A revised British "Good Practice Guide for Computer-based Electronic Evidence" has been compiled by the National Hi-Tech Crime Unit and the Association of Chief Police Officers. The guide is designed to assist law enforcement officers in the proper collection of electronic evidence to avoid losing cases because improper procedures were followed. The guide states: "Computer-based electronic evidence is, by its very nature, fragile. It can be altered, damaged or destroyed by improper handling or improper examination. Operating systems and other programs frequently alter and add to the contents of electronic storage." The general advice at crime scenes is for police to isolate and switch off machines that may contain electronic evidence but new guidance includes the handling of PDAs, organizers and mobile phones. The guidelines may be found at http://www.nhtcu.org/ACPO%20Guide%20v3.0.pdf

On September 30th, Microsoft announced that it would pay $10.5 million to settle an antitrust lawsuit brought by U.S. customers who claimed that Microsoft used its monopoly power to overcharge them for direct purchases of software. Under the settlement, consumers and businesses that bought Microsoft's software directly from the company's website or direct marketing campaigns agreed to drop their charges. Microsoft, which admitted no wrongdoing, said it would pay each purchaser a portion of the price paid for software bought up until April 30, 2003. The settlement, which is pending in the U.S. District Court in Maryland, must be approved by U.S. District Judge J. Frederick Motz. Further information may be found at http://www.microsoft.com/presspass/press/2003/sep03/09-30MDLpr.asp. On October 28th, Microsoft announced that it had settled six more class action lawsuits involving antitrust claims and product pricing. This brings to ten the number of class action suits which have thus far been settled, leaving five still in progress. The settlements in the six suits total approximately $200 million. Further information may be found at http://www.microsoft.com/presspass/legal/ca/

On October 3rd, a proposed class action suit was filed against Microsoft in Los Angeles Superior Court, seeking to hold Microsoft liable for security defects in its software. The suit contends that by failing to secure its software, Microsoft subjected its customers to having their private data made public. The lawsuit was filed on behalf of Marcy Hamilton, a Los Angeles resident, who claims a flaw allowed a digital thief to steal her personal information. Microsoft said it would fight the suit, observing that it has heavily invested in responding to security problems. It will also fight having the suit certified as a class action suit, noting that even those affected by security problems will be affected in different ways. Historically, courts have upheld software makers' right to subject customers to license agreements that waive the right to sue over defects. However, the suit argues that Microsoft should not enjoy the same right to make such a restrictive contract, since consumers have limited choices when it comes to choosing the operating system for their computers. The suit also claims that Microsoft's security warnings are too complex to be understood by the general public and serve instead to tip off fast-moving hackers on how to exploit flaws in its operating system. The suit further claims unfair competition and the violation of two California consumer rights laws, one of which is intended to protect the privacy of personal information in computer databases. It asks for unspecified damages and legal costs, as well as an injunction against Microsoft barring it from unfair business practices. Further information may be found at http://www.infoworld.com/article/03/10/02/HNmssecsuit_1.html

On September 29th, storage firm Optima Technology announced that it had filed a lawsuit against Network Solutions, a VeriSign subsidiary, in Orange County Superior Court in California. The suit alleges that Network Solutions gave away its domain name without permission and seeks more than $3,000,000 in damages. The optimatech.com domain was transferred to former Optima employee Michael DeCorte, allegedly allowing him to divert Optima revenues into his possession. When Optima noticed sharply declining revenues in 2001, it realized that the domain name transfer was responsible, according to the complaint. Later that year, Network Solutions, which originally said it had proper authorization to transfer the domain, returned it to Optima. Further information may be found at http://www.optimatech.com/networksolutions.html

On September 29th, the Recording Industry Association of America (RIAA) announced that it had settled with 52 of the 261 individuals it sued for illegally swapping music files. Another twelve users agreed to settle after they learned they might be sued. Defense lawyers familiar with some cases said payments ranged from $2,500 to $7,500 each, with at least one settlement as high as $10,000. The settlements do not include any admission of wrongdoing and require Internet users to destroy copies of illegally downloaded songs. They must also agree not to make any public statements that are inconsistent with the agreement. The RIAA also said 838 people have requested amnesty from future lawsuits, in exchange for a formal admission they illegally shared music and a pledge to delete the songs off their computers. The offer does not apply to people who already are targets of legal action. The RIAA announced in late October that it was preparing a second round of file-swapping lawsuits, notifying 204 individuals that they are in line to be sued for copyright infringement. Unlike previous suits, the RIAA is giving the lawsuit targets warning this time around, offering them a chance to settle before the suits are filed. The change in tactics comes after sharp criticism from federal lawmakers and others concerning the group's earlier court actions against 261 individuals. On October 30th, the RIAA announced the filing of another 80 lawsuits. Further information may be found at http://www.riaa.com/news/newsletter/092903.asp

On October 3rd, Charter Communications filed suit in the U.S. District Court in St. Louis, seeking to bar the Recording Industry Association of America (RIAA) from procuring the identities of its cable customers that have been allegedly swapping music files illegally. Charter filed a motion to quash the RIAA’s request for the names of 150 Charter customers alleged to be file-swappers. Charter sent letters late last week to the 150 customers whose identities were sought, in an effort to notify them that they are targets of the RIAA and that Charter is making legal objections to the RIAA's requests. The RIAA responded by saying that the subpoenas it filed comply with the letter of the law. Further information may be found at http://www.corporate-ir.net/ireye/ir_site.zhtml?ticker=CHTR&script=410&l ayout=-6&item_id=455926 and http://support.charter.com/sdcuser/asp/CopyrightInfringement.htm

On September 29th, the American Civil Liberties Union (ACLU) announced that it had filed court documents in Boston accusing the Recording Industry Association of America (RIAA) of illegally using thousands of subpoenas to identify alleged copyright infringers. The ACLU claims that the recording industry's subpoenas, filed under the Digital Millennium Copyright Act (DMCA), violated due process and constitutional rights shielding Internet users' anonymity. David Plotkin, a Boston attorney who filed the motion for the ACLU, said "the statute only allows for a subpoena when the copyrighted material at issue is stored on the ISP's system, but not, as in the case of Boston College and almost all other ISPs, when the material is stored on the Internet user's personal computer." Plotkin also argues that the subpoena suffers from procedural deficiencies and violates the due process and free expression guarantees of the U.S. Constitution. In another case, a federal judge in Washington, D.C. considered similar arguments and rejected them, ruling the DMCA was constitutional. That case, which pits Verizon Communications against the RIAA, is on appeal to the U.S. Court of Appeals for the District of Columbia Circuit. Further information may be found at http://www.aclu.org/Privacy/Privacy.cfm?ID=13802&c=251

Symantec’s bi-annual Internet Security Threat Report, which compiles data from customers as well as from more than 20,000 sensors embedded in its global DeepSight Threat analysis system, paints a foreboding future. The new data shows that 64% of attacks during the first six months of this year were aimed at vulnerabilities less than one year old and that 39% percent targeted security flaws that had been disclosed in the previous six months. In brief, companies are finding it difficult to patch their systems quickly as vulnerabilities are announced with viruses rapidly released on the heels of the announcements. Among the other major trends, Symantec spotted a significant increase in the number of blended threats, those that use multiple vectors such as e-mail, instant messaging, Internet Relay Chat, and peer-to-peer networks to infect and compromise systems. The number of blended threats rose 20% during the first six months of this year compared to the first half of 2002. To deflect these blended threats, companies need to deploy a wide range of security services, including firewalls, anti-virus guardians at the gateway, and intrusion-detection and prevention systems. Another major trend is the increasing number of attacks against Windows. In the first six months of 2003, the number of viruses and worms aimed at Windows more than doubled compared to the same period in 2002. Commentators have noted that Microsoft’s dominance has made it the target of choice. Further information may be found at http://www.symantec.com/press/2003/n031001.html

On October 4th, VeriSign, the administrator of the .com and .net domains, shut down its new SiteFinder service, after the Internet Corporation for Assigned Names and Numbers (ICANN) ordered the company to undo controversial changes. In a letter sent to VeriSign on October 3rd, ICANN CEO Paul Twomey told the domain name registrar that it had until 6 p.m. PDT Saturday to comply with a request to take down the SiteFinder service. SiteFinder, introduced on September 15th, included a wildcard feature redirecting all misspelled or unassigned .com and .net domain names to a search page owned by VeriSign. Before that, requests for nonexistent, reserved or inactive domain names would generate an error message. Three companies that compete with VeriSign subsidiary Network Solutions have filed lawsuits, claiming the move is an unfair business practice. In addition, at least seven organizations have criticized VeriSign's wildcard change, including the Internet Society, the Public Interest Registry and several engineering groups within ICANN. These groups say the change causes havoc with applications such as spam filters and mail servers that rely on an Internet server returning an error message when a domain does not exist. VeriSign’s view on the "temporary" suspension of SiteFinder may be found at http://www.verisign.com/corporate/news/2003/pr_20031003.html

On October 6th, Eolas Technologies filed a motion in the U.S. District Court in Chicago asking for an injunction against distributing copies of Internet Explorer capable of running plug-in applications in a manner covered by Eolas’ patent. Eolas is the sole licensee and sublicensor of a browser plug-in patent owned by the University of California. If the court grants the injunction, and finds that Microsoft's proposed IE work-around does not circumvent the patent, Microsoft may find itself forced to pay Eolas to provide fundamental plug-in capabilities in the browser. In an August verdict, a jury found that Microsoft's IE browser infringed on an Eolas patent that describes how a browser opens external applications of the type that Macromedia, Adobe Systems, RealNetworks, Apple Computer, Sun Microsystems and many other software providers produce. Microsoft said it is well on its way to end-running both the patent and a potential injunction with an IE alteration it has previewed and expects to introduce early next year. Microsoft has also filed motions to set aside the $521 million judgment and to grant it a new trial. Further information may be found at http://www.newsfactor.com/perl/story/22455.html

On October 9th, the Securities and Exchange Commission (SEC) said it had filed criminal and civil securities fraud charges in federal court in Boston against Van Dinh, a 19 year old resident of Phoenixville, Pennsylvania. Dinh infiltrated the TD Waterhouse account of a Boston resident by use of a keystroke logger and used the account to buy put options in common shares of Cisco that Dinh owned and wanted to sell. This is the first action brought by the SEC against an Internet hacker for using another person’s account to make trades. The victim suffered a $40,000 loss. Dinh allegedly lured victims to a Web site with a request for help in testing software he had written that tracked stock price moves. But, officials said, the program was really a subterfuge that installed a program called the Beast, which, when downloaded onto the victim’s computer, tracked every character the user typed and relayed them back to Dinh. The SEC said it is seeking to force Dinh to pay the money he avoided losing and an unspecified amount in civil penalties. Prosecutors charged Dinh with securities fraud, mail and wire fraud, and causing damage in connection with unauthorized access to a computer. The fraud counts carry maximum penalties of 20 years in prison, and the computer counts carry a maximum penalty of 10 years. Further information may be found at http://www.sec.gov/news/press/2003-135.htm

On October 7th, a three-judge panel of the U.S. Court of Appeals for the 10th Circuit gave the Federal Trade Commission (FTC) the green light to start enforcing its national do-not-call list. The court found that the government is likely to prove that it is in the public's interest to curb unwanted telephone sales calls. A lower court had declared the registry unconstitutional and had barred the FTC from enforcing it pending a government appeal. According to the opinion, "There is a substantial likelihood that the FTC will be able to show . . . that the list directly advances the government's substantial interests and is narrowly tailored." Consumers have placed more than 50 million residential telephone numbers in the registry. The decision in FTC v. Mainstream Marketing Services may be found at http://www.ck10.uscourts.gov/circuit/031429.pdf

On October 6th, the 9th Circuit Court of Appeals ruled that cable companies are required to open their networks to competitors’ high-speed Internet service providers. The ruling bars the Federal Communications Commission (FCC) from following through with plans to allow cable companies to exclude rivals from selling competing brands of Internet service over their lines. The FCC adopted its deregulatory approach last year, arguing that it would give the cable industry an incentive to continue investing in sophisticated fiber-optic networks. But the court said the agency must continue to classify cable's Internet offerings as a telecommunications service, subjecting it to the same regulations governing high-speed Internet service provided by telephone companies. If the ruling survives the FCC’s promised appeal, the decision could provide broadband Internet users with new options for the content they see online, their e-mail addresses and potentially the monthly rates they pay. The decision could benefit companies such as EarthLink and America Online, which are trying to move their customer base from slower dial-up connections to higher-speed data services. Given this ruling, those companies could demand access to cable's broadband networks. The decision in Brand X Internet Services v. FCC may be found at http://www.ca9.uscourts.gov/ca9/newopinions.nsf/58AF00C2122345DD88256DB7005BFAA3 /$file/0270518.pdf?openelement

After years in court, University of Illinois professor Daniel Bernstein’s battle against the government Cold War laws restricting the publication of some forms of encryption code is over and the suit has been dismissed. U.S. District Judge Marilyn Hall Patel dismissed the case after the Bush administration said it would no longer try to enforce portions of the regulations. Bernstein had filed suit in 1995 after spending three years fighting with the government over whether a simple encryption program could be freely distributed over the Internet. U.S. law at the time deemed online publication an export that could be punished with severe penalties. Further information may be found at http://zdnet.com.com/2100-1105_2-5092154.html

On October 14th, federal prosecutors asked San Francisco’s Ninth District Court of Appeals to reverse a computer crime conviction against a man for notifying a company’s customers of a flaw in the company’s e-mail service. This most unusual step was taken because prosecutors conceded that they had made a mistake in prosecuting and obtaining a conviction against 30 year-old Bret McDanel. The former system administrator has already served his 16-month sentence and is currently on supervised release, during which time his access to computers is curtailed. In September 2000, McDanel notified the customers of his former employer, Tornado Development, that the company's Web-based e-mail system had a flaw that could allow an attacker to gain access to a user's e-mail. The prosecutors argued that his action damaged Tornado’s system. Following an appeal by Jennifer Granick, executive director of Stanford Law School's Center for Internet and Society, the U.S. attorney's office for the Central District of California concedes that the evidence did not establish an intent to 'damage' within the meaning of the Computer Fraud and Abuse Act under which McDanel was convicted. The original conviction seemed to establish a precedent that, by revealing a flaw in a system's security, a researcher could be accused of harming the system and violating computer crime laws. Essentially, Tornado had refused to fix the security problems McDanel had identified and he warned its users so they could help themselves. Further information may be found at http://news.com.com/2102-7348_3-5092697.html?tag=st_util_print

On October 14th, the Supreme Court agreed to once again examine how the government can protect children from online pornography without breaching the First Amendment. The latest case asks whether a subsequent law, twice rejected by an appeals court, restricts too much material that adults have the right to see or buy. The court will also decide whether the government can require some form of an adults-only screening system to ensure child computer users cannot see material deemed harmful to them. Congress passed the Child Online Protection Act in 1998 to crack down on Internet sites that do not block pornography and other inappropriate material from children. Its penalties include six months in jail and $50,000 in fines for first-time violators and additional fines for repeat offenders. It is on hold pending court challenges. The American Civil Liberties Union challenged the law as an unconstitutional restraint on free speech and the 3rd Circuit Court of Appeals has twice struck the law down, most recently ruling in March that it is "constitutionally infirm." The Bush administration appealed to the high court. The 3rd Circuit decision may be found at http://vls.law.villanova.edu/locator/3d/March2003/991324.pdf

In a twist that surprised many observers, 19 year-old Aaron Caffrey was acquitted by a jury of hacking into a computer system that provides navigational data for the port of Houston. The October 17th ruling, at Southwark Crown Court in London, accepted Caffrey’s argument that unidentified hackers had installed a Trojan Horse on his computer, containing an attack script which he unwittingly set into motion. Prosecutors had said Caffrey intentionally launched an electronic assault on a woman he met in an Internet chat room because he believed she had insulted his girlfriend. They alleged that in carrying out that attack, Caffrey inadvertently paralyzed the Houston system by bombarding it with thousands of electronic messages. The port's Internet site was forced out of service temporarily, making it difficult to obtain information about ships' whereabouts. Caffrey, who belongs to a group called Allied Haxor Elite, acknowledged hacking into computers in the past but only with the permission of the machines' owners, in order to test their security systems. He insisted he had nothing to do with the September 2001 attack in Houston. He was charged and brought to trial after computer experts failed to find Trojan Horse software that would have indicated someone had hijacked Caffrey's computer. He testified that the program might have been designed to self-destruct, leaving no trace of its presence. Further information may be found at http://www.usatoday.com/tech/news/2003-10-17-hack-acquittal_x.htm

On October 22nd, a fourth decision was issued in the closely watched Zubulake v. USS Warburg case, which has changed the rules for cost-shifting in electronic evidence cases. Plaintiff sought an adverse inference instruction from the court for defendant's alleged failure to preserve relevant information stored on six-plus backup tapes. The court found that the defendant had a duty to preserve backup tapes it could identify as storing key players' email messages and that the defendant failed to preserve some of those tapes. Judge Scheindlin denied plaintiff's motion for an adverse inference instruction, using a three-part test. First, the judge concluded that the defendant had a duty to preserve the backup tapes and had breached that duty. Second, she found that the defendant had a sufficiently culpable state of mind at the time it failed to preserve the tapes (mere negligence for at least three tapes and gross negligence for three other tapes and part of a seventh). Finally, however, she determined that the plaintiff could not determine relevance, that she could not demonstrate that the lost evidence would have supported her claims. For that reason, the court denied plaintiff's motion. The opinion in the case may be found at http://www.sochaconsulting.com/decisions.htm

On October 24th, California won its first anti-spam case when a court fined PW Marketing, a Los Angeles company, and its owners $2 million for transmitting millions of unsolicited e-mails telling readers how to spam. The judgment forbids PW Marketing from sending unsolicited commercial e-mail, accessing computers that belong to other people without their permission and disguising its identity by sending e-mails that appear to originate from a different address. The injunction also forbids the company’s owners from owning or managing any business that advertises over the Internet for a period of 10 years. Further information may be found at http://caag.state.ca.us/newsalerts/2003/03-130.htm

On October 21st, New York State Attorney General Eliot Spitzer announced an agreement with Victoria’s Secret to protect the privacy of its customers. Under the agreement, the company will compensate New Yorkers whose personal information was inadvertently left accessible via the Internet and implement a series of reforms to improve website security. Contrary to the firm’s stated web site policy, investigators found that some consumers' personal information, including name, billing address, and items ordered, was available on the company web site for a period beginning in August of 2002 and ending in late November of 2002. Under the terms of the settlement, Victoria's Secret is required to establish and maintain an information security program to protect personal information, establish management oversight and employee training programs, hire an external auditor to annually monitor compliance with the security program and provide refunds or credits to all affected New York consumers. The settlement also requires Victoria's Secret to pay $50,000 to the State of New York in costs and penalties. Further information may be found at http://www.oag.state.ny.us/press/2003/oct/oct21b_03.html

On October 20th, the Internet Software Consortium (ISC) announced that it has launched an Internet crisis coordination center to assist in protecting the Internet from hackers. The new Operations, Analysis and Research Center (OARC) will be used to study and monitor Internet traffic so that technicians will be able to differentiate high-demand traffic spikes from high-intensity attacks on root servers. To date, members of the OARC include the Internet Society, Cisco Systems, MCI, XO Communications, UltraDNS, TLD operator Afilias and Verio, as well as many of the operators of the global root DNS name servers. The OARC web site may be found at https://oarc.isc.org/

On October 22nd, the U.S. Senate voted 97-0 to pass a bill to outlaw deceptive unsolicited e-mail and to establish a "do-not-spam" registry for those who choose not to receive unsolicited e-mail. Marketers would have to label sexually explicit messages to allow users to filter them out. Violators could face prison sentences of up to a year for first offenses and up to five years for subsequent offenses as well as million dollar fines under the bill. Similar legislation in the House of Representatives has stalled as legislators try to resolve the differences between the two competing bills. The Bush Administration said it supported the bill. The bill would preempt most state laws, but would allow states to set higher penalties for deceptive or fraudulent activity if they wished. The text of the "CAN-SPAM Act of 2003" may be found by entering the bill number (S. 977) at http://thomas.loc.gov/

On October 29th, Napster (a division of Roxio), announced that the long-awaited Napster 2.0 had launched. Napster offers consumers music downloads for 99 cents per song or $9.95 per album, CD burning, transfer to portable devices, decades of Billboard charts, shared playlists within the Napster community, exclusive and original content, interactive radio, music videos and access to the world’s largest music store with more than 500,000 tracks thus far. Be advised that the current version is only supported on Windows XP/2000 operating systems. The new Napster may be found at http://www.napster.com

The Electronic Frontier Foundation (EFF) has published a new study on the unintended consequences of the Digital Millennium Copyright Act (DMCA). The document highlights incidents involving the DMCA and scientific research as well as its impact on fair use. In general, it concludes that the DMCA has failed to accomplish its intended purpose of curtailing copyright infringement and has instead been used to stifle a wide range of legitimate activities. The report may be found at http://www.eff.org/IP/DRM/DMCA/20031003_dmca_unintended_cons.pdf

The U.S. District Court for the District of Maryland issued an opinion on September 30th declining to assert jurisdiction over an Egyptian company with a "semi-interactive" web site. The court noted that there was no evidence that the foreign company "intentionally targeted" state residents. The decision in Electronic Broking Services v. E-Business Solutions & Services may be found at http://www.mdd.uscourts.gov/Opinions152/Opinions/ebs_op1003.pdf

On October 16th, Verisign announced that it has agreed to sell 85% of the Network Solutions registrar business to Pivotal Private Equity, a Phoenix-based venture capital firm. The company will retain full ownership of the registry for dot-com and dot-net domains. Under the terms of the agreement, VeriSign will receive approximately $100 million, consisting of $60 million in cash and a $40 million senior subordinated note. VeriSign will also retain a 15% equity stake in Network Solutions. The transaction is subject to certain closing conditions and is anticipated to close in the fourth quarter. Further information may be found at http://www.verisign.com/corporate/news/2003/pr_20031016.html

On October 16th, the U.S. District Court for the District of Minnesota issued an opinion rebuffing a move by Minnesota state regulators to force VoIP (Voice over IP) provider Vonage to comply with rules governing phone companies. Judge Michael Davis ruled that federal law protects information services from regulation and preempts state limits on VoIP services. The decision in Vonage Holdings Corporation v. The Minnesota Public Utilities Commission may be found at http://www.nysd.uscourts.gov/courtweb/pdf/D08MNXC/03-08475.PDF

On October 17th, the 3rd Circuit Court of Appeals refused to overturn a regulation passed by the U.S. Copyright Office that says radio stations must pay royalties when their broadcasts are simultaneously transmitted digitally over the Internet. The unanimous three-judge panel of the 3rd U.S. Circuit Court of Appeals found that the rule was correct because Congress intended for the royalty exemption to apply only to "traditional, over-the-air broadcasts." The decision in Bonneville International Corporation et al v. MaryBeth Peters may be found at http://caselaw.findlaw.com/data2/circs/3rd/013720p.pdf

On October 21st, the Federal Communications Commission (FCC) announced that it will adopt strict limits in the near future on sending digital television programs over the Internet to avoid copying. New rules will allow programmers to attach a code to digital broadcasts that will in most cases bar consumers from copying and sending copies of digitally-broadcast programs. The Center for Democracy and Technology (CDT) has issued a report on the broadcast flag that may be found at http://www.cdt.org/copyright/broadcastflag.pdf

On October 21st, Judge Easterbrook of the 7th Circuit Court of Appeals issued a new decision in a case involving a suit over videotaped scenes of naked football players in a locker room. The suit named the ISPs that provided access to sellers of the video. While affirming the dismissal of the suit, Easterbrook cast doubt on the Zeran interpretation that s. 230 of the Communications Decency Act of 1996 (CDA) provides full immunity to intermediaries, suggesting that it is possible that a state rule requiring ISPs to protect third parties from harm due to material posted on a site they host could result in liability for the intermediary. The opinion in Doe v. GTE Corporation may be found at http://caselaw.lp.findlaw.com/data2/circs/7th/024323p.pdf

On October 15th, the California Court of Appeals issued a decision in which it held that s.230 of the CDA does not bar a suit against a re-poster of allegedly defamatory content to Usenet groups. While a lower court found that the re-poster was protected by the intermediary provision of s.230, the appellate court engaged in a lengthy analysis of Zeran, finding that the earlier interpretation of the section granted immunity far broader than that intended by Congress. The case was remanded to the lower court for further proceedings consistent with the opinion. The decision in Barrett v. Rosenthal may be found at http://www.courtinfo.ca.gov/opinions/documents/A096451.PDF