes.
A decision from the U.S. District Court for the Northern
District of California held that the costs associated with the tracking
and discovery of the identity of the person who stole proprietary
information from a company does constitute "loss" for the purposes of
calculation of damages under the Computer Fraud and Abuse Act (CFAA).
The dispute in the case was between a company and its competitor.
Plaintiff alleged that the defendant competitor company accessed
privileged parts of plaintiff’s computer information system to, among
other things, create a disparaging PowerPoint slide show. Plaintiff
based its claim under CFAA which prohibits unauthorized access to a
protected computer and any person who suffers damage or loss in excess
of $5,000 due to another’s misuse may maintain a civil action.
Plaintiff relied on CFAA and its $5,000 threshold by arguing that the
costs to identify that it was the competitor company who broke into its
systems should be counted towards the $5,000 threshold. Defendant
disagreed and moved for summary judgment, in reliance on
Tyco Int’l v. Does,
which holds that CFAA allows recovery for losses beyond mere physical
damage to property but additional types of damages have generally been
limited to assessing the damage caused to the system or resecuring the
system following the attack.
The court distinguished the
Tyco case on the facts and held
that the costs of "responding to [the] offense" should include the
costs, as in this case, of determining that defendant was one of the
hackers who did access the computer system without authorization.
A recent pair of federal district court decisions is
split on whether making copyrighted songs available for download
violates copyright laws even when there is no proof that the copyrighted
works were ever downloaded under 17 U.S.C.A. Sec. 106. An original
article on this news is here:
http://news.lp.findlaw.com/ap/high_tech/1700//04-04-2008/20080404145001_26.html. The two cases are:
Elektra Entertainment Group, Inc. v. Barker and
London-Sire Records, Inc. v. Doe.
These two cases are virtually identical in their factual scenarios. In
each case a set of Defendants had copyrighted songs on their hard drives
that were made available to anyone on the internet via Peer to Peer
software - a common scenario among mp3 owners. In the past decade,
there have been an enormous number of complaints filed in courts by
record companies against individuals who distribute their copyrighted
works. In many of these cases the record companies are successful
either through out-of-court settlements or decisions on the merits of
the case. However, what is interesting in these cases is that there was
no proof available that the songs were ever downloaded. Therefore, the
record companies were arguing that merely making the songs available
through peer to peer software violates copyright law.
The crux of this issue in both of the cases came down to statutory
interpretation of what is the meaning of "distribution" within 17
U.S.C.A. Sec. 106(3). Sec. 106 states:
"The owner of copyright under this title has the exclusive rights
to do and to authorize any of the following: (sec 3) to distribute
copies or phonorecords of the work to the public by sale or other
transfer of ownership, or by rental, lease, or lending;"
In both cases, the record companies were arguing that publication
and distribution were synonymous. There is a lengthy discussion that I
will avoid on how each judge arrived at different decisions based on
Supreme Court cases interpreting the terms "publication" and
"distribution". However, the bottom line is that the
Elektra
case said publication = distribution and the other did not, resulting in
practically diametrically opposed decisions. The Elektra case held
that making available for download was distribution for purposes of Sec
106(3), and the London-Sire case said merely making a song available
wasn’t enough.
This split is important because it essentially comes down to the
question of how much proof the record companies need to gather before
they have a prima facie case of copyright violation. It is also
important for the millions of people out there on peer to peer networks
sharing songs. As both cases acknowledged, many people out there have
validly obtained copyrighted songs through purchase and unknowingly
offer them on the internet through peer to peer software. Is it really
fair to go after these people if you can’t truly show an active
participation in the distribution? Furthermore, is it fair to go after
someone even if there’s no proof that they know they are offering the
copyrighted song
and that there is absolutely no proof
that the song was ever downloaded by a third party? Either way, it is an
interesting battle of statutory interpretation among the federal courts
that could have important implications in the ever-present wrangling
over mp3s and copyright violations.
Data breaches happen every day and, unfortunately, we are
getting so used to hearing news about the most recent breach that it no
longer creates an interesting report. Most businesses of any
significance will, sooner or later, become a victim of some sort of
breach. So the question becomes not whether you will suffer a data
breach, but how you are going to respond to one when it happens.
The
Wall Street Journal Business Technology Blog
(WSJ) writes about the University of Miami’s (UM) response to their
recent breach when thieves stole backup tapes containing two million
medical records belonging to the University out of the back of a van
last month. WSJ notes that although the breach is nothing to be proud
about, the response by University of Miami is pretty impressive.
What made UM’s response so good? The university provided a detailed, but
clear, response to what exactly happened and why the breach poses low risk.
UM hired outside consultants to conduct testing and to determine the
likelihood of successful access to the data. After the consultants
reported that such likelihood was low, UM released the notification with
clear and common sense explanation.
Hopefully this practice will become the model for responding to security breaches.
We have
written in the past about the freedom of border agents to search laptops at the border crossing points.
A new opinion (
PDF) in
United States v. Arnold
by the Ninth Circuit Court of Appeals dated April 21, 2008, confirms
this trend by holding that customs officers may examine electronic
contents of a passenger’s laptop without reasonable suspicion.
The Facts. Arnold, a 43-year-old, arrived at Los
Angeles International airport from the Philippines. At Customs, he was
sent to secondary inspection, where the officer asked him to turn on
his laptop to determine whether it was functioning. Once the computer
booted up, the desktop showed folders named "Kodak Pictures" and "Kodak
Memories." The agents opened the folders and noticed pictures of nude
women. The agents then questioned Arnold about his computer, his trip,
and upon review of the images, determined that there were several images
which the agents believed were child pornography.
The Opinion. After a district court granted
Arnold’s motion to suppress evidence, the Ninth Circuit reversed. The
Ninth Circuit based its opinion on Supreme Court precedent which held
that the right of the United States to protect its border is paramount;
however, such authority is not unlimited. The two major exceptions for
border searches without reasonable suspicion are searches which cause
"exceptional damage to property" or if the search was conducted in a
"particularly offensive manner." The Ninth Circuit held that the record
did not support a finding under either of the two exceptions and therefore
the search was proper.
Many emails happily reach their final and intended
destination. But there are some emails which arrive where they were not
intended to. Two recent stories suggest that people should not only be
careful about what the "TO:" field in their email says, but
also use some common sense.
The
first story
is about the "donotreply.com" domain, whose owner admitted that he
receives millions of unintended emails each week, many with
substantially sensitive information. Many senders of bulk email do not
want each recipient to be able to hit ‘Reply’ and send a return
message. As a result, they just type something that is intended to
remind the recipient not to email back, for example,
"please@donotreply.com." However, there are people who send emails
back, and according to the owner of the donotreply.com domain, there are
some very sensitive wayward emails. For example, a bank sent to a
donotreply.com email address a PDF with a list of all computers within
the bank which are not properly patched with up-to-date security
settings.
The
second story
is about a website promoting Mildenhall, a small town in Suffolk, UK,
which owned the domain www.mildenhall.com. However, Mildenhall also
hosted a U.S. Air Force base with 2,500 servicemen and women. As a
result, mildenhall.com started receiving hundreds of emails,
intended for the US Air Force personnel at Mildenhall. Among the emails
received, future flight paths for Air Force One. The domain’s owner
tried to warn the US base, but the emails kept coming. Finally, the
domain owner decided to shut down the site so as to avoid confusion and
leak of potentially sensitive information.
These two stories highlight some of the biggest problems with email
as a communication tool, especially for sensitive and unencrypted
information. First is the trend of domain owners turning on their
"catch all" email setting whereby all email directed to a particular
domain, even if the email address does not exist, is captured and
treated as "received" as opposed to being returned as "undeliverable."
The second is the casual approach towards email. There are plenty of
stories about major litigation blunders, competitive information
disclosures, or simply embarrassing personal stories which have been sent
to the wrong party and subsequently leaked to the world. Email users,
especially users dealing with sensitive information, should create a
habit, if not a procedure, of checking
every outgoing
email for accuracy of the recipient, at the least. Finally, the use of
email for transmission of sensitive information without encryption is
troubling. What is the appropriate threshold level for encrypting email?
That depends on the organization and the documents being transmitted,
but the senders of the list of vulnerable PCs on the network or of the
flight path of Air Force One should have known better and used encryption.
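As an added illustration of the two problems just described (this is example code written for this post, not code from the original article or from either story's participants): a small outbound-mail check that flags recipients at placeholder domains such as donotreply.com, and attachments that leave the organisation without S/MIME or PGP/MIME encryption. The organisation's own domain, the placeholder lists and the sample message are constructed assumptions.

```python
"""Outbound mail check prompted by the donotreply.com story: flag recipients at
placeholder domains the sender does not control, and unencrypted attachments."""
from email import message_from_string, policy
from email.utils import getaddresses

# Constructed assumptions: the organisation owns only example-bank.test;
# donotreply.com is the third-party domain from the story.
OWN_DOMAINS = {"example-bank.test"}
PLACEHOLDER_DOMAINS = {"donotreply.com", "noreply.com", "example.com"}
PLACEHOLDER_LOCALPARTS = ("noreply", "no-reply", "donotreply", "do-not-reply")
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}  # PGP/MIME, S/MIME

def recipients(msg):
    """Yield (header, address) for every recipient-type header, lower-cased."""
    for header in ("To", "Cc", "Bcc", "Reply-To"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                yield header, addr.lower()

def is_placeholder(addr):
    """True for 'do not reply' addresses that are really someone else's mailbox."""
    local, _, domain = addr.rpartition("@")
    return domain in PLACEHOLDER_DOMAINS or local.startswith(PLACEHOLDER_LOCALPARTS)

def check_outgoing(raw):
    """Return findings for one RFC 5322 message; an empty list means clean."""
    msg = message_from_string(raw, policy=policy.default)
    findings, external = [], []
    for header, addr in recipients(msg):
        if addr.rpartition("@")[2] in OWN_DOMAINS:
            continue  # internal recipients are fine
        external.append(addr)
        if is_placeholder(addr):
            findings.append(f"{header}: {addr} is delivered to whoever owns that domain")
    if external and msg.get_content_type() not in ENCRYPTED_TYPES:
        for part in msg.iter_attachments():
            findings.append(f"attachment {part.get_filename()!r} leaves unencrypted to {external}")
    return findings

# Constructed sample modelled on the bank incident: a patch report sent to please@donotreply.com.
SAMPLE = """\
From: patch-report@example-bank.test
To: please@donotreply.com
Subject: Weekly unpatched hosts
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="unpatched-hosts.pdf"
Content-Disposition: attachment; filename="unpatched-hosts.pdf"

%PDF-1.4 (constructed placeholder body)
--b1--
"""
```

Running `check_outgoing(SAMPLE)` yields one finding for the placeholder recipient and one for the unencrypted attachment; a message whose top-level type is S/MIME or PGP/MIME produces no attachment finding.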