Issue 55 January 2002	BYTES IN BRIEF® by Editors: Sharon D. Nelson, Esq. and John W. Simek Associate Editor: Amelia C. Hierholzer Editor Emeritus: G.V. Nelson 9500+ subscribers worldwide © 2001 Sensei Enterprises, Inc./Nelson & Wolfe. All rights reserved. This newsletter may not be reproduced or redistributed in any manner except with consent of the copyright owner. Distributed by Silver Law Inc. under license.

FEDS SELECT NEW ENCRYPTION STANDARD

The federal government has approved a new data encryption standard to safeguard sensitive information in federal computer systems, replacing the now obsolete standard adopted in 1977. The National Institute for Standards and Technology selected the Advanced Encryption Standard (AES), a new encryption technology. There was a four-year competition for the new standard in which experts around the globe attacked the candidate encryption codes to test their security. The winning standard, named Rijndael, was named after its co-creators, Joan Daemen and Vincent Rijmen, cryptographers from Belgium. Rijndael relies on an algorithm that encodes electronic communications by generating random numbers using 128, 192, or 256-bit encryption keys. The previous standard relied on a 56-bit key, which provided for approximately 10,000,000,000,000,000 different keys. By comparison, the new 128-bit keys provide a sextillion times greater number of possible keys (a number expressed by 340 followed by 36 zeros.) The earlier standard was cracked in the late 1990s after researchers developed machines that could recover a 56-bit key within a few hours. According to NIST, assuming that one could build a machine capable of recovering a 56-bit key in one second, it would take that same machine roughly 149 trillion years to crack a 128-bit AES key. Further information may be found at http://csrc.nist.gov/encryption/aes

JUDGE UNPLUGS INTERIOR DEPARTMENT

On December 5th, U.S. District Judge Royce C. Lamberth, presiding over a long-standing suit alleging federal government mishandling of American Indian trust funds, partially pulled the plug on the Interior Department's Internet presence. The judge ordered the Interior Department to "immediately disconnect from the Internet all information technology systems that house or provide access to individual Indian trust data." The judge had previously commissioned a computer security test that concluded that the trust fund accounts were vulnerable to alteration or diversion by hackers. The hacker who successfully got into the system reported that it was easy to access, with no firewalls or other software or hardware in place to block intruders or alert systems administrators to their presence. Many of the Department's functions have been impacted, including the use of e-mail communications by employees and the provision of data to other federal agencies. Concerns were raised that the National Earthquake Information Center will not be able to issue bulletins in real time, and in the case of a natural disaster, the Department will not be able to push critical information to the Federal Emergency Management Agency. Certain river gauge information is also transmitted via the Internet, and fears were expressed that the ability of the Department to assist in monitoring possible flood conditions had been hampered. The Department is seeking to restore functionality as soon as permitted by the Court, but remains committed to full compliance with the outstanding court order. Contempt charges have twice been filed against Interior Secretary Gale Norton, once in connection with charges that she filed false reports with the court about her department's progress in securing its systems and once for failure to remove access to the Indian trust fund data on personal computers used by employees and contractors. The restricted Interior Department web site may be found at http://www.doi.gov

ERESOLUTION BOWS OUT OF DOMAIN NAME ARBITRATION

The Canadian domain arbitrator eResolution closed its doors in December, saying it could not generate enough business because the domain name resolution process favors large corporations and trademark holders. The company says the system created by the Internet Corporation for Assigned Names and Numbers (ICANN) allows complainants to select the arbitrator that will hear their cases, and that they naturally seek those who favor big business and trademark holders. eResolution's position was recently supported by a study released by University of Ottawa professor Michael Geist which examined 3,000 cases decided under ICANN's Uniform Dispute Resolution Policy (UDRP). The study concluded that there is widespread forum shopping, resulting in 9 of 10 cases going to the World Intellectual Property Organization (WIPO) or the National Arbitration Forum (NAF) where complainants won more frequently than with eResolution. According to his data, complainants won 82.2 percent of the time with WIPO, 82.9 percent with the NAF, but only 63.4 percent with eResolution. In February, there were 183 new cases filed with WIPO and 96 with the NAF, but only three new cases with eResolution. In a related matter, ICANN named a joint venture in China and Hong Kong, the Asian Domain Name Dispute Resolution Centre, to settle domain name disputes in Asia. eResolution's farewell may be found on its web site at http://www.eresolution.com. Geist's study may be found at http://aix1.uottawa.ca/~geist/geistudrp.pdf. ICAAN's announcement of the new dispute resolution service may be found at http://www.icann.org/announcements/announcement-03dec01.htm

COURT SPELLS OUT U.S. DOMAIN NAME JURISDICTION 

Reversing a trial court, the 1st U.S. Circuit Court of Appeals in Boston held on December 5th that federal courts have jurisdiction over international domain name disputes, including those filed with the World Intellectual Property Organization (WIPO). The appellate judges ruled that under the Anti-Cybersquatting ConsumerProtection Act, a domain name holder may file a civil action suit in U.S. courts if the domain name has been suspended,disabled or transferred. The decision means that Jay Sallen, who lost the domain name Corinthians.com to a Brazilian soccer team in a WIPO dispute-resolution process, may seek to obtain a U.S. court decision that would permit him to keep the domain name. Sallen registered Corinthians.com in August 1998 and posted Biblical material on the site. On May 18, 2000, Corinthians Licenciamentos, owners of the soccer team, filed a complaint with WIPO, alleging that Sallen's domain name was similar to its trademark and that it has rights in Brazil to the name, "Corinthiao," the Portuguese equivalent of "Corinthians." A WIPO panel concluded that Sallen used the domain name in bad faith and ordered it transferred to the owners of the soccer team, prompting Sallen to file suit under the Anti-Cybersquatting Consumer Protection Act. Experts say that the case sets a precedent in establishing the right to appeal arbitration decisions under the UDRP. The decision in the case may be found at http://laws.findlaw.com/1st/011197.html

VERISIGN OFFERS DOMAIN/TRADEMARK SAFEGUARD SERVICES

On December 6th, VeriSign launched a new set of services to help businesses protect their brands and trademarks on the Internet. The Digital Brand Management Services offer two sets of features to VeriSign customers: registration and name services, and trademark protection and promotion services. The registration services will search the Internet seeking web sites that use companies' names or the names of their products. A list of those sites will then be returned to the client so the company can either register those names, attempt to buy them from their current owners, or do nothing. The service will also help companies register for country-specific domain names in countries where registration is more difficult than in the United States. The second service VeriSign will offer is a digital brand-protection service. This service will search the Internet for sites that are using a company's trademarked materials, such as reports, logos, or art, and notify clients about that use. Clients will then be able to take action against those sites or reach licensing deals with them. The services cost between $5,000 and $100,000, depending on what options a customer chooses. Further information may be found at http://corporate.verisign.com/news/2001/pr_20011206a.html

FBI ANNOUNCES CYBERCRIME DIVISION

The FBI announced its latest reorganization on December 3rd, including the formation of a Cybercrime Division to handle intellectual property, high tech and computer crimes. The Cybercrime Division will be paired with the Criminal Investigation Division under Ruben Garcia Jr., the new executive assistant director for Criminal Investigations. The three other divisions are Counterterrorism/Counterintelligence, Law Enforcement Services, and Administration. The FBI did not announce how the National Infrastructure Protection Center (NIPC), the interagency group that tracks cybercrimes, would be integrated with the reorganization. Some parts of NIPC fit naturally with the Criminal Investigation Division while others would seem to belong in the Counterterrorism/Counterintelligence Division. Further information may be found at http://www.fbi.gov/pressrel/pressrel01/reorg120301.htm

ONE MORE TIME: BILL TO BAN NET GAMBLING

After many false starts, a new bill introduced by Rep. Bob Goodlatte purports to avoid the stumbling blocks that have derailed former attempts to ban Internet gambling. The new bill recognizes states' rights, including the right to place ticket sales for their lotteries online, seeks no changes to laws regulating American Indian casinos or the horse racing industry, and addresses Bush administration concerns that the online and offline world receive equivalent treatment. Christiansen Capital Advisors, which studies the gambling industry, estimates that gamblers worldwide bet $2.2 billion online in 2000 and projects that figure will swell to over $6 billion in 2003. Nevada is projected to become the first state to allow Internet gambling. Also, New Jersey has proposed letting gamblers wager via the Internet on "real time" games being played at Atlantic City casino tables. Goodlatte's bill gives law enforcement wide authority to seek injunctions against any intermediaries, including banks, which enable gambling over the Internet. The text of the bill may be found at http://www.house.gov/goodlatte/gamble.pdf

DOJ BEGINS PATRIOT ACT MONITORING

Just hours after the USA Patriot Act became law, the Department of Justice began utilizing its new authority, including monitoring cable modem users without first obtaining a court order. The government has also used its new powers to obtain court orders for logs from Internet providers that are outside of the court's traditional jurisdiction. The Justice Department has prepared a "field guidance" manual for prosecutors. The field guidance manual prepared by the Justice Department may be found at http://www.epic.org/privacy/terrorism/DOJ_guidance.pdf. The Act itself may be found at http://thomas.loc.gov/cgi-bin/query/z?c107:H.R.3162.ENR:

DECSS RULING APPEALED

On November 30th, the DVD Copy Control Association filed a petition for review with the California Supreme Court, seeking to reverse an appellate decision that overturned a lower court's injunction prohibiting the posting of the source code for DeCSS. DeCSS is a computer program designed to defeat the copy protection system used by DVDs. The trial court had imposed a preliminary injunction that ordered defendants to stop publishing the source code for DeCSS on the Internet. On November 1st, the Court of Appeal in the Sixth Appellate District of California reversed the lower court's injunction, finding that the temporary injunction was a prior restraint violation of the First Amendment. In the petition for review, the DVD CCA argued that the Court of Appeal decision failed to protect trade secrets from unlawful dissemination and also that the court did not properly apply the First Amendment, "in the trade secret context to mixed conduct and speech in the form of a computer program." The petition also cited the November 28th decision by the 2nd Circuit Court of Appeals in New York which upheld a N.Y. District Court's decision to prohibit hacker magazine 2600 from posting DeCSS or linking to other web sites allowing the download of the DeCSS code. The appellate court decision may be found at http://www.courtinfo.ca.gov/opinions/documents/H021153.PDF

EUROPEAN UNION BANS SPAM

European telecommunications ministers voted on December 6th to prohibit unsolicited commercial e-mail, requiring that consumers opt-in to receive commercial e-mail. There is an exception allowing a business to send e-mails to a customer after a purchase, but the customer must be allowed to opt out at any time without charge. The ban is part of a draft law on privacy in electronic communications that is part of a broad revision of EU telecommunications law. The ministers ratified an earlier decision to prohibit the transmission of unsolicited text to mobile phones. The ministers refused requests by the U.S. government and European law enforcement authorities to require longer retention of European citizens' electronic data. The proposed law still requires the approval of the European Parliament. Further information may be found at http://www.zdnet.com/zdnn/stories/news/0,4586,2830908,00.html?chkpt=zdhpnews01

COURT SUPPORTS ONLINE PRIVACY FOR SEX OFFENDERS

On December 6th, a New Jersey federal district court ruled that New Jersey may post sex offenders' names, but not their addresses or town/city of residence. U.S. District Court Judge Joseph E. Irenas ruled that an offender's constitutional right to privacy exceeds any state's need to publicize addresses online, though prosecutors may still release such information to immediate neighbors. The ruling provides a setback to a constitutional amendment overwhelmingly approved by voters which would have let the state post offenders' addresses and physical descriptions. It had been challenged as a violation of privacy by the American Civil Liberties Union and the public defender's office. The state has not yet decided whether to appeal the ruling. Roughly two dozen states now have some form of an Internet sex offender registry, some with and some without addresses. Further information may be found at http://www.nandotimes.com/nation/story/189441p-1834071c.html

CALIFORNIA COURT WEIGHS IN ON INTERNET JURISDICTION

Who has jurisdiction over online content? On November 26th, a California appellate court offered its guidance in Nam Tai Electronics v. Tizer. Nam Tai is a consumer electronics products manufacturer based in Hong Kong whose stock is traded on Nasdaq. Joe Titzer, who lived in Colorado, posted 246 messages on a Yahoo message board regarding Nam Tai's stock. Nam Tai filed a complaint in state court charging that some of the messages, suggesting that Nam Tai had colluded with other businesses in restraint of free trade, were libelous. Titzer won dismissal of the case based on improper jurisdiction in California and Nam Tai appealed the decision. Nam Tai argued that jurisdiction was proper because Titzer had affirmatively registered aliases and posted messages on Yahoo's California-maintained web site. The court of appeal stated "the issue is not whether the company that makes the Web sites available is incorporated or based in California." The court held that "the determinative question is whether the Web sites themselves are of particular significance to California or Californians such that the user has reason to know the posting of the message will have significant impact in this state." The court found that there was no evidence to show that Titzer's messages were directed specifically to Californians. Although Titzer had agreed to submit to personal and exclusive jurisdiction of the California courts when he signed up with Yahoo, the court held that the clause was not enforceable because it was an adhesion contract and because it did not cover actions between registered users and third parties. If this case is followed, commentators suggest that generalized online conduct may be insufficient to confer jurisdiction. The decision in the case may be found at http://www.courtinfo.ca.gov/opinions/documents/B149382.PDF

FBI'S MAGIC LANTERN – BLACK MAGIC????

The FBI's keystroke-monitoring software, known as Magic Lantern, has antivirus vendors shaking their heads. The FBI would like antivirus vendors to accommodate its software, which can be detected by antivirus programs. This new project would fundamentally create a government-approved worm that would self-install encryption-keystroke loggers on selected computers. Under the U.S. Patriot Act, initial authorization may be obtained from a state or U.S. attorney general at first, with a court order required after the fact. Vendors worry that any back door left open for the FBI to deposit its own Trojan software will be speedily exploited by hackers and virus writers. On December 12th, an FBI spokesman finally confirmed that Magic Lantern exists, but indicated that it is under development and has not yet been deployed. Major anti-virus vendors have said they would not voluntarily cooperate with the FBI and that their products would continue to be updated to detect and prevent viruses, regardless of their origin, unless there was a legal order to do otherwise. Further information may be found at http://www.wired.com/news/print/0,1294,49102,00.html

SKLYAROV DIGITAL COPYRIGHT PROSECUTION DEFERRED

Computer programmer Dmitri Sklyarov, who was arrested five months ago for devising a program that allowed the disabling of Adobe's encryption software protecting electronic books, reached an agreement that defers his prosecution in exchange for his testimony in the prosecution of his employer, the Moscow-based company ElcomSoft. The trial date is set for April 15, 2002. The charges against Sklyarov will be dropped if he does not violate any local, state, or federal laws during his one year court supervision or until the trial ends, whichever comes first. Sklyarov was the first person to be criminally prosecuted under the 1998 Digital Millennium Copyright Act. Sklyarov and ElcomSoft were indicted on charges of selling the Advanced eBook Processor, which defeats Adobe's electronic book encryption. Sklyarov plans to testify for the defense as well as the prosecution. The U.S. attorney's office's agreement with Sklyarov may be found at http://www.usdoj.gov/usao/can/press/ assets/applets/2001_12_13_sklyarov.pdf

NEW YORK COURT DISMISSES ONLINE NEWS SUIT

On December 11th, New York Supreme Court Judge Paula J. Onansky dismissed all claims against The Narco News Bulletin and other defendants. The Bank of Mexico had brought a libel suit against the defendant over Narco's web site reports accusing the bank president of trafficking in drugs. The bank brought the suit in New York saying that jurisdiction was proper because people could read the material published on the site in New York, though all the alleged acts happened in Mexico. Onansky's opinion states that news web sites should be treated just like any print or broadcast news publication. This brought Narco News within the purview of New York Times Co. v. Sullivan, in which the U.S. Supreme Court held plaintiffs must prove actual malice or a reckless disregard for the truth in libel cases involving media defendants. Court documents in Banco Nacional de Mexico v. Rodriguez may be found at http://www.eff.org/Cases/BNM_v_Narco_News/ 20010712_eff_narconews_pr.html. The Narco News is online at http://www.narconews.com

EX-EMPLOYEE BANNED FROM E-MAILING COMPANY LISTS

On December 11th, California's 3rd District Court of Appeal upheld an injunction against Kourosh Kenneth Hamidi, holding that the former Intel employee's unauthorized transmission of e-mail to Intel's staff constituted trespass. Hamidi, after being fired from Intel in 1996, sent six disgruntled e-mails to Intel's staff mailing list, approximately 35,000 individuals, over a two-year period. Intel asked him to stop – when he refused, Intel filed suit alleging trespass to legal property. The decision in the case may be found at http://www.courtinfo.ca.gov/opinions/documents/C033076.PDF

SUIT FILED TO OVERTURN CDA

On December 11th, the National Coalition for Sexual Freedom and photographer Barbara Nitke, who publishes sadomasochistic photos on the Internet, filed suit in the U.S. District Court for the Southern District of New York, seeking to overturn the remaining censorship provisions of the Communications Decency Act (CDA). The plaintiffs argue that the obscenity provision of the CDA is so broad that it violates free speech. The defendants in the case are Attorney General John Ashcroft and the U.S. government. In its 1997 decision in Reno v. ACLU, the Supreme Court struck down provisions of the law relating to indecency, ruling that the law violated the First Amendment. The Court ruled that obscene speech, which is not protected by the First Amendment, must meet the following three criteria: 1) it must be prurient in nature; 2) it must be completely devoid of scientific, political, educational or social value; and 3) it must violate local community standards. The difficulty of how to apply local community standards to the Internet is at the heart of the case. The complaint in the case may be found at http://www.ncsfreedom.org/cda.htm

FEDS MOVE AGAINST SOFTWARE PIRATES

On December 11th, federal agents seized computers in 27 cities in the U.S. to gather evidence against an international software piracy ring. Law enforcement authorities in the United States, Australia, Finland, England and Norway also served warrants on individuals accused of software piracy. The crackdown encompassed three separate operations called Operation Buccaneer, Operation Bandwidth and Digital Piratez. The raids were directed at 62 individuals, all of whom are expected to be charged with copyright infringement. One of the most famous targets was the "warez" group called "DrinkOrDie" which achieved notoriety when it released a copy of Windows 95 two weeks before Microsoft began selling it. DrinkOrDie now has two leaders, one in the United States and another in Australia, officials said. There are believed to be 1,500 warez members nationwide and eight to 10 major groups. Warez is the generic online name for digital content such as games, movies or software whose copy protection has been defeated, allowing the programs to be used without buying the legitimate software. A week after the original raids, the scope of the inquiry expanded exponentially with further raids at several universities, including Duke, the Massachusetts Institute of Technology and the University of California at Los Angeles, as well as raids at several software and computer companies. The U.S. Customs Service's press release regarding the operation http://www.customs.ustreas.gov/hot-new/pressrel/2001/1211-00.htm

CALIFORNIA ADOPTS COURT RECORD ACCESS RULES

On December 18th, the California Judicial Council approved new rules that will govern access to electronic court records. The rules establish the public's right to "reasonable access'' to electronic records but, citing privacy concerns, records will not be available on the Internet for criminal, family, juvenile, guardianship and conservatorship, mental health and civil harassment cases. Under the California rules, courts will only have to supply electronic records on a case-by-case basis, a provision that had been opposed by the media. However, the case-by-case limitation does not apply to court calendars, dockets or indexes. The new rules will go into effect on July 1st. http://www.siliconvalley.com/docs/news/svfront/access121901.htm

PACER HACKER PLEADS GUILTY

It was announced on December 18th that Nicholas Mamich, of Bowdoinham, Maine, had pled guilty to one felony count of fraud for hacking into the Public Access to Court Electronic Records (PACER). PACER is operated by the Administrative Office of the United States Courts. Between approximately May 2000 and November 2000, from his home in Bowdoinham, Maine, Mamich gained unauthorized access to 65 PACER computer servers belonging to United States District Courts around the country on several hundred occasions and downloaded millions of pages of data to his personal computer. Mamich devised a program that placed hidden files on the PACER servers that bypassed the PACER billing program, so that no charges would accrue. The Administrative Office of the United States Courts estimated that it incurred expenses of at least $40,000 to discover and repair the damage. The system has now been configured to prevent this type of conduct. Mamich could be sentenced up to five years imprisonment, a $250,000 fine, or both. Sentencing is scheduled for March 12, 2002. Further information is available at http://www.usdoj.gov/criminal/cybercrime/MamichPlea.htm

MICROSOFT SUES "LINDOWS"

Microsoft filed a motion with the U.S. Court for the Western District of Washington on December 20th, asking the court to order the start-up company Lindows not to use that name, which Microsoft says infringes its "Windows" trademark. The suit also seeks unspecified monetary damages. Lindows is developing a version of the Linux operating system that will run applications written for Microsoft's Windows OS as well as for the open-source Linux operating system. Microsoft argues that the company, which plans to formally release its product next year, is purposely trying to confuse Lindows with Windows. The Lindows web site may be found at http://www.lindows.com

STATES WANT MICROSOFT'S SOURCE CODE

On December 7th, nine states and the District of Columbia submitted a proposal to U.S. District Judge Colleen Kollar-Kotelly asking for Microsoft's crown jewels, its source code, if it fails to abide by the proposed restrictions on its business practices. The proposal would compel Microsoft to reveal the source code for the Internet Explorer browser and would require that it also reveal the source code for the Windows operating system if it failed to comply with the court's restrictions. Other elements of the proposed remedy would force Microsoft to sell a stripped-down version of Windows, license Office to a third party to be ported to competing operating systems such as Linux, and include Sun Microsystems' Java with Windows XP. The proposal was filed preparatory to the March remedy hearing.

Microsoft called the proposal "extreme and not commensurate with what is left of the case" and filed a brief on December 12th saying that "the non-settling states seek to punish Microsoft and to advance the commercial interests of powerful corporate constituents - Microsoft competitors such as Sun Microsystems, Oracle, Apple and Palm." Microsoft said the proposal of the hold-out states was tantamount to a wholesale confiscation of its intellectual property and urged the court to rule that the current settlement proposal applies to all states, including the hold-outs. On December 21st, Microsoft asked Judge Kollar-Kotelly to delay the scheduled March 11th remedy hearing for four months, saying that the company needed more preparation time given the gravity of the remedies proposed by the remaining plaintiffs.

On December 10th, Microsoft filed a brief addressing the Tunney Act and summarizing all communications between the company and federal government employees. The brief indicates that all communications took place in the context of settlement discussions. Microsoft opponents immediately fired back charges that Microsoft had failed to disclose its lobbying activity in connection with the antitrust case. The Tunney Act, designed to make sure that antitrust settlements are free from political influence, requires Microsoft to disclose any lobbying on the company's behalf "concerning or relevant" to the proposed agreement. Microsoft's opponents point to the company's strong lobbying efforts and widespread campaign contributions. Legal documents in the case may be found at http://www.microsoft.com/presspass/legalnews.asp

MICROSOFT AMENDS SCHOOL SETTLEMENT PLAN

Microsoft's plan to settle more than 100 private class action lawsuits by setting up a foundation to assist schools in need by donating $1 billion in money, software, services and training over five years has undergone some revision. The changes, submitted to the U. S. District Court for the District of Maryland on December 10th, would allow Judge J. Frederick Motz to select the members of the foundation's five-member board based on nominations by plaintiffs' attorneys, Microsoft, and five educational associations. A further revision would give the foundation, rather than Microsoft, control over the training portion of the settlement. A major remaining issue is the sum allocated to training, $90 million, which critics charge is vastly insufficient. Apple Computer argued in a December 7th filing and in a December 10th hearing that the settlement "will constitute a massive subsidy for the adoption of Microsoft technology, not only in the eligible schools, but throughout school districts and states." Apple has suggested that Microsoft give its proposed $1 billion in cash to an independent foundation, allowing schools in need to select the computer technology of their choice. On December 11th, U.S. District Judge J. Frederick Motz asked the parties to meet privately and try to resolve their differences. On December 20th, Judge Motz announced that he would postpone his decision on the settlement until after January 10th to give the settling attorneys more time to craft a compromise with dissenting class-action attorneys from California. They had asked Motz to exempt them from the deal because they believe the money should be reimbursed directly to customers who were overcharged for Microsoft's software. Microsoft's original settlement agreement may be found at http://www.microsoft.com/presspass/legal/ca/11-20settlement.asp