COURT FORBIDS FBI TO SPY ON CAR COMPUTERS
On November 18th, the 9th Circuit Court of Appeals ruled 2-1 that the FBI and other law enforcement bodies may not remotely activate dashboard computing systems, such as OnStar. The court said that the eavesdropping would render the system inoperable during an emergency. The court ruled that "the company could not assist the FBI without disabling the system in the monitored car" and said a district judge was wrong to have granted the FBI its request for surreptitious monitoring. The court did not reveal which brand of remote-assistance product was being used but did say it involved luxury cars and, in a footnote, mentioned Cadillac, which sells General Motors' OnStar technology in all current models. Privacy advocates are distressed that the decision did not focus on privacy issues, but on the interference with the contractual relationship between the service provider and the customer, to the point that the service was being interrupted. Under current law, the court said, companies may only be ordered to comply with wiretaps when the order would cause a minimum of interference. The opinion in The Company v. The United States of America may be found at http://www.ca9.uscourts.gov/ca9/newopinions.nsf/7BD3F8D6A62D994588256DE2005C863B/$file/0215635.pdf?openelement
SENATE PASSES ANTISPAM BILL
On November 19th, the Senate voted to outlaw deceptive spam and to set up a "do not spam" registry for those who do not want to receive unsolicited commercial e-mail. Under the bill, which passed by a vote of 97 to 0, spammers who flood e-mail inboxes with pornography and get-rich-quick schemes could face jail time and million-dollar fines. The Bush administration said it supported the bill. Senators noted that spam has become a top constituent concern and could overwhelm the Internet if left unchecked. The bill would not outlaw all unsolicited commercial e-mail, focusing instead on the fraudulent or deceptive messages estimated to make up two-thirds of all unsolicited commercial e-mail. Marketers who falsify return addresses or routing information, hide their pitches behind misleading subject lines such as "Re: your request," or promote body-enhancement pills or other fraudulent products would face jail sentences of up to a year and fines of up to $1 million. Repeat offenders could face jail terms of up to five years. Marketers would have to label sexually explicit messages to allow users to filter them out. More than half of U.S. states have passed anti-spam bills of their own, many of which set tougher regulations for marketers. The bill would preempt most state laws, but would allow states to set higher penalties for deceptive or fraudulent activity if they wished. The text of the bill may be found by entering the bill number (S. 877) at http://thomas.loc.gov/
HOUSE PASSES ANTISPAM BILL/SENATE ADOPTS, RETURNS TO HOUSE
On November 21st, the House of Representatives overwhelmingly passed a bill (392 to 5) to curb spam. The bill would preempt more than 35 state anti-spam laws, including some that imposed significantly tighter restrictions on e-mail marketing. The bill would prohibit senders of unsolicited commercial e-mail from disguising their identity by using a false return address or misleading subject line. In addition, it would prohibit senders from harvesting addresses off Web sites and require such e-mails to include a mechanism so recipients can indicate they do not want to be included in future mass mailings. Like the Senate bill that passed earlier, it includes the establishment of a "Do Not Spam" list. On November 27th, the Senate passed by unanimous consent the House version of the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003, but the bill needs to go back to the House for final approval because the Senate version included some technical corrections to the House version. Further information may be found at http://www.idg.com.sg/idgwww.nsf/unidlookup/93CE4A1A39E8BB9848256DEB0010B8B4?OpenDocument
ELECTION SOFTWARE EXPOSED ONLINE
In late October, software used by an electronic voting system manufactured by Sequoia Voting Systems was left unprotected on a publicly available server, generating concerns about the possibility of vote tampering in future elections. The software was made available at ftp.jaguar.net, stored on an FTP server owned by Jaguar Computer Systems, a firm that provides election support to a California county. The software is used for placing ballots on voting kiosks and for storing and tabulating results for the Sequoia AVC Edge touch-screen system. Though access has since been blocked, the concern is that anyone with modest technical knowledge could see how the code works and potentially exploit it to rig voting results. Although Sequoia blasted Jaguar for its security lapse, it said that the code that was retrieved is used to accumulate unofficial results on election night and does not compromise the integrity of the official electronic ballots themselves. The files on the server revealed that the Sequoia system relies heavily on Microsoft software components, a fact the company often has failed to discuss since Microsoft software is a frequent target of hackers. This represents the second time this year that voting machine code has been leaked on the Internet. In January, source code for the AccuVote-TS system made by Diebold Election Systems was found on an unprotected FTP server belonging to the company. Researchers at Johns Hopkins and Rice universities who read the Diebold code found numerous security flaws in the system and published a report that prompted the state of Maryland to conduct its own audit of the software. Sequoia’s own discussion of why electronic voting should be regarded as secure may be found at http://www.sequoiavote.com/mediadetail.php?id=69. The report about the Diebold code may be found at http://avirubin.com/vote.pdf. 
Diebold had been aggressively filing actions against posters of internal company memos raising security concerns associated with its e-voting software, but has now apparently decided to withdraw its Digital Millennium Copyright Act (DMCA) claims. The company acknowledges that the material is now widely available. Its most recent filing may be found at http://cyberlaw.stanford.edu/about/cases/DieboldResponse.pdf
TROJAN HORSES EXONERATE BRITISH MAN OF CHILD PORN CHARGES
On October 28th, it was reported in Great Britain that Julian Green had been exonerated of child pornography charges. Green was arrested in October 2002 after police raided his home and found 172 child pornography images on his hard drive. A computer forensics firm reported that there were 11 Trojan horse programs on Green's computer that were set to log onto pornographic sites without Green's permission whenever he loaded up a browser to access the Internet. Confronted by the evidence, the prosecution elected to drop the charges. Green's acquittal is one of three recent cases where a Trojan defense has succeeded in a British court. In April, Karl Schofield was cleared of possession of child porn charges when prosecutors accepted expert testimony that an unnamed Trojan could have been responsible for the presence of 14 child porn images on his computer. Aaron Caffrey, the teenage hacker charged with crippling the Port of Houston's web-based systems, was found not guilty after a jury accepted his story that attackers used an unspecified Trojan to gain control of his PC and launch the assault. The prosecution argued that no trace of Trojan infection was found on Caffrey's computer but the defense was able to counter this argument with testimony from Caffrey that it was possible for a Trojan to destroy itself and all traces of its existence. Many commentators are skeptical of the "Trojan horse defense" and believe it will be a rallying point for those charged with possession of child porn or breaking into other computer networks. Further information may be found at http://www.theregister.co.uk/content/55/33636.html
U.K. WILL EXTRADITE SPAMMERS
On October 30th, British lawmakers announced that they would utilize their new criminal antispam law to extradite spammers to Britain for trial. The new law goes into effect in December. While initially extradition would be used to target spammers, it could be expanded to include suspects in other cybercrime cases such as virus-writing and hacking. The British have spoken to FBI officials about extraditing American spammers who violate British laws and report that the FBI generally doesn’t see any problem with the proposed extraditions. Further information may be found at http://news.com.com/2100-1028_3-5099322.html?tag=prntfr
MICROSOFT ESTABLISHES VIRUS HUNTING PROGRAM
On November 5th, Microsoft announced that it would team with law enforcement to find authors of worms, viruses and other malicious code, paying up to $5 million to fund the program. The first two bounties offered, $250,000 each, are for information leading to the arrest and conviction of the individuals responsible for releasing the MSBlast worm and Sobig virus. Microsoft executives were joined by representatives from the FBI, the Secret Service and Interpol at a press conference that announced the new fund. The rewards will be open to residents of any country, subject to that country's laws, Microsoft said. People with information can report it to law enforcement online, to Interpol, to the Internet Fraud Complaint Center or to the FBI, Secret Service or Interpol field offices. The program is officially titled "The Anti-Virus Reward Program." Further information may be found at http://www.microsoft.com/presspass/features/2003/nov03/11-05AntiVirusQA.asp
SENDMAIL AND CLOUDMARK UNITE TO DEFEAT SPAM
On November 3rd, Cloudmark announced that Sendmail, Inc., whose technology transports almost 60 percent of Internet e-mail, will make Cloudmark’s antispam filtering tools a core portion of its commercial mail management software. Sendmail produces open-source software that routes corporate e-mail to and from the Internet. Roughly 90 percent of Fortune 1000 companies use the software on their networks. It also sells a commercial version that includes e-mail management and filtering services to protect enterprises against viruses and spam. By partnering with Cloudmark, Sendmail replaces its former antispam provider, Elron Software. Sendmail chose Cloudmark after testing 42 antispam software products over several months. Cloudmark's product Authority won the product selection based on its performance and effectiveness at mitigating false positives, that is, the mislabeling of legitimate e-mail as spam. Further information may be found at http://www.cloudmark.com/company/press/release/2003-11-03.php
MICROSOFT SETTLES MORE CLASS ACTION SUITS
In a flurry of settlements in November, Microsoft has reached agreements in class action suits in Tennessee, North Carolina, North Dakota and South Dakota. The terms vary and are detailed on Microsoft’s web site; they represent a continuing pattern of trying to extricate Microsoft from the multitude of class action suits pending against it. The four settlements combined are expected to cost Microsoft about $73 million. Further information may be found at http://www.microsoft.com/presspass/legalnews.asp
MUSIC INDUSTRY INTRODUCES GLOBAL WEBCAST LICENSES
On November 11th, the International Federation of the Phonographic Industry (IFPI), the global trade body representing major and independent music labels, announced a "one-stop" international license for online radio broadcasters, hoping the removal of red tape will encourage the rise of legitimate Web music services. Previously, online radio broadcasters had to secure approval from an alphabet soup of national collection agencies. Broadcasting a single song online to European listeners across the continent, for example, would require a Webcaster to obtain dozens of licensing contracts. The IFPI expects collection agencies in 30 to 40 countries to sign up for the single license agreement by the end of 2003. The agreement is for radio-style broadcasts only. Internet firms must still secure individual licensing agreements to sell permanent song downloads to consumers. Further information may be found at http://www.ifpi.org/site-content/press/20031111.html
PATENT OFFICE WILL RE-EXAMINE EOLAS PATENT
On October 30th, the U.S. Patent and Trademark Office (PTO) took the unusual step of agreeing to re-examine the Eolas patent for a browser plug-in. The patent, owned by the University of California and licensed exclusively to one-man software company Eolas, describes how a Web browser can use external applications. Recently a federal jury found that Microsoft had infringed the patent and awarded a $521 million judgment. After Microsoft made public planned changes to its Internet Explorer browser that had the potential to render millions of Websites partially or wholly inoperable, the World Wide Web Consortium (W3C) urged the PTO to re-examine the so-called 906 patent in light of W3C technologies that it said predated the Eolas patent. Specifically, the consortium pointed out early HTML drafts by W3C Director Tim Berners-Lee and W3C staff member Dave Raggett that it said qualified as prior art in the case. Prior art is a similar invention that predates a patent, therefore invalidating it. Further information may be found at http://www.computerworld.com/governmenttopics/government/legalissues/story/0,10801,87085,00.html
OPERATION CYBER SWEEP NETS ARRESTS/CONVICTIONS
On November 20th, Attorney General John Ashcroft, Assistant Attorney General Christopher A. Wray of the Criminal Division, FBI Assistant Director Jana Monroe and Federal Trade Commission (FTC) Chairman Timothy Muris announced the arrests or convictions of more than 125 individuals and the return of over 70 indictments in a coordinated nationwide enforcement operation designed to crack down on the leading types of online economic crime. The ongoing operation, known as Operation Cyber Sweep, has been coordinated by 34 U.S. Attorneys’ offices nationwide, the FBI, the Postal Inspection Service, the FTC, the United States Secret Service, and the Bureau of Immigration and Customs Enforcement, together with a variety of state, local and foreign law enforcement agencies. The operation targets a variety of online economic crimes that involved schemes including fraud, software piracy and the fencing of stolen goods. More than 125 investigations have been opened since Operation Cyber Sweep began on Oct. 1, 2003. Investigators have uncovered more than 125,000 victims with estimated losses of more than $100 million. More than 90 search and seizure warrants were executed as part of the operation, and prosecutors have obtained more than 70 indictments to date. The charges have led to more than 125 arrests or convictions. Further information may be found at http://www.usdoj.gov/opa/pr/2003/November/03_crm_638.htm
AT&T SUES EBAY IN PATENT DISPUTE
On November 20th, AT&T announced that it had filed a lawsuit against online auction house eBay and its PayPal unit, claiming the companies' online payment systems violate its patent on secure Internet transactions. AT&T said its patent covers transactions in which an intermediary securely processes payments over a communications system such as the Internet. The use of an intermediary ensures that one party will not have to disclose sensitive information, such as a credit card number or bank account number, directly to the other party in a deal. The suit was filed in federal district court in Delaware. AT&T offered to license the patented technology to each of the companies, but it said the two companies have refused to pay for a license. AT&T asked the court for a permanent injunction preventing eBay and PayPal from using the technology. It also asked for the profits and revenues the companies gained from its use, and an award of compensatory damages. Further information may be found at http://www.att.com/news/item/0,1847,12548,00.html
MAN ARRESTED FOR SPAM RAGE
It just had to happen sometime. Infuriated over the flood of spam in his e-mail box, a Silicon Valley computer programmer was arrested on November 20th for threatening to torture and kill employees of a company he held accountable for sending him spam promising to enlarge his penis. Charles Booher, 44, was arrested and released on a $75,000 bond for making repeated threats to employees of a Canadian company, Albion Medical, between May and July. Booher threatened to send a package full of anthrax spores to the company, to disable an employee with a bullet and torture him with a power drill and ice pick; and to hunt down and castrate the employees unless they removed him from their e-mail list, according to prosecutors. In a telephone interview, Booher acknowledged that he had indeed "sort of lost my cool." Booher faces up to five years in prison and a $250,000 fine, with a preliminary hearing scheduled for December. He said he does not own any guns or have access to anthrax. Further information may be found at http://www.wired.com/news/print/0,1294,61339,00.html
ICANN SETS TIMETABLE FOR NEW TOP-LEVEL DOMAINS
On October 31st, the Internet Corporation for Assigned Names and Numbers (ICANN) issued an Advisory announcing that it had approved a timetable for expanding the online addressing system with the objective of allowing domain names made up entirely of non-English characters. ICANN called for studies by next September on technical, economic, trademark and other considerations related to new names. The Board resolutions may be found at http://www.icann.org/announcements/advisory-31oct03.htm
COURT RULES FOR ICANN
On November 13th, a federal court in Los Angeles dismissed charges filed by two domain name registrars that alleged the Internet Corporation for Assigned Names and Numbers (ICANN) had engaged in anticompetitive practices. The charges were filed after ICANN said it would hand over the management of expired domain names ending in .com and .net, called the Wait-Listing Service, to online security company VeriSign. The plaintiffs claimed that ICANN breached its obligations because many other parties had objected to its proposal. The court ruled, however, that the wait-list change would not harm competition or the public trust. Further information may be found at http://www.theregister.co.uk/content/6/34032.html
GATES UNVEILS JUNK E-MAIL SOFTWARE AT COMDEX
On November 16th, Microsoft Corp. Chairman Bill Gates announced new junk e-mail filtering technology called SmartScreen in his keynote address at the annual Comdex trade show in Las Vegas. Gates, who was the keynote speaker Sunday at Comdex for the 20th year in a row, also unveiled new software to improve network security, which will be available to customers under a beta test program starting in January. The SmartScreen technology will be used in several products. The technology will use algorithms to judge whether incoming e-mail messages qualify as junk e-mail and filter them out before they get to the end user's e-mailbox. The other product focuses on improving the overall security of a network, including simplifying how to keep software up to date and patching any known security holes. The products represent Gates’ view of "seamless computing," in which computers and other devices can talk automatically and trade data without technological hiccups or security issues. Critics charge that by removing human error, Gates would also remove choice and automatically subject users to the legendary Microsoft security holes. The transcript of the entire keynote speech may be found at http://www.microsoft.com/billgates/speeches/2003/11-16comdex2003.asp
COURT RULES IN FAVOR OF POP-UP ADS
On November 19th, Judge Nancy Edmunds of the U.S. District Court of Michigan's Southern Division denied Wells Fargo's motion for a preliminary injunction against WhenU.com, a distributor of free advertising software. Wells Fargo and plaintiff Quicken Loans charged that WhenU.com violated their copyrights and trademarks by delivering ads for rival Web sites to consumers while they were visiting their own sites. The court wrote that "the fact that some WhenU advertisements appear on a computer screen at the same time (the) plaintiffs' Web pages are visible in a separate window does not constitute a use in commerce of the plaintiffs' marks." While only a preliminary opinion, it seems to concur with an earlier judgment in favor of WhenU.com in its case against U-Haul International. Like Wells Fargo, U-Haul had charged WhenU with trademark and copyright violations, among other complaints, as a result of pop-ups for competing movers that appeared on U-Haul's Web pages. In September, a Virginia U.S. District Court judge granted a motion for summary judgment in favor of WhenU. WhenU makes software that tracks the movement of Web surfers and serves up targeted ads to those who are likely to make a purchase. For example, an ad for travel site Priceline.com might appear while a surfer is visiting Travelocity.com. The software is bundled with other popular downloads, such as peer-to-peer software BearShare or weather applications, that consumers use for free by agreeing to receive occasional ads. About 30 million Net users have WhenU's software on their desktops, sometimes without their knowledge if they fail to read the fine print. The judge wrote, "The fact is that the computer user consented to this detour when the user downloaded WhenU's computer software" and "While pop-up advertising may crowd out the U-Haul advertisement screen through a separate window, this act is not trademark or copyright infringement, or unfair competition." The decision in Wells Fargo & Co. et al v. WhenU.com, Inc. may be found at http://www.mied.uscourts.gov/_opinions/Edmundspdf/NGE03cv71906WhenU.pdf
SENATE BILL AIMS AT PRE-RELEASE PIRATES
On November 13th, Senators John Cornyn and Dianne Feinstein introduced the Artists Rights and Theft Prevention (ART) Act to make it easier to prosecute suspected pirates who offer "pre-release" movies and music online. Internet movie piracy is costing the major studios up to $1 billion a year in lost revenue, according to Macrovision Corp., which develops anti-piracy technology. The largest music publishing and distribution companies lost $700 million to digital file sharing in 2002, according to a report from the Boston-based Forrester research group. Under current law, felony charges apply only to piracy suspects who distribute 10 or more copies of pre-release albums and movies, with a retail value of more than $2,500. Under the Cornyn-Feinstein bill, felony charges could be filed against people who share pre-release entertainment online, regardless of the number of copies or its value. On the Internet, where many pirated goods are offered free over peer-to-peer networks, it can be difficult to place a dollar figure on a single act of piracy. That difficulty has made it harder to prosecute even the most egregious cases of copyright infringement. The text of the bill may be found by entering the bill number (S. 1932) at http://thomas.loc.gov/
LIBRARY OF CONGRESS GRANTS FOUR DMCA EXCEPTIONS
The U.S. Library of Congress has created four narrow exemptions to the Digital Millennium Copyright Act (DMCA), under which it is legal to crack digital copyright protections. Such protections can now be broken to access: 1) lists of sites blocked by commercial Internet filtering software, but not spam-fighting lists; 2) computer programs protected by hardware dongles that are broken or obsolete; 3) computer programs or video games that use obsolete formats or hardware; 4) e-books that prevent read-aloud or other handicapped access formats. The move was criticized by free-speech activists, who had hoped for more exceptions. The exceptions may be found at http://www.copyright.gov/1201/
EU PRIVACY RULES COME INTO FORCE
On October 31st, digital privacy rules came into force in the European Union. The new laws require companies to obtain consent before sending e-mail, tracking personal data on Web sites or pinpointing callers' locations via satellite-linked mobile phones. How to enforce the rules is left up to the 15 member states, whose fines vary. None of the member states call for prison sentences. The directive may be found at http://register.consilium.eu.int/pdf/en/02/st03/03636en2.pdf
FCC APPROVES 'BROADCAST FLAG' FOR DIGITAL TV
The Federal Communications Commission (FCC) announced on November 4th that it had approved the use of broadcast flags, a mechanism that will make it harder for computer users to distribute digital TV programs on the Internet. The FCC decision does not preclude the use of the flag for news or other content that is already in the public domain. A dissenting FCC commissioner argued that the decision also did not directly consider the impact of the technology on personal privacy. Further information may be found at http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-240759A1.pdf
COURT DISMISSES CLASS ACTION AGAINST PHARMATRAK
On November 6th, the U.S. District Court for the District of Massachusetts dismissed a class action suit against Pharmatrak arising from the collection of personal information through the use of cookies. While an appellate court found that Pharmatrak may have intercepted personal information within the meaning of the Electronic Communications Privacy Act (ECPA), the district court, hearing the case on remand, ruled that Pharmatrak collected only a small amount of personal information. The decision in In re: Pharmatrak Inc. Privacy Litigation may be found at http://pacer.mad.uscourts.gov/dc/opinions/tauro/pdf/pharmatrakremand.pdf
CONGRESS URGED TO PROTECT ONLINE PRIVACY
The Center for Democracy and Technology (CDT) released a report on November 17th entitled "Ghosts in Our Machines: Background and Policy Proposals on the 'Spyware' Problem." The report says that lawmakers have yet to figure out the best way to combat computer spyware that tracks Internet users’ online activity. The group urged Congress to establish broad online privacy rights to protect against secret online surveillance. A copy of the report may be found at http://www.cdt.org/privacy/031100spyware.pdf