Issue 98
August 2005
BYTES IN BRIEF® by Editors: Sharon D. Nelson, Esq. and John W. Simek. Associate Editor: Brooke M. Weitz
Editor Emeritus: G.V. Nelson. 10,000+ subscribers worldwide. © 2005 Sensei Enterprises, Inc. All rights reserved. This newsletter may not be reproduced
or redistributed in any manner except with consent of the copyright owner. Distributed by this site under license.
ADULT SITE SUES AMAZON OVER IMAGES
On June 29th, adult magazine publisher Perfect 10 sued Amazon.com, alleging that Amazon’s search engine violates copyright law by returning and displaying thousands of images from its Web site without permission. Perfect 10 had filed a similar lawsuit against Google in November 2004. The suit was filed in U.S. District Court in Los Angeles. A motion for preliminary injunction asks the court to prevent Amazon's A9.com search unit from displaying and distributing the images. The lawsuits allege infringement of more than 1,000 images. Under U.S. copyright law, defendants could be liable for up to $150,000 for each infraction. The Google lawsuit has thus far been tied up in discovery disputes. Further information may be found at http://news.zdnet.com/2100-9588_22-5772128.html
MICROSOFT AND IBM SETTLE ANTITRUST CASE
On July 1st, it was announced that Microsoft would pay IBM $775 million and give it another $75 million in credit under an antitrust settlement announced by the two companies. The settlement resolves all discriminatory pricing and overcharging claims stemming from the U.S. government's mid-1990s antitrust case against Microsoft. The settlement also resolves most other IBM antitrust claims, including those related to its OS/2 operating system and SmartSuite products. IBM's claims of harm to its server hardware and server software businesses are not covered by the settlement, however. The settlement focuses only on the desktop-related antitrust issues addressed in the U.S. government's antitrust case against Microsoft. Both companies pronounced themselves pleased with the settlement. As part of the settlement, Microsoft will extend $75 million in credit toward deployment of Microsoft software at IBM. IBM will not make claims for server monetary damages for two years and will not try to recover damages on server claims made before June 30, 2002. Further information may be found at http://www.microsoft.com/presspass/press/2005/jul05/07-01msibmsettlepr.mspx
U.S. WILL RETAIN CONTROL OF INTERNET DOMAIN NAMES
On June 30th, the United States announced that it will keep control of the Internet’s "root," the master file that lists which top level domains are authorized. In the past, the U.S. had indicated that it would transfer that responsibility to the Internet Corporation for Assigned Names and Numbers (ICANN). The new principles say the U.S. government will "maintain its historic role in authorizing changes or modifications to the authoritative root zone file." In addition, the principles say the U.S. government will continue to maintain oversight of ICANN and prevent its focus from straying from technical coordination. A recent report by a United Nations Panel failed to achieve consensus on Internet governance, but did concur that no country should dominate. The announcement by the U.S. is expected to be controversial. The U.N. panel’s report may be found at http://www.wgig.org/docs/WGIGREPORT.pdf
FEDS CRACK DOWN ON INTERNET PIRATES
On June 30th, the Department of Justice announced an 11-nation crackdown on Internet piracy organizations responsible for stealing copies of the latest Star Wars film and other movies, games and software programs worth at least $50 million. FBI agents and investigators in the other nations conducted 90 searches, arresting four people, seizing hundreds of computers and shutting down at least eight major online distribution servers for pirated works. Called "Operation Site Down," the crackdown involved undercover FBI operations run out of Chicago, San Francisco and Charlotte, N.C., and involved help from authorities in Australia, Belgium, Canada, Denmark, France, Germany, Israel, the Netherlands, Portugal and the United Kingdom. Further information may be found at http://www.usdoj.gov/opa/pr/2005/June/05_crm_353.htm
SENATORS INTRODUCE DATA-SECURITY BILL
On June 29th, Senators Patrick Leahy and Arlen Specter introduced the Personal Data Privacy and Security Act, which creates many new regulations governing data security and severe penalties for those who gain unauthorized access to private data. One portion of the bill restricts the sale or publication of Social Security numbers. Also, businesses would be prohibited from requiring SSNs except in a narrow set of circumstances such as obtaining credit reports and applying for a job or an apartment. Among other things, the Personal Data Privacy and Security Act would:
1) Erect a complex regulatory infrastructure around "data brokers," defined as any company or nonprofit that is "collecting, transmitting, or otherwise providing personally identifiable information" of 5,000 or more people that are not customers or employees. Data brokers are required to follow European-style guidelines, including mandatory disclosure of a record to that individual.
2) Revise computer crime laws to create new penalties for database intrusions. The punishments: Fines and 10 years in prison for trespassing in a data broker's system, and five years in prison if a company or individual willfully conceals certain types of serious security breaches.
3) Mandate a comprehensive personal data privacy and security program for most businesses and individuals acting as sole proprietors.
The text of the bill may be found by entering the bill number (S. 1332) at http://thomas.loc.gov/
GROUPS URGE CYBERCRIME TREATY APPROVAL
On June 29th, the Business Software Alliance announced that it had joined other entities, including VeriSign, InfraGard and the Cyber Security Industry Alliance, in sending a letter to Senators urging them to ratify the world’s first treaty targeting cybercrime. According to the letter, "The cybercrime convention will serve as an important tool in the global fight against those who seek to disrupt computer networks, misuse private or sensitive information, or commit traditional crimes utilizing Internet-enabled technologies." It requires countries to adopt similar criminal laws against hacking, infringements of copyrights, computer-facilitated fraud, child pornography and other illicit cyberactivities. Because U.S. law already includes much of what the convention requires, the Senate's vote would be mostly symbolic. The treaty requires nations to adopt laws governing search and seizure of stored data, surreptitious Internet wiretapping, cross-border assistance, and retention of Internet provider records upon police demand. The treaty also includes stiff copyright-related penalties. It says participating nations must enact criminal laws targeting Internet piracy and circumvention devices when acts "are committed willfully, on a commercial scale and by means of a computer system." The Electronic Privacy Information Center sent a letter to the Senate Foreign Relations Committee last year saying the treaty should not be ratified because it "would create invasive investigative techniques while failing to provide meaningful privacy and civil liberties safeguards." So far, the treaty has been ratified by 11 nations, including Denmark, Hungary, Romania and Bulgaria. President Bush has asked the Senate to follow suit. Further information may be found at http://www.bsa.org/usa/press/newsreleases/Cyber-Crime-Treaty.cfm
FLORIDA BUSTS WI-FI BANDIT
On July 7th, it was reported that Florida police arrested a man for using someone else’s wireless network without permission, charging him criminally for a practice that is extremely common. Benjamin Smith III, 41, was arrested and charged with unauthorized access to a computer network, a third-degree felony. Police say Smith admitted using the Wi-Fi signal from the home of Richard Dinon, who had noticed Smith sitting in an SUV outside Dinon's house using a laptop computer. Why Smith was using Dinon's network was not reported. Further information may be found at http://www.infoworld.com/article/05/07/07/HNwifiarrest_1.html
STATES PRESS FORWARD ON NET SALES TAX
On June 30th, tax officials, state lawmakers and industry representatives agreed to establish an 18-state network for collecting taxes on Internet sales, a compact they hope will encourage online retailers and Congress to endorse a mandatory national program. Meeting in Chicago under the auspices of the Streamlined Sales Tax Project, the officials agreed that 11 states will oversee the project and outlined incentives to encourage retailers to participate. Forty states have been negotiating since 2000 to create a framework for collecting sales taxes on all remote transactions, whether through regular mail or online. Starting October 1, software vendors contracted by the Streamlined Sales Tax Project will begin providing free tax collection and remittance software and services to online merchants who voluntarily agree to collect taxes on all online sales on behalf of the 18 participating states. Under the states' plan, Internet retailers that agree to collect and remit taxes will do so for online sales originating in any of 11 states that have amended their state laws to fully comply with standards developed by the sales tax project. In the other seven states, the Internet sales tax collection would be optional until their tax codes are brought into full compliance. In both cases, any taxes the retailer collected would be based on the rates in effect where the buyer lives, and the retailers would be compensated for the cost of collecting and remitting that revenue to the states. As an incentive, the states will offer a one-year amnesty for e-commerce companies that may owe taxes on past online sales to any of the participating states. The amnesty offer could prove attractive for several major retailers that are currently involved in legal disputes over whether they owe taxes on Internet sales. Further information may be found at http://www.streamlinedsalestax.org/
VOTING GUIDELINES: FEDS SEEK COMMENTS
On June 29th, the federal government began seeking comments on its new guidelines for voting systems, designed to keep pace with technology and rampant security concerns. The guidelines call for vendors to follow better programming practices and make some suggestions for addressing problems with vote integrity. The guidelines do not require systems to produce a voter-verified paper audit trail, which would allow voters to confirm their vote. The comment period will end on September 30th, after which the government will revise them, if needed, and release them for states to adopt. The new guidelines were created by the Technical Guidelines Development Committee, headed by the acting director of the National Institute of Standards and Technology, and composed of election officials and people with varying technical abilities. Further information may be found at http://www.glynn.com/eac_vvsg/intro.asp
BROADCOM FILES ANTITRUST SUIT AGAINST QUALCOMM
On July 5th, chipmaker Broadcom filed an antitrust lawsuit against Qualcomm alleging that the San Diego company's licensing policies block rivals from selling competing chipsets for use in next-generation mobile phones. The suit, filed in the U.S. District Court for the District of New Jersey, claims that Qualcomm (QCOM), which holds key patents for the so-called Wideband Code Division Multiple Access (WCDMA) technology used in the next generation of wireless networks, is not licensing its patents under fair, reasonable and nondiscriminatory terms. Broadcom claims that Qualcomm will license its WCDMA patents only in exchange for "a wide array of terms that are aimed to cripple Broadcom as a competitor." According to the suit, a Qualcomm license would have required Broadcom to sell chipsets only to cell phone makers that are also Qualcomm licensees. Further information may be found at http://www.broadcom.com/press/release.php?id=726224
FEDS SEEK ENHANCED INTERNET SURVEILLANCE IN-AIR
It was reported on July 13th that federal law enforcement agencies are seeking enhanced surveillance powers over Internet service on airplanes in an effort to counter possible terrorism. Authorities want the ability to intercept, block or divert e-mail or other online communication to and from airplanes after obtaining a court order. Internet providers would have to allow government monitoring within 10 minutes of a court order being granted, be able to electronically identify users by their seat numbers and be required to collect and store records of the communications for 24 hours. Such capabilities would far exceed the government's current ability to monitor Internet traffic on the ground. The FBI, Department of Justice and Department of Homeland Security jointly made the requests in early July with the Federal Communications Commission. The agencies say they support giving travelers the ability to surf the Web and communicate via e-mail or instant messaging in the air but also fear that terrorists could use the services to coordinate an attack among themselves on a single plane, between aircraft or with people on the ground. The government also fears terrorists could use Internet-connected devices to detonate explosives via remote control. Further information may be found at http://newstandardnews.net/content/?action=show_item&itemid=2091
INTERNET ARCHIVE SUED
Healthcare Advocates has sued both the Philadelphia law firm Harding Earley and the Internet Archive, saying their access to its old Web pages, stored in the Internet Archive's database, was unauthorized and illegal. Harding Earley had accessed the Web pages as part of defending its client, Health Advocate, a company in suburban Philadelphia that helps patients resolve health care and insurance disputes, against a trademark action brought by a similarly named competitor. The Internet Archive was created in 1996 as the institutional memory of the online world, storing snapshots of always-evolving Web sites. The Internet Archive’s Web page database, searchable with a form called the Wayback Machine, is routinely used by intellectual property lawyers to help learn when and how a trademark might have been historically used or violated. The lawsuit, filed in Federal District Court in Philadelphia, seeks unspecified damages for copyright infringement and violations of two federal laws: the Digital Millennium Copyright Act and the Computer Fraud and Abuse Act. The Internet Archive's repository now has approximately one petabyte, roughly one million gigabytes, worth of historical Web site content. The suit contends that representatives of Harding Earley should not have been able to view the old Healthcare Advocates Web pages, even though they now reside on the archive's servers, because the company, shortly after filing its suit against Health Advocate, had placed a text file on its own servers designed to tell the Wayback Machine to block public access to the historical versions of the site. Such a file, called robots.txt, dictates what parts of a site can be examined for indexing in search engines or storage in archives. Most search engines program their Web crawlers to recognize a robots.txt file, and follow its commands. 
The Internet Archive goes a step further, allowing Web site administrators to use the robots.txt file to control the archiving of current content, as well as block access to any older versions already stored in the archive's database before a robots.txt file was put in place. But on at least two dates in July 2003, the suit states, Web logs at Healthcare Advocates indicated that someone at Harding Earley, using the Wayback Machine, made hundreds of rapid-fire requests for the old versions of the Web site. In most cases, the robots.txt file blocked the request. But in 92 instances, the suit states, it appears to have failed, allowing access to the archived pages. In so doing, the suit claims, the law firm violated the Digital Millennium Copyright Act, which prohibits the circumventing of technological measures designed to protect copyrighted materials. The suit further contends that among other violations, the firm violated copyright law by gathering, storing and transmitting the archived pages as part of the earlier trademark litigation. The Internet Archive is accused of breach of contract and fiduciary duty, negligence and other charges for failing to honor the robots.txt file and allowing the archived pages to be viewed. Further information may be found at http://www.redherring.com/Article.aspx?a=12748&hed=Internet+Archive+Gets+Sued+&sector=Industries&subsector=Computing
SPYWARE DEFINED?
On July 12th, the Anti-Spyware Coalition released a document entitled "The Anti-Spyware Coalition Definitions and Supporting Documents" for public comment. The document intends to provide an agreed-upon definition of spyware for purposes of legislation and having a standard to refer to in litigation. Comments on the document are due by August 12th. The document defines spyware as: "Technologies implemented in ways that impair users' control over: Material changes that affect their user experience, privacy, or system security; Use of their system resources, including what programs are installed on their computers; Collection, use, and distribution of their personal or otherwise sensitive information." A former attempt at a spyware-related industry coalition, the Coalition of Anti-Spyware Technology vendors (COAST) dissolved several months ago after the inclusion of adware makers in the group led to insurmountable differences. The new coalition does not include such members. The document may be found at http://www.antispywarecoalition.org/definitions.pdf
FBI ON THE STATE OF CYBERCRIME
On July 18th, the Federal Bureau of Investigation (FBI) released the 2005 CSI/FBI Computer Crime and Security Survey, produced by the Computer Security Institute (CSI) and San Francisco FBI's Computer Intrusion Squad. The report indicated that while average losses from cybercrime declined dramatically in 2004, Web site incidents, such as denial of service attacks, rose between 2003 and 2004, as did unauthorized access incidents at Web sites. The average dollar loss per survey respondent from a security breach was $204,000 in 2004, a 61 percent drop from the previous year's figure of $526,000. The leading cause of financial loss was viruses, judging by the losses incurred, which totaled $42.8 million, or 32 percent of all reported losses.
Unauthorized access came in second at $31.2 million in total reported losses, representing 24 percent of all reported losses. Unauthorized access skyrocketed by almost sixfold year-over-year, from a reported $51,545 in average losses per respondent in 2003 to $303,234 in 2004, a rise of 488 percent. Theft of proprietary info was the third leading cause of financial loss at $30.9 million and also reported a significant average dollar loss per respondent increase to $355,552 in 2005, up from $168,529 in 2004, a rise of 111 percent. The remainder of the survey's list of dollar losses by type were: Denial of service ($7.3 million), insider 'Net abuse ($6.9 million), Laptop theft ($4.1 million), financial fraud ($2.6 million), misuse of a public Web application ($2.2 million), system penetration ($841,000), abuse of wireless network ($545,000), sabotage ($341,000), telecom fraud ($242,000) and Web site defacement ($115,000). Ninety-five percent of respondents reported more than 10 Web site "incidents." The 2004 survey found that only 5 percent had experienced more than 10 incidents. Further information may be found at http://www.fbi.gov/page2/july05/cyber072505.htm
EPIC FILES PRIVACY COMPLAINT WITH FTC
On July 7th, the Electronic Privacy Information Center (EPIC) filed a complaint with the Federal Trade Commission (FTC) asking the FTC to investigate whether Web sites advertising investigative services capable of digging up personal information such as phone call records are violating federal laws. The complaint is directed against Encinitas-based Intelligent e-Commerce Inc., which runs bestpeoplesearch.com, but EPIC wants the FTC to begin an industry-wide investigation into such practices. EPIC contends that Intelligent e-Commerce’s services and those of hundreds of similar online investigation firms constitute unfair or deceptive business practices. The Web site offers to find a wide scope of personal information on individuals ranging from unlisted phone numbers and addresses to detailed phone records, employment history, and motor vehicle data. The firm also offers to identify the owner of a post office box and advertises packages for information on an individual's criminal record. A recent list of the firm's most popular searches included Social Security numbers, name, and address from a cell phone number and a "Cell Phone Report," which includes name, address and list of calls made. EPIC accuses Intelligent e-Commerce and similar companies of procuring private information on phone records, for instance, by pretexting, or posing as their target to gain access to their online billing sites or to get copies of bills. The complaint in the case may be found at http://www.epic.org/privacy/iei/ftccomplaint.html
HOUSE REAUTHORIZES PATRIOT ACT
On July 21st, the House of Representatives reauthorized the Patriot Act by a vote of 257-171, mostly along party lines. The Act makes permanent governmental powers invoked after September 11th to investigate suspected terrorists. Sixteen provisions of the 2001 law are due to expire at the end of 2005 unless renewed by Congress. President Bush has repeatedly asked Congress to make the entire law permanent. The House reauthorized the act but with several changes designed to increase judicial and political oversight of some of its most controversial provisions. The House also passed an amendment requiring the director of the FBI to personally approve all requests for library or bookstore records and a number of other amendments designed to add civil liberty safeguards to the bill. The Senate judiciary committee voted unanimously to recommend its own version of the act on July 21st. The full Senate is expected to take its bill up in the fall. The text of the Act may be found by entering the bill number (H.R. 3199) at http://thomas.loc.gov/
FTC GOES AFTER ELECTRONIC FLASHERS
On July 20th, the Federal Trade Commission (FTC) announced it had taken action against seven companies, accusing them of hiring others to send illegal e-mails with pornographic messages to tempt consumers to visit adult Internet sites. The government said four of the firms already agreed to pay nearly $1.2 million to settle the charges, making it one of the most aggressive government crackdowns on pornographic e-mail operations. The FTC describes the practice as "electronic flashing" and said at least some of the unwanted e-mails were sent to children. The FTC said the messages were not prominently marked "sexually explicit," did not include instructions for consumers to block future e-mails and did not include a postal address, all required under federal law. The FTC said the seven companies did not send e-mails directly to consumers but operated affiliate programs, paying others to send unwanted messages to drive Internet traffic to adult websites. Under the "Can Spam" law, defendants in such cases are liable because they paid others to send e-mails on their behalf. The FTC said it directed the Justice Department to file civil lawsuits against three of the companies: T.J. Web Productions LLC of Henderson, Nevada; Cyberheat of Tucson, Arizona; and Impulse Media Group of Seattle, Washington. The lawsuits seek unspecified payment to the government for every violation of the federal anti-spam law. Further information and the complaints may be found at http://www.ftc.gov/opa/2005/07/alrsweep.htm
NYPD LAUNCHES REAL TIME CRIME CENTER
On July 14th, the New York City Police Department (NYPD) announced that it is launching an $11 million Real Time Crime Center at a facility adjacent to the NYPD's Emergency Operations Center in lower Manhattan. The Center is expected to make access to information contained in millions of local, state, and national records available to the city's 4,000 crime investigators via their cell phones and pagers. The center is expected to let detectives accomplish in minutes what typically takes them hours, days, or weeks to accomplish. The Real Time Crime Center has been set up with 15 computer workstations and staffed by 26 analysts and investigators who will work around the clock in shifts. Once a detective working a homicide or a shooting makes a request for information, the crime center gets to work and either returns the detective's phone call or sends data to a handheld device used by the detective. The dialogue can continue between the detective and the center as needed. For those who have privacy concerns, it was noted that access to the center's operations is restricted to NYPD employees who are audited by the department's internal-affairs division. Further information may be found at http://www.nyc.gov/html/om/html/2005b/pr273-05.html
ANTISPAM SPEC EN ROUTE TO STANDARD?
On July 11th, Cisco Systems announced that it had, along with partners Yahoo, Sendmail, PGP, and others, proposed a standard for antispam technology that focuses on identifying forged e-mail addresses. The partner companies announced that they have submitted their DomainKeys Identified Mail (DKIM) specification to the Internet Engineering Task Force (IETF). The IETF, a standards setting body, began discussing the possible standard in late July. With DKIM, which relies on public key cryptography, a digital signature is attached to outgoing e-mail so recipients can verify that the message comes from its claimed source. The idea is to make it easier to eliminate spam or phishing e-mails with spoofed addresses by marking out legitimate messages. The specification merges two earlier proposals, Yahoo's DomainKeys technology and Cisco's Internet Identified Mail system. The specification calls for e-mail domain owners to create a pair of public and private cryptographic keys. The public key is published in the Domain Name System record, while the private key is stored on a DKIM-enabled mail server. Each outgoing message is then signed, with the signature stored in the e-mail header. On the receiving end, a DKIM-enabled mail server extracts the signature and uses the public key to verify that the signature was generated by the sending domain. Further information may be found at http://newsroom.cisco.com/dlls/2005/prod_071205b.html
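The publish, sign and verify flow described above, as an added Python sketch that is not part of the original newsletter and not the specification's own format or code. The domain example.com, the selector mail2005, the dictionary standing in for DNS and the simplified tag layout are assumptions, and the RSA key is a constructed, insecure demo key.

```python
import base64
import hashlib

# Constructed demo key built from two Mersenne primes so the example needs no
# third-party library. It is trivially factorable: illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, kept on the mail server
KEY_BYTES = (N.bit_length() + 7) // 8

# ASN.1 DigestInfo prefix for SHA-256, as used in PKCS#1 v1.5 signatures
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Stand-in for DNS (assumption): public key published for selector + domain
DNS = {"mail2005._domainkey.example.com": (N, E)}

SIGNED_HEADERS = ("from", "subject")   # header fields covered by the signature


def _encode(digest):
    """PKCS#1 v1.5 encoding of a SHA-256 digest, returned as an integer."""
    pad = b"\xff" * (KEY_BYTES - len(SHA256_PREFIX) - len(digest) - 3)
    return int.from_bytes(b"\x00\x01" + pad + b"\x00" + SHA256_PREFIX + digest, "big")


def _signing_input(headers, body, domain, selector):
    """Return (body hash, digest over the signed headers and signature tags)."""
    bh = base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()
    lines = [f"{h}:{headers.get(h, '').strip()}" for h in SIGNED_HEADERS]
    lines.append(f"d={domain}; s={selector}; bh={bh}")
    return bh, hashlib.sha256("\r\n".join(lines).encode()).digest()


def sign(headers, body, domain, selector):
    """Sending side: sign with the private key, store the result in a header."""
    bh, digest = _signing_input(headers, body, domain, selector)
    sig = pow(_encode(digest), D, N)
    b = base64.b64encode(sig.to_bytes(KEY_BYTES, "big")).decode()
    signed = dict(headers)
    signed["dkim-signature"] = f"d={domain}; s={selector}; bh={bh}; b={b}"
    return signed


def verify(headers, body):
    """Receiving side: extract the signature, fetch the public key, check it."""
    sig_header = headers.get("dkim-signature")
    if sig_header is None:
        return "none"
    tags = dict(t.strip().split("=", 1) for t in sig_header.split(";"))
    key = DNS.get(f"{tags['s']}._domainkey.{tags['d']}")
    if key is None:
        return "fail: no key in DNS"
    n, e = key
    bh, digest = _signing_input(headers, body, tags["d"], tags["s"])
    if bh != tags["bh"]:
        return "fail: body hash mismatch"
    sig = int.from_bytes(base64.b64decode(tags["b"]), "big")
    if pow(sig, e, n) != _encode(digest):
        return "fail: bad signature"
    return "pass"
```

A `pass` result only shows that the holder of the key published for the `d=` domain signed these headers and this body; an unsigned message returns `none` rather than a failure, so what to do with unsigned mail is a separate receiver policy decision.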