Bytes in Brief®
Issue 66
December 2002
BYTES IN BRIEF® by
Editors: Sharon D. Nelson, Esq. and John W. Simek
Associate Editor: Amelia C. Hierholzer
Editor Emeritus: G.V. Nelson
9500+ subscribers worldwide
© 2001 Sensei Enterprises, Inc./Nelson & Wolfe.
All rights reserved. This newsletter may not be reproduced
or redistributed in any manner except with consent
of the copyright owner. Distributed by Silver Law Inc.
under license.
HOMELAND SECURITY ACT SIGNED INTO LAW
On November 13th, the House of Representatives voted 299 to 121 to
approve the Homeland Security Act of 2002, which was signed into law by
President Bush on November 25th. The Act will combine portions of 22
existing agencies into a new Department of Homeland Security with former
Pennsylvania Governor Tom Ridge as its Secretary. Ridge is expected to
take office on January 24th. The Department will analyze terrorism
intelligence to match it against the nation's vulnerabilities, develop
new technologies to detect threats, coordinate the training and funding
of state and local police and fire departments, and scrutinize U.S.
borders and ports of entry. At the last moment, the Cyber Security
Enhancement Act (CSEA) was inserted into the Homeland Security bill. CSEA
expands the ability of police to conduct Internet or telephone
eavesdropping without first obtaining a court order, and offers Internet
providers more latitude to disclose information to police. Among other
things, the Act provides for prison terms up to life for computer
intrusions that "recklessly" put the lives of others at risk.
The text of the Act may be found by entering the bill number (H.R. 5005)
at http://thomas.loc.gov
COURT APPROVES MICROSOFT SETTLEMENT
On November 1st, U.S. District Judge Colleen Kollar-Kotelly ruled that
the settlement between the Justice Department, nine states and Microsoft
would benefit the public. She rejected appeals from nine other states,
led by California, to restrict Microsoft’s conduct in other markets,
including TV set-top boxes and Internet services, saying that their
proposals would "require drastic alterations to Microsoft's products
as well as to aspects of its business model which do not involve illegal
conduct." Under the settlement agreement, Microsoft is required to
provide competitors with detailed technical information to make competing
products, such as e-mail and media players, work flawlessly with Windows.
The agreement also requires that Microsoft make Windows available under a
standard licensing agreement to computer manufacturers, although
discounts could still be given to large volume purchasers. It also allows
computer manufacturers to remove desktop icons to add-on Windows
features, such as the Media Player. The underlying software code would
still be in place, but the user would have no access to it, allowing
manufacturers to promote the software of rivals by placing their icons on
the desktop. Microsoft is forbidden under the agreement from retaliating
if manufacturers choose to install competing products. On November 8th,
Microsoft followed the court-approved sanctions by appointing three of
its board members to a new committee charged with ensuring that Microsoft
complies with the settlement agreement. The new committee, chaired by
Harvard University business professor James I. Cash Jr., intends to hire
a compliance officer who will enforce the judge's sanctions.
Massachusetts has decided to appeal. The other dissenting states are
deciding whether to appeal or to simply try to police the court’s ruling.
Legal documents in the case may be found at
http://www.microsoft.com/presspass/legalnews.asp
ICANN APPROVES ELECTION REFORM PLAN
On October 31st, the Directors of the Internet Corporation for Assigned
Names and Numbers (ICANN) voted 15-3 at a quarterly meeting in Shanghai,
China, to adopt a comprehensive reform plan. The new plan abandons online
elections for board members, instead filling board seats by appointments
from business and technical groups, as well as a special nominating
committee that will include some public representatives. ICANN’s original
1998 charter called for half the board of directors to be chosen by the
public. An online election in 2000 filled five of the nine public seats,
but was perceived as a failure because of a low turnout and charges of
ballot-stuffing. ICANN commissioned a task force to look into the issue,
but did not follow its recommendations. The new plan has already come
under fire, critics charging that it will further insulate
intellectual-property lawyers, Internet infrastructure companies and
other ICANN insiders from the world's 550 million Internet users. The
reform plan may be found at
http://www.icann.org/committees/evol-reform/blueprint-20jun02.htm
DRAFT CYBERSECURITY GUIDELINES RELEASED BY NIST
On October 28th, the National Institute of Standards and Technology
(NIST) released a draft of new cybersecurity guidelines designed to help
agencies safeguard their sensitive systems. The guidelines address how to
measure the risk of online or employee breaches to an application,
database or computer network. Started in March 2002, the project aims to
develop standard guidelines for certifying and accrediting federal
information systems. It also seeks to define the minimum security that is
acceptable in federal systems and to promote the development of public
and private sector assessment labs and the certification of individuals.
The guideline document is the first in a set of three that will spell out
how agencies should secure their computer systems against Internet and
insider threats. The second document, due in spring 2003, will outline
the minimum security that every agency must have in place. A third
document, due at the same time, will tell auditors how to verify that
systems have been secured properly. The current draft of the guidelines,
called the "Guidelines for Security Certification and Accreditation
of IT Systems," will be open to public comment until January 31,
2003 and may be found at
http://csrc.nist.gov/publications/drafts.html
MICROSOFT’S OFFICE 11 WILL RUN ON XP AND 2000 ONLY
On October 29th, Microsoft acknowledged that it plans to offer its new
productivity suite, called Office 11, currently in beta release, only for
users who have Windows 2000 with Service Pack 3 or Windows XP. It does
not plan to offer Office 11 for Windows 98, 98 Second Edition, ME, or NT.
While Microsoft may make a fortune from the "forced upgrade,"
it will almost certainly further alienate business users who are already
irate about the increase in licensing fees. At the end of 2001, only 20%
of users were utilizing Windows 2000 or XP, a number that is expected to
double by the end of 2002. Support for Windows 98 and NT desktop
operating systems is slated to end on June 30, 2003. The final version of
Office 11 is expected to be released in mid-2003. Further information may
be found at
http://staging.infoworld.com/articles/hn/xml/02/10/30/021030hnoffice.xml?Template=/storypages/printfriendly.html
EMPLOYER MONITORING REMAINS AT SAME LEVEL
The General Accounting Office recently released a report concluding that
corporate monitoring of employee e-mail and Internet use has not changed
significantly since the terrorist attacks of September 11, 2001. The
report also said that few employees are ever disciplined for
inappropriate Internet behavior. Under current law in general and the
Electronic Communications Privacy Act of 1986 in particular, employers
can monitor all Internet activity of their employees. Because companies
own their computers and networks, courts have ruled that employees should
have no reasonable expectation of privacy at work. A copy of the report
may be found at
http://www.gao.gov/new.items/d02717.pdf
VIRGINIA SUPREME COURT RULES AOL MUST DISCLOSE USER ID
On November 1st, the Virginia Supreme Court ruled against America Online
(AOL) in its effort to withhold the identity of a subscriber. Nearly two
years ago, the electronics design and manufacturing company Nam Tai
Electronics filed suit, alleging that 51 unknown individuals had
committed libel, trade libel and violations of California’s unfair
business practices law by posting defamatory messages about the company
stock on an Internet message board. One of the individuals was an AOL
subscriber and Nam Tai secured a subpoena requesting that AOL identify
the subscriber. AOL filed a motion to quash the subpoena, arguing that
disclosure would "infringe upon the well-established First Amendment
right to speak anonymously." The California court handling the case denied
the motion and Virginia-based AOL appealed the ruling to the Virginia
Supreme Court. The decision in the case may be found at
http://www.courts.state.va.us/txtops/1012761.txt
HOUSE PASSES CYBERSECURITY BILL
On November 12th, the House of Representatives unanimously passed the
$903 million Cyber Security Research and Development Act. The act will
fund new cybersecurity initiatives over the next five years and train
computer security experts in combating cyberattacks. The Senate passed a
nearly identical bill in February, so the legislation will go directly to
the President, who is expected to approve it promptly. According to Bill
Wulf, president of the National Academy of Engineering, the United States
only graduates roughly seven computer security Ph.D.s per year. The Act
directs the National Science Foundation to create new cybersecurity
research centers, undergraduate program grants, community college grants
and fellowships. The National Institute of Standards and Technology would
fund academic-industry partnerships and other research incentives. The
text of the Act may be found by entering the bill number (H.R. 3394) at
http://thomas.loc.gov
PRIVACY GROUPS SEEK TO FORCE DOJ TO REVEAL SURVEILLANCE
On November 13th, the American Civil Liberties Union and the Electronic
Privacy Information Center asked a federal court to compel the Justice
Department to respond to their August 21st Freedom of Information request
for documents related to Patriot Act surveillance. The request seeks
aggregate statistics and policy directives from both the FBI and the
Department of Justice, with specific emphasis on details about
surveillance that targets American citizens or foreign nationals "on
the basis of activities protected by the First Amendment." The
lawsuit was filed on October 25th after negotiations with the DOJ
collapsed. The plaintiffs want the district court to force the Justice
Department to provide a list of documents within seven days and the
documents themselves within 20 days. On September 3rd, the DOJ said in
writing that it would expedite the process but no documents or list of
documents covered by the FOIA request have yet been produced. The ACLU
motion for injunction may be found at
http://www.aclu.org/SafeandFree/SafeandFree.cfm?ID=11281&c=206
VISA: TRADEMARK BESTS THE DICTIONARY
On November 16th, it was reported that, in a domain name case of first
impression, a corporate trademark prevailed over a word in the
dictionary. A Nevada district court found the evisa.com site run by Joe
Orr of New York City could dilute Visa's trademark. Evisa.com offered
travel and translation services, as well as multilingual presentation
software. Visa hosts its own e-visa.com site, and has pending
applications for trademarks including EVisa, E-Visa, and E Visa.
Commentators said that the court essentially held that the Visa credit
card company could restrict the ability of others to use the word 'visa'
when they offer travel-related information and services. On November 21st
the Electronic Freedom Foundation appealed the ruling. The court order in
the case may be found at
http://www.eff.org/Cases/Visa_v_JSL/20021121_evisa_order.pdf
DATABASE OF PRIESTS ACCUSED OF SEXUAL ABUSE
On November 12th, a Roman Catholic victims' group launched a website to
track priests accused of sexually abusing children and adults. The
database contains the identities of the 325-plus priests who have
resigned or have been removed from their posts since January, pending
investigations, because of abuse allegations dating back years. The list
provides information on each accused cleric's city and diocese, and the
status or outcome of any criminal or civil cases. The website may be
found at
http://www.survivorsfirst.org/
BRIT CHARGED WITH HACKING U.S. MILITARY
On November 12th, federal authorities announced that indictments had been
secured in northern Virginia and New Jersey against Gary McKinnon of
London, England. McKinnon, a computer administrator accused of hacking
into 92 computer networks operated by the U.S. military and NASA, was
indicted on eight counts of computer-related crimes. Two of the computer
networks were at the Pentagon. McKinnon reportedly caused $900,000 in
damage to computers in 14 states. McKinnon faces up to ten years in
prison on each count. Federal authorities are seeking McKinnon’s
extradition. If he is extradited, he would be the first person extradited
to face hacking charges in the U.S. U.S. Attorney Paul McNulty
characterizes McKinnon’s exploits as "the biggest hack of military
computers ever detected." The hacks were accomplished by exploiting
known security problems with Microsoft Windows NT and Windows 2000.
McKinnon is believed to have acted alone and without any connection to
terrorist groups. Further information may be found at
http://www.wired.com/news/print/0,1294,56332,00.html
REMEMBER JOHN POINDEXTER? HE’S BACK
John Poindexter, once a Reagan administration national security advisor, was convicted in 1990 of five felony counts of lying to Congress, destroying official documents and obstructing congressional inquiries into the Iran-Contra affair. Poindexter was sentenced to six months in prison, the federal judge finding that he was the "decision-making head" of a scheme to deceive Congress. His conviction was overturned in 1991 by the U.S. Court of Appeals, which found that his rights had been violated by using testimony he had given Congress after a grant of immunity. In a major comeback, Poindexter now runs the Pentagon’s Information Awareness Office. He has started designing a global computer-surveillance system to give U.S. counterterrorism officials access to personal information in government and commercial databases around the world. The system, proposed by Poindexter and funded by the Defense Advanced Research Projects Agency (DARPA) at about $200 million a year, would be able to sweep up and analyze data in a highly systematic way. Poindexter’s agency is already beginning to award contracts to high-tech vendors. Experts agree that, if constructed, it would probably be the largest data-surveillance system ever built. Poindexter said any operational system would include safeguards to govern the collection of information, but critics are highly skeptical. Further information may be found at http://www.epic.org/events/tia_briefing/
CYBERSECURITY: U.S. FAILS AGAIN
On November 19th, the U.S. government flunked a cybersecurity review for the third straight year. Of the 24 agencies surveyed, 15 received failing grades and only three received a grade of C or higher. The Department of Transportation received the lowest score, 28 out of a possible 100. The General Accounting Office conducted the review. Further information may be found at http://www.siliconvalley.com/mld/siliconvalley/news/editorial/4555878.htm
DOE CLOSES ONLINE RESEARCH DATABASE PUBSCIENCE
The Department of Energy (DOE) has shut down the online research database Pubscience after receiving complaints that it competed too closely with commercial efforts. Pubscience, which contained a searchable database of more than 2 million documents on physical sciences and energy-related research, was closed in recent weeks after the DOE was pressured by the private sector to reassess its value in a marketplace where commercial interests were at stake. A handful of privately owned sites let researchers pull up abstracts of scientific research documents, as well as buy the full-text documents of thousands of technical periodicals. Proponents of the site's closure said the move fell into line with a federal law that forbids the government to compete with the private sector in business. The DOE said it had carefully evaluated Pubscience in light of private sector offerings and found that it substantially duplicated those offerings. Critics say that much of the research available free online was paid for by taxpayer dollars and that it should not be hoarded by private commercial interests. Further information may be found at http://news.com.com/2100-1023-966824.html
MASS IDENTITY THEFT REVEALED
In what appears to be the largest case of identity theft ever uncovered, a computer help desk employee has been charged with stealing the financial and personal information of 30,000 people over three years. Phillip Cummings, 33, appeared in U.S. District Court in Manhattan on November 25th to face charges that he and two colleagues would get reports from the major credit reporting bureaus using Cummings' access to passwords that belonged to Ford Motor Credit Co., Washington Mutual Bank and other financial institutions. Prosecutors say the three men then sold lists of credit card numbers, checking accounts and other personal data to scam artists for $60 per name. So far, authorities say they have documented $2.7 million in losses. Cummings worked at Teledata Communications Inc., a New York company that provides lenders with software, terminals and support to help them tap the major credit databases kept by Equifax Inc., Experian Information Solutions Inc. and TransUnion LLC. Federal officials stated that victims have reported unauthorized charges on their credit cards, money lost from their bank accounts, or use of their identities on credit card and loan applications. If convicted of wire fraud, Cummings faces up to 30 years in prison, plus up to five years in jail for conspiracy. He was released by a federal magistrate in New York after posting a $500,000 bond. Further information may be found at http://www.cnn.com/2002/LAW/11/26/ID.theft.ap/index.html
CALIFORNIA SUPREME COURT: NO JURISDICTION IN DECSS CASE
On November 25th, the California Supreme Court ruled 4-3 that Matthew Pavlovich, a former Purdue University student now living in Texas, can't be forced to answer in California for posting computer code on the Web that unscrambles DVD encryption technology. "There is no evidence in the record suggesting that the site targeted California," Justice Janice Rogers Brown wrote for the majority. The opinion in Matthew Pavlovich v. DVD Copy Control Association may be found at http://www.courtinfo.ca.gov/opinions/documents/S100809.PDF
COURT SAYS COPS’ HACKER VIOLATED 4TH AMENDMENT
A federal judge in Virginia has issued what is believed to be the first ruling that hacking into an Internet-connected home PC without a warrant violates the Fourth Amendment prohibition of unreasonable searches and seizures. The judge suppressed evidence of child porn possession after the defendant's lawyers argued the evidence had been illegally obtained by a hacker whose methods had received approval from law enforcement officials. The hacker had uploaded a file to a child porn newsgroup that made it possible to track who downloaded files from the service. The uploaded file contained the SubSeven Trojan, which the hacker used to remotely search people's computers for porn. The hacker then acted as a cybervigilante, sending anonymous tips to law enforcement officials alerting them to child porn files the hacker had found on people's PCs. Based on the hacker’s information, U.S. attorneys and state prosecutors filed numerous charges against a Virginia man, William Adderson Jarrett. Jarrett pleaded guilty but his attorneys also argued that the FBI violated Jarrett's Fourth Amendment rights when they retrieved the information, via the hacker, without a warrant. The court concurred, ruling that the evidence could not be used in court because the FBI had sanctioned hacking as a means of obtaining it. Further information may be found at http://news.com.com/2100-1023-965926.html
SPECIAL COURT APPROVES U.S. SURVEILLANCE TECHNIQUES
On November 18th, a special panel from the U.S. Circuit Court of Appeals for the District of Columbia overturned a May decision by the ultra-secret Foreign Intelligence Surveillance Court, ruling that the DOJ has broad discretion in the use of wiretaps and other surveillance techniques to track suspected terrorists and spies. The secretive federal court had previously concluded that proposals by Attorney General John Ashcroft under the new USA Patriot Act were not reasonably designed to safeguard the privacy of Americans. On appeal, the panel said the expanded wiretap guidelines sought by Ashcroft do not violate the Constitution. The decision in the case may be found at http://www.cadc.uscourts.gov/common/newsroom/02-001.pdf
EIGHTH CIRCUIT APPROVES FAXED WARRANTS
On November 18th, the Eighth Circuit Court of Appeals overturned a lower court decision and ruled that service of a warrant on an ISP by fax complies with the "reasonableness" requirement of the Fourth Amendment. The defendant, Dale Robert Bach, had been investigated by authorities for child pornography crimes. As part of the investigation, authorities served a search warrant by fax to Yahoo, Bach’s Internet Service Provider. The evidence gleaned from that warrant was used to prosecute Bach. The defendant argued that police officer presence is required during the service of a warrant under such circumstances because the service of a search warrant by fax machine doesn't adequately safeguard the Fourth Amendment guarantee of a "reasonable" search. U.S. search and seizure law has mandated officer presence at the service of a warrant since the 1700s. The lower court had held that the evidence should be suppressed because the search was illegal under both federal and state laws. The decision in U.S. v. Bach may be found at http://www.epic.org/privacy/bach/ruling.pdf
2ND CIRCUIT RESTRICTS ACPA JURISDICTION
On November 7th, the 2nd Circuit Court of Appeals upheld a lower court ruling involving the application of the in rem provision of the Anticybersquatting Consumer Protection Act of 1999. Deciding a case of first impression in the circuit, the court said the basic jurisdictional grant in the Anticybersquatting Consumer Protection Act of 1999 (ACPA) "contemplates exclusively a judicial district within which the registrar or other domain-name authority is located." The 2nd Circuit upheld Southern District Judge Denise Cote's dismissal of an action brought by Mattel, the owners of the Barbie doll, Matchbox and Hot Wheels trademarks, against 57 Internet sites that allegedly sought to "cybersquat" on those trademarks by registering their domain names in other jurisdictions. The decision in Mattel v. Barbie-club.com may be found at http://laws.findlaw.com/2nd/017680.html
AOL RELEASES ENTERPRISE AIM SERVICES
America Online has released Enterprise AIM Services, which will allow corporations to have greater control of instant messaging. The new product allows system administrators the ability to manage the use of messaging software from behind a corporate firewall. It lets managers keep closer control of employees’ use of instant messaging, letting managers block communications outside the corporation if they wish, as well as allowing them to log, audit and create reports on all AIM communications so they can be monitored for legal, regulatory and accounting compliance. Further information may be found at http://www.aim.com/get_aim/enterprise/enterprise.adp