SUPREME COURT HANDS DEFEAT TO FILE SWAPPERS
On June 27th, the Supreme Court issued a decision that represents a sweeping victory for movie studios and record companies against file swapping companies such as Grokster. In a unanimous decision, the court said companies that build businesses with the active intent of encouraging copyright infringement should be held liable for their customers' illegal actions. "We hold that one who distributes a device with the object of promoting its use to infringe copyright, as shown by clear expression or other affirmative steps taken to foster infringement, is liable for the resulting acts of infringement." In the wake of the ruling, it is expected that the recording and movie industry will immediately move to file suits against file swapping companies. The court's ruling sends the case back to the lower courts, which will review the evidence against Grokster and co-defendant StreamCast in the light of the decision. The decision in MGM v. Grokster may be found at http://a257.g.akamaitech.net/7/257/2422/27jun20051200/www.supremecourtus.gov/opinions/04pdf/04-480.pdf
CABLE INDUSTRY WINS IN SUPREME COURT
On June 27th, the Supreme Court ruled that cable companies do not have to share their infrastructure with competing Internet service providers. In a 6-3 decision, the court overturned an appellate court decision that would have forced cable companies to open up their networks to Internet service providers such as Brand X and EarthLink. The decision is not expected to affect consumers immediately, since cable companies have been exempt from having to share their networks. However, Brand X and its supporters believe that over the long term, the decision will deter competition and lead to higher broadband prices. The case revolved around the definition of cable service. The FCC has defined cable broadband as an "information service," a definition that, under agency guidelines, frees cable companies of regulations that would require operators to share their networks with competitors, including ISPs such as Brand X. Brand X argued that cable networks should be regulated like phone lines, which, because they handle telecommunications service, fall under a different set of rules, rules that require carriers to allow competing services to ride over their networks. The court upheld the FCC’s interpretation, saying that the case was so technically involved that it was reasonable to defer to the expertise of the FCC. The decision in The National Cable and Telecommunications Association v. Brand X Internet Services may be found at http://a257.g.akamaitech.net/7/257/2422/27jun20051730/www.supremecourtus.gov/opinions/04pdf/04-277.pdf
ARTHUR ANDERSEN CONVICTION OVERTURNED
On May 31st, in a unanimous opinion, the Supreme Court concluded "jury instructions at issue simply failed to convey the requisite consciousness of wrongdoing" in the Arthur Andersen conviction involving the destruction of e-mail. Chief Justice William Rehnquist wrote the opinion, saying, "Indeed, it is striking how little culpability the instructions required." The ruling remanded the case to lower federal courts to sort out, but it gave no indication whether Arthur Andersen would be granted a new trial. Andersen officials were convicted in June 2002 of obstruction of justice over the massive document destruction relating to its work for Enron. The opinion in Arthur Andersen v. U.S. may be found at http://a257.g.akamaitech.net/7/257/2422/31may20051130/www.supremecourtus.gov/opinions/04pdf/04-368.pdf
A RECORD DATA THEFT: 40 MILLION CREDIT CARD NUMBERS
On June 17th, MasterCard International Inc. announced that more than 40 million credit card numbers belonging to U.S. consumers were accessed by a computer hacker. Although security breaches have become legion, this is by far the largest security breach reported to date. All credit card brands were affected, including 13.9 million cards bearing the MasterCard label. A spokeswoman for Visa USA Inc. confirmed that 22 million of its card numbers may have been breached. MasterCard officials said that sensitive personal data, such as Social Security numbers and birth dates, were not stored in the hacked system. The breach occurred late last year at a processing center in Tucson, Arizona operated by CardSystems Solutions Inc., one of several companies that handle transfers of payment between the bank of a credit card-using consumer and the bank of the merchant where a purchase was made. MasterCard said it has begun notifying banks that issue its cards, which in turn are responsible for notifying cardholders. The FBI is investigating the case. Further information may be found at http://www.mastercardinternational.com/cgi-bin/newsroom.cgi?id=1038&
LAWSUIT IN WAKE OF CREDIT CARD DATA LOSS
On June 27th, it was reported that a class-action suit had been filed in California Superior Court in San Francisco against CardSystems Solutions, Visa and MasterCard on behalf of California credit card holders and card-accepting merchants. The lawsuit accuses the companies of violating California law by neglecting to secure credit card systems and by failing to inform consumers in a timely manner about the security breach at payment processor CardSystems, which was disclosed publicly on June 17th by MasterCard. In the break-in, intruders got access to details on about 40 million credit cards. Records covering about 200,000 cards are thought to have been transferred out of CardSystems' network. Despite this, credit card companies have said they would not notify customers unless the accounts are actually abused. The lawsuit asks for CardSystems, Visa and MasterCard to inform consumers whose personal information was exposed and give special notice to those whose data was confirmed stolen. All involved should also get access to a credit-monitoring service, according to the suit. Further information may be found at http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=fc804218-d7bb-4d99-8c90-4e720f4563d7&newsType=News
INSIDER THREAT STUDY RELEASED BY CERT
In late May, the U.S. Secret Service and Carnegie Mellon University's CERT Coordination Center released a study advising companies that wish to avoid insider cyberattacks to ensure that they have good password, account, and configuration management practices, as well as the right processes in place for disabling network access when employees are terminated. Also crucial is the need to have formal processes for handling employee grievances and negative events in the workplace as well as for reporting suspicious behavior, according to the report. The report is based on an investigation of 49 cases of insider attacks via computer systems in critical infrastructure sectors between 1996 and 2002. In the vast majority of cases, the primary motivation for the attacks appears to have been revenge and most attacks involved former employees who shouldn't have been able to access the systems after they left the company they worked for. About 57 percent of the attacks were carried out by systems administrators, while 33 percent were caused by privileged users. Many attacks involved the use of so-called logic bombs that were designed to corrupt data and delete files after a specified period of time. The report may be found at http://www.cert.org/archive/pdf/insidercross051105.pdf
HOMELAND SECURITY FAILS AT CYBERSECURITY
On May 26th, the Government Accountability Office released a scathing report charging that the Department of Homeland Security has failed to live up to its cybersecurity responsibilities and is unprepared for emergencies. More than two years after its creation, Homeland Security has never developed a contingency plan to restore Internet functions in an emergency and has yet to create a vulnerability assessment of what could happen in a worst-case scenario, according to the report. The report may be found at http://www.gao.gov/highlights/d05434high.pdf
NEW DATA DISPOSAL RULES TAKE EFFECT
On June 1st, the Federal Trade Commission announced that a new data disposal law has gone into effect under the Fair and Accurate Credit Transaction Act of 2003 (FACTA). The new rule requires all businesses and individuals to destroy private consumer information obtained from credit bureaus and other information providers in determining whether to grant credit, hire employees or rent an apartment. Issued under orders from Congress, in an attempt to crack down on identity theft, the Federal Trade Commission's new rule requires that personal information be burned, pulverized, shredded or destroyed in such a way that the information cannot be read or reconstructed. The rule also applies to electronic files, which must be erased or destroyed, and covers credit report data, credit scores, employment histories, insurance claims, check-writing histories, residential or tenant history and medical information. Failure to properly dispose of the data could invoke a $2,500 federal penalty per violation, as well as lawsuits from people who could seek damages if personal information was misused as a result of improper disposal. The rule applies to large and small companies, to lenders and insurers, as well as landlords, car dealers, attorneys and private investigators. Individuals who use credit reports to hire domestic help or contractors, for example, also are subject to the new rule. The rule sets ground rules for disposal but not a time limit. It also does not say how securely data must be kept until it is destroyed, although some laws already provide such rules for financial and medical institutions. Further information may be found at http://www.ftc.gov/opa/2005/06/disposal.htm
STUDY SHOWS ONLINE PRICING BASED ON USER’S SHOPPING
The Annenberg Public Policy Center has released a study entitled, "Open to Exploitation," which concludes that most Americans have no idea that Internet merchants often charge different prices to different consumers for the same products. According to the study, nearly two-thirds of adult Internet users incorrectly believe it is illegal to charge different people different prices, a practice retailers call "price customization." The Web lets shoppers easily compare prices, but it also enables businesses to collect detailed records on a customer's behavior and preferences and set prices accordingly. Doing so is generally lawful unless it discriminates against race or gender or violates antitrust or price-fixing laws. First-time buyers at a retailer might see higher prices than a repeat customer. However, retailers may not offer discounts to repeat shoppers who buy the same brands regularly without even looking at alternatives on the site. A copy of the report may be found at http://www.annenbergpublicpolicycenter.org/04_info_society/Turow_APPC_Report_WEB_FINAL.pdf
AMD FILES ANTITRUST SUIT AGAINST INTEL
On June 27th, Advanced Micro Devices (AMD) filed a federal antitrust lawsuit against Intel, alleging that Intel has a monopoly in the PC industry. The suit, filed in the U.S. District Court in Delaware, details alleged scare tactics and coercion that AMD claims Intel imposed on 38 companies, including large-scale computer makers, small system builders, wholesale distributors and retailers. Intel processors allegedly account for more than 80 percent of the computers running x86-based chips. The suit is based in part on information gleaned from a recent investigation of Intel by Japan’s Fair Trade Commission. In that investigation, the agency said that Intel's Japan unit stifled competition by offering rebates to five Japanese PC makers, Fujitsu, Hitachi, NEC, Sony and Toshiba, which agreed not to buy or to limit their purchases of chips made by AMD and Transmeta. The complaint in the case may be found at http://www.amd.com/us-en/assets/content_type/DownloadableAssets/AMD-Intel_Full_Complaint.pdf
UTAH’S INTERNET PORNOGRAPHY LAW CHALLENGED
On June 9th, the American Civil Liberties Union joined a group of Internet service providers and other plaintiffs challenging the constitutionality of a new Utah Internet pornography law. The law requires the state attorney general to create a database of Web sites containing "material harmful to minors." Internet service providers are then required to use filters to keep children from seeing those sites. The filters must be in place by 2006. Failure to abide by the law can result in fines of up to $10,000 per day. Internet content publishers and ISPs would be subject to the state's harmful-to-minors law, which would expose them to felony charges if they violate it. Further information may be found at http://www.aclu.org/Privacy/Privacy.cfm?ID=18455&c=252
ICANN SELECTS VERISIGN TO RUN .NET
On June 9th, the Internet Corporation for Assigned Names and Numbers (ICANN) announced that it had selected VeriSign Inc. to run the Internet’s third-most popular domain name for six more years. ICANN had reviewed VeriSign’s contract after receiving recommendations from an outside panel and comments from the Internet community. U.S. Commerce Department approval is also required and expected to be given. The new contract should generate more than $20 million annually for VeriSign. There are currently about 5.8 million .net domain names. Further information may be found at http://www.icann.org/announcements/announcement-08jun05.htm
SYMANTEC FILES SUIT AGAINST HOTBAR.COM
On June 7th, Symantec announced that it had filed a suit against Hotbar.com in the U.S. District Court for the Northern District of California. The move is actually a preemptive strike. In October of 2004, Hotbar contacted Symantec and complained about Symantec's enterprise antivirus products, which flag the Hotbar programs as adware. Hotbar has since reportedly threatened to sue Symantec. Symantec said it is not asking for money, but is seeking an affirmation that Hotbar products are indeed adware and can be treated as security risks. Hotbar offers toolbars for Microsoft's Internet Explorer Web browser and Outlook and Outlook Express e-mail clients. Symantec claimed in its lawsuit that the programs display ads based on keywords and log information on the PC user's Web browsing habits, possibly for use in targeted marketing. Symantec customers have complained about Hotbar products because they were not clear on what the programs were doing and found that they could not get rid of the applications. Also, in some cases, the Hotbar programs were installed with other software or when a specific Web site was visited, unbeknownst to the user, according to the lawsuit. Further information may be found at http://www.symantec.com/press/2005/n050607.html
MACROVISION SUES OVER COPYRIGHT CRACKING TOOLS
On June 15th, Macrovision Corp. announced that it had sued two companies for offering products that break its patented copyright protection technology and allow consumers to make unauthorized duplicates of commercial DVDs. The suit was filed in a federal court in New York, and alleges that the defendants, Sima Products Corp. and Interburn Enterprises Inc., infringe on Macrovision’s patented copy control technology and also violate the Digital Millennium Copyright Act. The suit is seeking an order to halt the sale of Sima and Interburn products. Further information may be found at http://www.macrovision.com/company/news/press/newsdetail.jsp?id=Wed%20Jun%2015%2010:10:27%20PDT%202005
INTERMIX TO SETTLE SPYWARE LAWSUIT
On June 14th, Intermix Media Inc. announced that it had reached an agreement in principle with New York Attorney General Eliot Spitzer in which the company has agreed to pay $7.5 million over three years to settle accusations that Intermix surreptitiously installed software on computers. A final agreement is reportedly two to three weeks away and must be approved by the court. However, under the tentative agreement Intermix would agree to cease ad-related downloads. Spitzer filed the civil suit in April 2004, alleging that Intermix secretly installed adware. Further information may be found at http://www.intermix.com/about_press_inthenews.cfm?id=749&startrow=1
FCC LAUNCHES E-RATE INQUIRY
On June 14th, the Federal Communications Commission (FCC) announced that it is launching a comprehensive review of the school and library Internet subsidy plan. The review is part of a broader inquiry into the overall operations of the Universal Service Fund (USF), the long-standing government initiative to provide affordable phone service in rural America. The USF also funds the E-Rate program in addition to financing telemedicine initiatives and assisting low-income families with their phone bills. Nearly 90 percent of U.S. schools and libraries receive subsidies from the fund. In a March 2004 report to Congress, the Government Accountability Office (GAO) concluded that despite the collection and expenditure of billions of dollars since 1998, the FCC has not developed any measure to track the program's effectiveness. The FCC oversees the program, but outsources administration to the private, nonprofit Universal Service Administrative Company (USAC). Further information may be found at http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-259330A1.doc
FCC SETS NEW RULES FOR VOIP 911
On June 3rd, the Federal Communications Commission (FCC) issued a report and notice of proposed rulemaking that would require, by October, that most U.S. voice over Internet Protocol (VoIP) telephones feature a sticker warning that anyone using the phone to call 911 may not get through to a live operator. Essentially, every VoIP service provider with customers in the United States, including Vonage and Skype, must offer 911 as a standard service and accompany those calls with the location and telephone number of the caller. The new rules apply to a VoIP service in which subscribers can receive calls from other VoIP service users, and in which callers can connect to traditional land lines and cellular phones. Further information may be found at http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-05-116A1.pdf
BJ’S WHOLESALE CLUB SETTLES WITH FTC OVER DATA LOSS
On June 16th, the Federal Trade Commission (FTC) announced that it had reached a settlement with BJ’s Wholesale Club over charges that BJ’s failed to take appropriate security measures to protect the sensitive information of thousands of its customers, constituting an unfair practice that violated federal law. According to the FTC, this information was used by an unauthorized person or persons to make millions of dollars of fraudulent purchases. The settlement will require BJ’s to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years. Specifically, the FTC had alleged that BJ’s failed to encrypt consumer information when it was transmitted or stored on computers in BJ’s stores; created unnecessary risks to the information by storing it for up to 30 days, in violation of bank security rules, even when it no longer needed the information; stored the information in files that could be accessed using commonly known default user IDs and passwords; failed to use readily available security measures to prevent unauthorized wireless connections to its networks; and failed to use measures sufficient to detect unauthorized access to the networks or to conduct security investigations. Further information may be found at http://www.ftc.gov/opa/2005/06/bjswholesale.htm
ALL FEDERAL EMPLOYEES TO HAVE ELECTRONIC ID CARDS
By the end of June, all federal agencies were required to submit to the White House Office of Management and Budget (OMB) plans for making electronic identity cards available to all employees and contractors, under the Homeland Security Presidential Directive 12 signed in August, 2004. The level of implementation differs widely among federal agencies. Some already use smart cards for building access, but many haven't yet extended that capability to computer-network access. To help agencies comply, OMB recommended that the CIO and heads of physical security and human resources at each agency develop a plan. All federal employees are expected to have electronic identity cards for facilities and network access by October 27, 2006. The White House wants a common definition of how the cards will work and has tapped the Secretary of Commerce to work with the State, Defense, and Homeland Security departments and the National Institute of Standards and Technology to meet that goal. A standard delivered in February, called the Federal Information Processing Standard 201, stipulates that the electronic IDs must be designed to verify a person's identity while being difficult to illegally duplicate; they also have to be machine-readable and issued only through an official accreditation process. The standard also specifies that smart cards contain a photograph, cryptographic keys, and biometric data so that a cardholder's identity can be verified either by security personnel or an automated card reader. Further information may be found at http://www.computerworld.com/securitytopics/security/story/0,10801,102778,00.html
CONGRESS MODIFIES FCC RULING ON UNSOLICITED FAXES
On June 26th, Congress approved unsolicited fax legislation that allows businesses to send out unsolicited faxes in certain circumstances while protecting the rights of consumers to stop receiving them. The legislation reinstates a 1992 Federal Communications Commission (FCC) ruling that permits businesses and associations to send unsolicited faxes to those with whom they have an "established business relationship." It would eliminate a new FCC ruling, first drawn up in 2003, that required businesses and organizations to obtain prior written approval before sending a commercial fax. Under the bill, those sending faxes must alert recipients of their right to opt out of future faxes and must abide by such requests. The text of the bill may be found by entering the bill number (S. 714) at http://thomas.loc.gov/
APPEALS COURT HANDS WHENU VICTORY
On June 25th, the U.S. Court of Appeals of the Second Circuit reversed an earlier decision that prohibited WhenU from selling pop-ups triggered by 1-800-Contacts' trademarks, in violation of the Lanham Act, the U.S. trademark act. The court said, "We hold that, as a matter of law, WhenU does not 'use' 1-800's trademarks within the meaning of the Lanham Act when it includes 1-800's Web site address in an unpublished directory of terms that trigger delivery of WhenU's (ads) to computer users." 1-800 originally filed its lawsuit in December 2003. It charged WhenU and rival Vision Direct with infringement when the adware maker displayed pop-up ads of its competitor while Web surfers visited the 1-800 Web site. The decision in 1-800-Contacts v. WhenU may be found at http://www.ca2.uscourts.gov:81/isysnative/RDpcT3BpbnNcT1BOXDA0LTAwMjYtY3Zfb3BuLnBkZg==/04-0026-cv_opn.pdf#xml=http://10.213.23.111:81/isysquery/irla576/3/hilite
HOUSE VOTES TO LIMIT PATRIOT ACT
On June 15th, the House of Representatives voted 238-187 to terminate the portion of the Patriot Act which would allow the FBI and the Justice Department to look at library records and bookstore sales slips. The government would still be allowed to look at Internet use at libraries. The vote was part of a debate over a $57.5 billion bill covering the departments of Commerce, Justice and State. The Senate has yet to act on the measure, and it is possible that this action will be reversed during final negotiations, especially as the President has indicated that he may veto the bill. Congress is preparing to extend the Patriot Act, which was passed quickly in the wake of September 11, 2001. Under the Act, 15 of the law's provisions are to expire at the end of this year. Further information may be found at http://www.wired.com/news/print/0,1294,67880,00.html