Issue 72 June 2003	BYTES IN BRIEF® by Editors: Sharon D. Nelson, Esq. and John W. Simek Associate Editors: Jaime W. Burgess and Anthony J. Stefano Editor Emeritus: G.V. Nelson 9500+ subscribers worldwide ® 2003 Sensei Enterprises, Inc. All rights reserved. This newsletter may not be reproduced or redistributed in any manner except with consent of the copyright owner. Distributed by Silver Law Inc. under license.

Prison time for spammers? Under a new Virginia law signed on April 29th, spammers could receive up to five years in prison and have their assets seized. If a commercial bulk e-mailer sends e-mail to or from Virginia with a bogus return address, or if a spammer transmits 10,000 or more e-mail messages in a day, he or she could end up facing felony penalties, paying massive fines and spending up to five years in jail. The penalties may apply even if the sender and recipient live elsewhere, according to Virginia Governor Mark Warner, because so much Internet traffic passes through Northern Virginia. The Virginia law also prohibits tools that automate spam and the forging of e-mail headers. Many commentators have expressed the concern that prosecutors will not enforce the law aggressively both because they lack funding and because they do not perceive spam as a serious crime. The text of the act may be found at http://leg1.state.va.us/cgi-bin/legp504.exe?ses=031&typ=bil&val=sb1139

New Hampshire may be poised to become the first state in the Union to provide legal protection for people who tap into insecure wireless networks. House Bill 495 says that operators of wireless networks must secure them or lose some of their ability to prosecute anyone who gains access to the networks. The bill would effectively legalize many forms of the activity known as war driving -- drivng around and scanning for open wireless access points. Wireless systems typically ship without any security features enabled and/or have default settings that are well known. Because the radio waves broadcast by wireless base stations are powerful, neighbors or adjacent businesses sometimes inadvertently connect to each other's wireless networks. War driving has led to another phenomenon known as war chalking, in which war drivers make specialized markings on sidewalks and buildings to indicate open connections. Thousands of these wireless "hotspots" are listed in online databases such as 80211hotspots.com. House Bill 495 effectively defines an operator's failure to secure a wireless network as a form of negligence. The text of the bill may be found at http://www.gencourt.state.nh.us/legislation/2003/HB0495.html

On May 1st, the Recording Industry Association of America (RIAA) agreed to settle suits against four university students charged with operating file-swapping networks on college networks. The RIAA settled with the students for $12,000-$17,500 each, to be paid over four years. The suits originally sought fines of up to $150,000 per pirated song. According to the RIAA, the goal was not to financially devastate the students but to send a clear message to other students. All of the defendants agreed to remove their file-swapping Web sites and never to download or distribute bootlegged copies of songs in the future. Further information may be found at http://www.siliconvalley.com/mld/siliconvalley/5769446.htm

On April 30th, the Federal Trade Commission (FTC) announced that it would join 33 state and local law enforcement agencies to target Internet auction fraud, with 57 initial actions planned. Auction fraud was the #1 Internet-related complaint recorded by the FTC last year. The new initiative is called "Operation Bidder Beware," and includes 17 criminal cases. The bulk of the cases involve identity theft and situations where consumers made payment and did not receive the merchandise. Further information may be found at http://www.ftc.gov/opa/2003/04/bidderbeware.htm

In a report released on April 30th by the Federal Trade Commission (FTC), the agency said that two thirds of all spam is false in one manner or another. In its study, the FTC examined 1,000 unsolicited e-mails, looking for deceptive claims in message text and in the "from," and "subject" lines. Twenty percent of the spam studied involved business opportunities such as work-at-home and franchise offers. Offers for pornography or dating services accounted for another 18 percent. Spam involving pitches for credit cards, mortgages and insurance was the third largest category at 17 percent. The FTC report may be found at http://www.ftc.gov/reports/spam/030429spamreport.pdf

On April 15th, the Federal Trade Commission (FTC) filed suit in federal district court in St. Louis to block an allegedly illegal spam operation that uses innocent subject lines, false return e-mail addresses and empty "reply-to" links to induce unsuspecting consumers and children to open the mail, exposing them to sexually explicit material. The case was brought under the FTC Act, which prohibits unfair and deceptive acts or practices in or affecting commerce. The suit seeks gains from the operation, restitution to the victims, and to permanently enjoin any further violations of the FTC Act. The complaint and other documents in Federal Trade Commission v. Brian Westby may be found at http://www.ftc.gov/os/caselist/0323030.htm

America Online (AOL), Microsoft and Yahoo announced on April 28th that they have teamed up to fight spam. In an unusual collaborative effort, the three competitors agreed to work against the spam, which is clogging inboxes, networks and computer memory space. The three partners in this effort hope to devise ways to block unidentified messages, stop spammers from creating fraudulent e-mail accounts and work more closely with law enforcement to rein in the practice. Further information may be found at http://www.microsoft.com/presspass/press/2003/apr03/04-28JoinForcesAntispamPR.asp

On May 16th, Attorney General John Ashcroft announced that 130 people had been charged and more than $17 million seized in a crackdown on investment swindles, identity theft and other forms of Internet crime. The crimes involved setting up fake banking sites, operating bogus investment schemes, selling unreleased movies or non-existent goods or services, and selling counterfeit goods. The initiative, called Operation E-Con, was coordinated by 43 United States Attorney’s Offices nationwide, the Federal Bureau of Investigation (FBI), the Federal Trade Commission (FTC), the Postal Inspection Service, the Secret Service, and the Bureau of Immigration and Customs Enforcement with a number of other state and local law enforcement agencies in the U.S. and around the globe. Further information may be found at http://www.usdoj.gov/opa/pr/2003/May/03_crm_301.htm

On May 15th, federal and state law enforcement agencies announced that they had sent letters to operators of more than 1,000 e-mail servers globally warning them that an open relay (an e-mail server that allows the unauthenticated re-routing of mail) "creates problems for consumers worldwide, for law enforcement and for your organization." The Federal Trade Commission (FTC) pointed out that spammers hunt down these open relays and hijack their resources. It asked that these open relays be closed. Other organizations involved in this effort include the Securities and Exchange Commission, the Postal Inspection Service and the offices of three U.S. Attorneys and four state attorneys general. The letter warns "It may appear to recipients of the spam that the spam is coming from your system; your mail server and Internet service resources may be utilized by unknown third parties; your network connections may become clogged with traffic; your administrative costs may increase; or your Internet Service Provider may shut down your Internet service. Fixing your open relay mail server will help you protect your system from being misused." A good source for learning how to fix open relays, according to the FTC, may be found at http://www.mail-abuse.org/tsi. A copy of the FTC’s letter may be found at http://www.ftc.gov/bcp/conline/edcams/spam/openrelay/pdf/EnglishLetter.pdf

On May 7th, EarthLink was awarded $16.4 million by a federal court in addition to an injunction against Howard Carmack, the so-called "Buffalo Spammer." The lawsuit, filed in November in U.S. District Court in Atlanta, alleged that Carmack had used stolen credit cards, identity theft and other illegal means to purchase hundreds of Internet accounts in order to send out 825 million unsolicited commercial e-mails. The court also permanently banned the defendant from spamming and from a host of related activities, including distributing mass e-mail software and selling e-mail addresses. Further information may be found at http://www.earthlink.net/about/press/pr_nyspamring and http://www.earthlink.net/about/press/pr_spammerarrest

A computer researcher in Pakistan discovered how to breach Microsoft’s security procedures for its popular Internet Passport service, which was designed to protect customers visiting some retail Web sites, sending e-mails and in some cases making credit-card purchases. Microsoft acknowledged the flaw affected all of its 200 million Passport accounts but said it fixed the problem on May 8th, after details were published on the Internet. Microsoft could face a staggering fine by U.S. regulators of up to $2.2 trillion. Under a settlement with the Federal Trade Commission (FTC) last year over deceptive claims about Passport security, Microsoft pledged to take reasonable safeguards to protect personal consumer information during the next two decades or risk fines up to $11,000 per violation. The FTC is currently investigating the Passport vulnerability. The FTC said that each vulnerable account could constitute a separate violation - raising the maximum fine that could be assessed against Microsoft to $2.2 trillion. The researcher, Muhammad Faisal Rauf Danka, discovered that by typing a specific Web address that included the phrase "emailpwdreset," he could seize any person's Passport account and change the password associated with it. Experts have long warned that Microsoft's plan to keep information for millions of users in one central location would be too tempting a target for malicious hackers. The question now is whether Microsoft violated the consent decree it signed with the FTC when it changed the Passport system in September and added the vulnerable password reset feature. Microsoft’s report of the Passport issue and its resolution may be found at http://www.microsoft.com/security/passport_issue.asp

On May 13th, telecommunications company NeuStar, Inc. said it will debut the "kids.us" Internet domain to U.S. residents and businesses on September 4th, while registered trademark holders will be able to reserve their marks during a special preregistration period from June 17th to August 15th. Last fall, Congress directed NeuStar to set up the domain after previous attempts to shield children from inappropriate material online failed to survive court challenges. Web sites within the "kids.us" domain will be screened to ensure that they do not carry foul language, pornography, graphic violence and other material inappropriate for children 13 and younger. These sites will also be forbidden to include certain interactive features, such as chat rooms and instant messaging, or links to Web sites outside the domain. NeuStar will charge domain-name sellers a wholesale rate of $65 per year. Customers will pay somewhat more than that to reserve a "kids.us" address, along with a $250 annual charge to cover the costs of the content review. Neustar’s press release may be found at http://www.neustar.com/pressroom/files/announcements/kidspressrelease-final.pdf

On May 15th, Wisconsin and twelve other states sued an Internet firm that allegedly billed people who tried to close pop-up windows for pornographic web sites. The suits, filed in conjunction with the Federal Trade Commission, allege Alyon Technologies Inc. violated advertising and telecommunications laws by connecting Internet users to the company's toll phone number when they tried to close Alyon's pop-up windows advertising porn sites. The toll number charges $5 a minute, according to the complaint, resulting in bills ranging from $14 to more than $1,000. Other states that have sued are California, Connecticut, Florida, Illinois, Kentucky, Missouri, New Jersey, Ohio, North Carolina, Nebraska, Texas and West Virginia. Further information may be found at http://www.reuters.com/newsArticle.jhtml?storyID=2752669

A group of anonymous spammers, using an association called eMarketersAmerica.org, has asked a federal court to find that two spam blacklisting sites, Spamhaus and SPEWS.org (Spam Prevention Early Warning System), have published false, misleading and libelous information about their business practices. The suit was filed on April 14th in the U.S. District Court for the Southern District of Florida. The blacklisting groups say the libel charges are especially frivolous in that they focus on whether e-mail was solicited rather than the actual content of the messages. Internet service providers often use the blacklists to block incoming e-mail from spammers before it arrives in customers' inboxes. Further information may be found at http://www.spamhaus.org/legal/answer-03-80295.html

On May 5th, Microsoft announced that it had settled a class action suit in Montana and will pay $12.3 million in vouchers to Montana consumers who said the company violated state antitrust laws. Microsoft will issue the vouchers to Montana customers who purchased its operating systems, productivity suites, spreadsheet or word processing software over a four-year period ending August 2002. The $5 to $12 vouchers can be used to purchase computer hardware or software from any manufacturer. Microsoft also will donate half of the unclaimed settlement proceeds to Montana schools. Microsoft now has 15 similar class-action lawsuits outstanding in various states and the District of Columbia. The lawsuits were primarily based on claims that Microsoft used its Windows monopoly to overcharge consumers on various products. The settlement in the case may be found at http://www.microsoft.com/presspass/legal/ca/05-06-03MontanaAgreement.pdf

A record number of searches and wiretap orders granted by the Foreign Intelligence Surveillance Court in 2002 reveals a growing trend of reliance on the secret court in government investigations. The number of Foreign Intelligence Surveillance Act (FISA) orders jumped more than 30 percent to 1,228 last year, compared to 934 the year before. The FBI uses the warrants in investigations of suspected terrorists and spies to eavesdrop on communications and conduct physical searches. Since FISA's inception in 1978, the court has approved every FBI application it has received, despite disclosing last year in a report that the agency had misled FISA judges in 75 cases. The increase in FISA orders corresponded with a 9 percent dip in the number of Title III wiretaps authorized by federal and state courts in 2002. Last year, state and federal judges approved 1,359 wiretap applications, compared to 1,491 in 2001, according to a report published by the Administrative Office of the U.S. Courts. Applications for FISA warrants receive less scrutiny than Title III wiretaps despite the fact that they are much more intrusive. While Title III wiretaps allow investigators to eavesdrop on the oral and electronic communications of suspects, FISA orders include these wiretapping techniques as well as physical searches of residences, automobiles and belongings. Statistics with regard to the issuance of FISA orders may be found at http://www.epic.org/privacy/wiretap/stats/fisa_stats.html

On May 21st, the World Wide Web Consortium (W3C) finalized The Royalty-Free Patent Policy, which bans the use of most royalty-bearing technology in its technical recommendations. The policy, announced by the Patent Policy Working Group of the W3C, is very close to the draft issued two months ago. In shutting fee-bearing patents out of standards development in all but exceptional cases, it marks a compromise between open-source advocates and proprietary software companies. Patents have been a bone of contention between the open-source community and proprietary software companies. Some proprietary software makers cash in on large patent portfolios by requiring licensing fees and may be reluctant to give away the rights to intellectual property after investing time and money creating the technology. On the other hand, many in the open-source community believe patents impede the development process and can slow the adoption of standards. A copy of the policy may be found at http://www.w3.org/Consortium/Patent-Policy-20030520.html

A small group of Internet vendors sued Visa, MasterCard, American Express, and Discover on May 20th, alleging that they had failed to inform online merchants when goods were purchased with stolen credit cards or by customers with a history of fraud. The suit was filed in federal court in Raleigh, North Carolina on behalf of eGeneral Medical Inc., Howell Automotive and Direct Foreign Exchange PLC. More plaintiffs are expected to join the suit, which seeks class action status. The lawsuit asks that credit card companies be required to let online, phone-based and direct-mail merchants know if the credit card a customer is using has been stolen or compromised or if the cardholder has a history of fraud, just as they would notify brick-and-mortar retailers. The lawsuit also alleges that merchants are required to pay the credit card companies transactional and penalty fees for the fraud, which they cannot recover. The lawsuit seeks actual and punitive damages, but without naming a specific dollar amount. The charges in the lawsuit include breach of contract, duty of care and fiduciary duty, negligent misrepresentation, fraud and deceit and unfair deceptive trade practice. Further information may be found at http://www.reuters.com/newsArticle.jhtml?storyID=2799843

On May 27th, a federal court in Norfolk dealt a powerful blow to online auction house eBay, awarding $35 million to a Virginia attorney/inventor who had alleged that eBay infringed his patents by utilizing its "Buy It Now" fixed price selling system. The jury found that eBay had willfully violated the patents, which would allow the judge to triple the money award if he so chose. The judge could also compel eBay to stop using the technology. The "Buy It Now" transactions are eBay’s fastest growing segment and accounted for 26% of the company’s $5.3 billion in first-quarter sales this year. Further information may be found at http://home.hamptonroads.com/stories/print.cfm?story=54678&ran=113044

Eleven privacy and consumer advocacy groups filed a complaint with the FTC on April 22nd, asking that it investigate whether Amazon. com is violating COPPA by permitting children 12 years old and younger to post reviews of toy products without their parents’ consent. Amazon spokesman Bill Curry called the complaint groundless because "Amazon.com is not a site directed at children." The complaint says Amazon.com employees read product reviews before they are posted and should ensure that children do not disclose their personal information in the reviews. The complaint provides an example of a review that was allegedly posted by an 11-year-old and contained the child's full name along with the child's home city and state. A day after the suit was filed, Amazon.com pulled the identifying information from its site and said the children had by-passed steps designed to keep their comments anonymous. The complaint in the case may be found at http://www.epic.org/privacy/amazon/coppacomplaint.html

On May 29th, it was announced that AOL Time Warner and Microsoft have settled a broad array of disputes and litigation between the two companies. Microsoft has agreed to pay AOL a total of $750 million and AOL will have a seven-year royalty-free license for Microsoft’s Internet Explorer. In a statement, Microsoft’s chairman Bill Gates said "With Microsoft's media technology expertise and AOL Time Warner's content expertise, we believe we can accelerate the adoption of digital media for the Internet and help content providers across the entire industry." Microsoft also agreed to help AOL distribute its online service and the two companies will work to ensure that AOL works well with future versions of Windows. Further information may be found at http://www.microsoft.com/presspass/legalnews.asp

On April 25th, the U.S. District Court for the Central District of California dismissed much of the record industry and movie studios' lawsuit against file-swapping services Morpheus and Grokster, ruling that the companies were not liable for copyright infringements using their software. The court identified key differences for contributory and vicarious infringement copyright liability between the centralized Napster P2P (peer-to-peer) model and the decentralized model used by Morpheus and Grokster. He wrote "Defendants distribute and support software, the users of which can and do choose to employ it for both lawful and unlawful ends." The court added that the companies are "not significantly different from companies that sell home video recorders or copy machines." The ruling does not directly affect KaZaA, software distributed by Sharman Networks, which has also been under attack by the entertainment industry. The decision in the case may be found at http://shorl.com/darobremibuke

On May 9th, the 1st Circuit Court of Appeals issued its decision in In Re Pharmatrak, a privacy case involving a company, which pharmaceutical companies hired to track how customers used their websites. The company collected more information than anticipated and a class action suit ensued. The court ruled that URL search terms may constitute content for the purposes of the Wiretap Act and that no consent for the data's collection was ever provided by users. The decision may be found at http://laws.lp.findlaw.com/1st/022138.html

The Pentagon has submitted to Congress its report on the Total Information Awareness program. The report assures Congress that the surveillance system will only analyze legally acquired information and is not meant to be a centralized database of information on U.S. citizens. The purpose of TIA is to identify possible terrorists by comparing information in a wide range of databases. The name of the project has been changed to the Terrorism Information Awareness program, to help relieve privacy concerns that prompted congressional restrictions. The report may be found at http://www.darpa.mil/body/tia/TIA DI.pdf

On May 13th, the federal district court for the Southern District of New York sought to establish new criteria for e-discovery requests. The court said that while most courts rely on considerations such as the specificity of the request, the likelihood of discovering critical information, the availability of the information from other sources, the purpose for which the data is kept, the relative benefits to the parties, the costs, and the ability of each side to pay those costs, it would add to the list of considerations "the amount in controversy" and the "issues at stake in the litigation." The decision in Zubulake v. UBS Warburg may be found at http://www.nysd.uscourts.gov/rulings/02cv1243_051803.pdf

On May 15th, the European Commission adopted the first report on the implementation of the Data Protection Directive. The report notes that it has broadly achieved its aim of ensuring strong protection for privacy but that late implementation by some member states along with differences in national approaches has prevented the EU from obtaining the full benefit of the Directive. The report may be found at http://europa.eu.int/comm/internal_market/privacy/lawreport_en.htm

On May 6, the North Dakota Supreme Court affirmed a $3 million libel judgment in a case involving Internet jurisdiction. The case concerned a Minnesota resident who posted allegedly defamatory postings about a North Dakota professor on her website. The court ruled that the site directly targeted the state and thus affirmed the assertion of jurisdiction and the jury award. The decision in Wagner v. Miskin may be found at http://www.court.state.nd.us/COURT/OPINIONS/20020200.htm