CAN SPAM ACT BECOMES LAW

On December 8th, the unanimous approval by the House of Representatives ended fractious wrangling over the course of years and ensured that the CAN-SPAM Act of 2003 would become law. The bill, signed into law by President Bush on December 16th, will go into effect January 1, 2004. The final version of the Controlling the Assault of Non-Solicited Pornography and Marketing Act (commonly known as "CAN-SPAM") represents a compromise aimed at eliminating the worst tactics used by spammers, such as forging e-mail headers and sending unsolicited pornographic advertisements. It requires that marketers include "a functioning return" address or a link to a Web form which can process unsubscribe requests. The Act prohibits the harvesting of e-mail addresses by either (1) automatic means from an Internet Web site or proprietary online service maintained by a third party; or (2) an automated system that generates possible electronic addresses by combining names, letters and numbers in numerous permutations. Critics have said that CAN-SPAM, and spam legislation in general, ultimately will fail to have much of an effect on the amount of spam reaching users’ in-boxes, in part because of the volume of spam coming from overseas. The Act takes an "opt out" approach that does not ban bulk, unsolicited e-mail advertisements and pre-empts state laws like California's that do, a crucial issue for direct marketers. The final version of CAN-SPAM differs from its predecessors in that it broadens the definition of what qualifies as spam sent to mobile devices, and it makes it easier for state attorneys general to seek injunctions against spammers engaged in header forgery or who bounced mail through networks "accessed without authorization." The Act does not apply to spam sent by political, religious or nonprofit groups. The law will be enforced by the Federal Trade Commission (FTC) and the state attorneys general. Violators of the Act can be subjected to criminal penalties, which include fines and up to five years in prison, while civil damages can amount to as much as $250 per spam e-mail. Aggravated violations can cause civil damages to be tripled. The Act does not create a private right of action that consumers could use to sue spammers. Internet access providers, however, are authorized to institute a civil suit against an offender. The text of the Act may be found at http://thomas.loc.gov/cgi-bin/bdquery/z?d108:s.00877:

As of January, Microsoft will cease offering support services for its Windows 98 operating system, though it said it might still release security patches if threats appear serious enough. About 20 percent of all Windows-based computers still run Windows 95 or 98, according to International Data Corp., a technology market research firm. Support for Windows 95 terminated Dec. 31, 2001. Users running Windows 98 will not be able to call Microsoft for help after January 16th. Online assistance will still be available. Further information may be found at http://support.microsoft.com/default.aspx?scid=fh;EN-US;w98

In a December 19th decision which surprised many commentators, the United States Court of Appeals for the District of Columbia said that the Recording Industry Association of America (RIAA) was using unlawful methods to trace customers suspected of copyright infringement. The RIAA had issued a number of subpoenas to Verizon Communications and other Internet service providers seeking the names of customers involved in music file swapping. Verizon argued that existing copyright law does not give the recording industry such authority and that its customers' privacy was being violated. A lower court upheld the RIAA’s position, but the strongly worded ruling of the appeals court took Verizon’s part, saying that the copyright law does not authorize the issuance of the subpoenas. "We are not unsympathetic either to the RIAA's concern regarding the widespread infringement of its members' copyrights, or to the need for legal tools to protect those rights," the court wrote. "It is not the province of the courts, however, to rewrite (copyright law) in order to make it fit a new and unforeseen Internet architecture, no matter how damaging that development has been to the music industry." Even if the court's decision is ultimately upheld against appeals, the RIAA still will have the power to identify and sue file swappers. The big difference, though, is that the RIAA would have to file a "John Doe" lawsuit against each anonymous swapper, a process that would be considerably more labor-intensive and time-consuming. That in turn could limit the number of people the association has the resources to pursue. The decision in RIAA v. Verizon may be found at http://news.com.com/pdf/ne/2003/riaa.pdf

Upholding a lower court decision, an Oslo appeal court cleared 20-year-old Jon Johansen of DVD piracy charges, saying that he had broken no laws by helping to unlock a code and distribute a computer program on the Internet enabling unauthorized copying of DVD movies. The U.S. movie industry, which says that piracy costs $3.0 billion a year in lost sales, had accused Johansen of theft in cracking the copy-protection code when he was 15 and appealed his earlier acquittal. The Motion Picture Association of America (MPAA) will have to go to Norway's supreme court if it appeals again. Further information may be found at http://www.cnn.com/2003/TECH/biztech/12/22/dvd.piracy.reut/index.html

On December 18th, streaming media provider RealNetworks sued Microsoft on antitrust charges, accusing it of illegally using its Windows monopoly against digital media competitors. The suit was filed in federal court in San Jose, California and alleges that Microsoft has pursued a broad course of predatory conduct over a period of years resulting in substantial lost revenue and business for RealNetworks. The complaint adds that Microsoft has wielded its "monopoly power to restrict how PC makers install competing media players while forcing every Windows user to take Microsoft's media player, whether they want it or not." The complaint estimates that damages could exceed $1 billion in lost business and also seeks injunctive relief to prevent further illegal conduct by Microsoft. RealNetwork's 64-page complaint accuses Microsoft of "tying" its Windows Media Player to its Windows operating system, shutting out competitors such as Real and instantly achieving "virtually universal distribution." From October 2001 to March 2003, for example, Microsoft's "tying" ensured that Windows Media Player was preinstalled on about 95 percent of PCs shipped, according to the complaint. By contrast, RealNetworks' digital media player was preinstalled on less than 2 percent of the estimated 207 million new PCs shipped. The suit also charges that Microsoft has failed to share important information about the Windows code, thus hurting the performance of its RealPlayer product. Other charges allege that Microsoft used contractual restrictions and financial incentives to "force PC makers to accept Windows PC operating systems with the bundled Windows Media Player and to restrict the ability of PC makers to preinstall or promote competing digital media players." The suit also says Microsoft's pricing practices stifle competition. It alleges that Microsoft effectively forced competitors to provide free versions of their software to compete with Windows Media Player. A copy of the complaint in RealNetworks, Inc. v. Microsoft Corp. may be found at http://news.findlaw.com/wsj/docs/microsoft/realms121803cmp.pdf

On December 18th, Microsoft and New York Attorney General Eliot Spitzer filed lawsuits against a group of e-mail marketers that they said were responsible for sending billions of fraudulent spam messages. Microsoft said the defendants in the civil lawsuits include Synergy 6 of New York and Scott Richter, who runs Westminster, Colorado-based OptInRealBig.com. The suits accuse Richter and accomplices of sending illegal spam through 35 countries and disguising their work to prevent irritated consumers from tracing the messages. Spitzer said Richter was responsible for sending more than 250 million spam messages per day and said he believes Richter clears several million dollars a month in profits. He said he hoped the joint legal action with Microsoft, which seeks up to $20 million in fines, would drive Richter and Synergy 6 into bankruptcy. Microsoft said it filed five additional lawsuits against other spammers who allegedly used the same transmission path in New York that originally led investigators to Richter and the alleged spam network. Further information may be found at http://www.microsoft.com/presspass/press/2003/dec03/12-18NYSAGandMicrosoftPR.asp

Lindows announced on November 25th that its jury trial with Microsoft, due to start in December, has been delayed until March 1, 2004. The U.S. District Court in Seattle pushed the trial back due to a scheduling conflict. The trial had originally been planned for April 2003, but the judge delayed that date to give Lindows time to review documents from a 1992 trademark case in which Apple Computer brought suit against Microsoft. In that case, Microsoft successfully argued that it had not infringed on Apple's copyright because the windowed graphical interface of the Mac operating system had been used by other companies. Microsoft originally sued Lindows in December 2001, claiming that the company’s website infringed its trademark on the Windows operating system. The court declined to shut down the website, querying whether Microsoft had the right to the word "windows." Lindows then asked the court to dismiss the case, but the judge decided that the case should go to the jury. Further information may be found at http://www.lindows.com/lindows_news_pressreleases_archives.php?id=85

On November 26th, law enforcement authorities in California announced that they had arrested Edward Jonathan Krastof, 38, at his home in Concord, California, the same town in which a computer was stolen from Wells Fargo & Co. Krastof confessed to stealing the computer, as well as another computer and a laptop, after breaking into the office of a Wells Fargo analyst. The computers were recovered along with equipment used for scanning identity cards and checks. Wells Fargo had offered a $100,000 reward in the case, but will be able to retain the funds since the arrest was made based on regular police work rather than a tip. Investigators traced the computer to Krastof when he logged onto his own America Online account at home through one of the stolen computers. That enabled authorities to trace the computer's Internet Protocol (IP) address to Krastof's home address through his AOL account. Data on the recovered computer included names, addresses, and account and social security numbers for people with personal lines of credit used for consumer loans and overdraft protection. Further information may be found at http://www.wellsfargo.com/press/computertheftarrest20031126.jhtml?year=2003& _requestid=233862

On Monday, November 24th, Microsoft published a technical white paper that describes its internal security practices, which Microsoft hopes will "help customers successfully secure their environments." The report, entitled "Security at Microsoft," details the methods and technologies used by the company's Operations and Technology Group (OTG) to secure Microsoft's own global corporate network of more than 300,000 computers and 4,200 servers. In the report, Microsoft describes its risk management strategy. The company classifies different computing resources according to their "value class," from servers hosting the Windows source code down to test servers. Microsoft also describes how its security group assesses the potential risks and threats to those assets and sets appropriate policies to guard them, given the value of their data. Microsoft notes that it experiences more than 100,000 intrusion attempts each month and gets more than 125,000 infected e-mail messages in the same period. To protect corporate assets from threats introduced by remote workers, Microsoft says it has invested heavily in smart card technology. It has deployed more than 65,000 smart cards to remote workers, enabling them to log on to the corporate network using two-factor authentication. The report is surprisingly frank in admitting to past security failures. It acknowledges Microsoft has been attacked in the past and notes "there is a medium to high probability that within the next year, a successful attack will occur that could compromise the High Value and/or Highest Value data class," such as source code or human resources data. A copy of the white paper may be found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/best prac/default.asp

After sparring with American Blind & Wallpaper Factory over the sale of keyword advertising, it was announced on December 4th that search engine Google had filed a complaint with the U.S. District Court in San Jose, California on November 26th. American Blind was demanding that Google cease selling keyword phrases that it claims violate its trademarks. Google has asked the court to rule on whether its keyword advertising policy is lawful. Though Google said it could prevent advertisers from buying keywords that directly infringe on American Blind’s trademarks, the company said it could not block other descriptive phrases that American Blind wished to protect. Those phrases included "American wallpaper" and "American blind," according to the request for a declaratory judgment. Google says in its terms and conditions that advertisers themselves "are responsible for the keywords and ad text that they choose to use." But if requested, Google will perform a limited investigation and respect "reasonable" requests to remove trademark terms from the bidding process. Further information may be found at http://news.com.com/2102-1024_3-5113673.html?tag=st_util_print

On December 10th, John Zuccarini pled guilty to 49 federal charges of using misspelled Internet domain names for such sites as Disneyland, Teletubbies and Britney Spears to entice children to pornographic websites. Breaking down in tears, he also pled guilty to one count of possessing child pornography. Under a plea deal reached with Manhattan federal prosecutors, Zuccarini agreed to serve a prison term of 30 to 37 months. However, the judge who will sentence Zuccarini is not bound by the agreement and can impose a different term. Zuccarini, who was sued more than 100 times by such organizations as Dow Jones and The National Association of Professional Baseball Leagues for misusing their domain names, was the first person charged under a new federal law making it a crime to attract children to X-rated Internet sites. Zuccarini had admitted in previous private litigation that Web site operators paid him between 10 cents and 25 cents for every hit he brought them. Zuccarini claimed he made as much as $1 million from these payments. Zuccarini admitted carrying out his scheme by registering at least 3,000 domain names based on misspellings of legitimate companies and individuals. A very large percentage of those names were geared toward children. Further information may be found at http://www.usatoday.com/tech/news/2003-12-11-zuccarini-guilty_x.htm

On December 11th, AT&T announced that it plans to have a service delivering voice over Internet Protocol (VoIP) available to consumers in the top 100 markets by the first quarter of 2004. AT&T already offers managed VoIP services to some businesses and has been testing a consumer service in three states since October. AT&T is the latest and largest telecommunications company to embrace VoIP, but it is far from alone. Several start-ups, such as Vonage, 8x8 and VoicePulse, offer a similar service, and many Baby Bells are doing so or are expected to do so soon. VoIP providers typically charge about $40 a month for unlimited local and long-distance. AT&T did not release pricing information. Using the Internet to send phone calls is generally cheaper than standard methods, because users don't have to pay access charges to the various telephone companies that route the calls over their networks. Such charges can amount to 20 percent to 30 percent of the cost of offering local service. AT&T's plans emerged the same week that cable giant Time Warner Cable said it reached deals with Sprint and MCI to expand its VoIP service. The company's Digital Phone plan costs $39.95 a month and allows unlimited local and long-distance service. Those who aren't Time Warner Cable customers pay an additional $10 a month. Further information may be found at http://www.att.com/news/item/0,1847,12627,00.html

A report issued on December 9th and prepared for the House of Representatives' Committee on Government Reform, found that almost all agencies improved their computer-security grade since last year. However, several key federal departments continued to fail to adequately protect their networks and earned an "F." Overall, the government earned a "D" on this year's report card. In 2002, it was given an "F." Two agencies, the Department of Health and Human Services and the National Aeronautics and Space Administration, slipped in the rankings since 2002. The newest department in the federal government, the Department of Homeland Security, got off to a bad start with an overall "F" for its computer security, despite the fact that securing the nation's network is part of its mission. This year, two agencies earned an "A": The Nuclear Regulatory Commission and the National Science Foundation. Further information may be found at http://reform.house.gov/TIPRC/Hearings/EventSingle.aspx?EventID=652

Once notorious hacker Kevin Mitnick, now a successful author, speaker and head of a security company, has been commissioned to write a new book following the success of his first book, The Art of Deception. The new book, tentatively entitled The Art of Intrusion, would document the stories of real hacks, with the names of hackers and other information obscured to prevent authorities and victims from identifying them. Mitnick is offering $500 for the best story and $200 for all stories that are incorporated in the final draft. Further information may be found at http://news.zdnet.co.uk/0,39020330,39118685,00.htm

Mythic Entertainment, Inc., based in Fairfax, Virginia, has sued Microsoft alleging that its forthcoming game, called Mythica, infringes on Mythic’s trademarks. The suit was filed in the U.S. District Court for the Eastern District of Virginia. Mythic's flagship game, Dark Age of Camelot, is known among gamers as a "massive multiplayer online role playing game." About 225,000 subscribers in the United States and Europe pay more than $10 a month to take on roles as hunters or minstrels in Mythic's imaginary online world. The game, which blends Arthurian legends, Norse mythology and Celtic lore, has been in existence since October 2001. Microsoft's game, scheduled for release in 2004, offers similar character classes and draws from similar source material. Further information may be found at http://www.pcworld.com/news/article/0,aid,114019,00.asp

According to a report issued by the Markle Foundation's Task Force on National Security in the Information Age, the Bush administration has failed to improve how federal agencies and law enforcement officials share information in the war against terrorism. The panel said the information network should use technology to restrict access to sensitive information to those who have permission to view it. The report, entitled "Creating a Trusted Network for Homeland Security," also recommends limiting the private-sector data that can be held by the government and ensuring that data be shared using standards that are interoperable across many technologies. The report may be found at http://www.markletaskforce.org

On December 19th, the 4th Circuit Court of Appeals upheld a suit filed by Network Solutions in which it claimed registration fees associated with thousands of registrations by a Korean and a Dutch registrant. The court affirmed that the domain name registration agreement was enforceable and that a forum selection clause was also enforceable. The decision in Network Solutions, Inc. v. Hoblad may be found at http://pacer.ca4.uscourts.gov/opinion.pdf/031226.U.pdf

On December 15th, ICANN issued a Request for Proposal (RFP) for new sponsored top-level domains (TLDs). It was issued in response to a directive to ICANN staff by the ICANN Board of Directors. The authorizing resolution can be found at http://www.icann.org/announcements/advisory-31oct03.htm. The RFP requires a non-refundable $45,000 deposit. The deadline for submissions is March 16, 2004. Further information may be found at http://www.icann.org/tlds/new-stld-rfp/new-stld-application-parta-15dec03.htm

On December 3rd, the 9th Circuit Court of Appeals denied an application for a rehearing in the Batzel v. Smith case, which involves the application of the intermediary statutory immunity provided by the Communication Decency Act, Section 230. Several judges dissented from the opinion, arguing that the interpretation is wrong in light of Congress's intent and that it will harm persons defamed on the Internet. The decision may be found at http://caselaw.lp.findlaw.com/data2/circs/9th/0156380pv2.pdf

On December 4th, President Bush signed legislation giving consumers new protections against identity theft, including free annual credit reports and a national fraud-alert system to minimize damage once a theft has occurred. The legislation renewed the Fair Credit Reporting Act, which set a national credit reporting standard to make it easier for people to get credit cards, loans and mortgages. The text of the Act, entitled the National Consumer Credit Reporting System Improvement Act of 2003, may be found by entering the bill number (H.R. 2622) at http://thomas.loc.gov/

On December 10th, the 3rd Circuit Court of Appeals ruled that an employer's decision to search through an employee's e-mails in computer storage does not violate any provisions of the Electronic Communications Privacy Act since the law bans an interception only if it occurs at the time of transmission and exempts the owner of an e-mail system from any claim alleging an illegal seizure of stored e-mails. The decision in Fraser v. Nationwide Mutual Insurance may be found at http://caselaw.findlaw.com/data2/circs/3rd/012921p.pdf

A Connecticut District Court has dismissed a suit against AOL for unfairly disclosing the identity of a subscriber on the basis of AOL's forum selection clause. A Connecticut resident sued the company after it revealed his identity to law enforcement authorities on the basis of a defective warrant. AOL successfully argued that the man should have brought the suit in Virginia. The decision in Freedman v. AOL may be found at http://www.ctd.uscourts.gov/Opinions/120503.PCD.Freedman.pdf and further information may be found at http://hartfordadvocate.com/gbase/News/content?oid=oid:47678