COUNCILMAN DECISION REVISITED

On August 11th, the 1st Circuit Court of Appeals reinstated a closely watched criminal case against an e-mail provider accused of violating wiretap laws. The court ruled that the provider, who allegedly read correspondence meant for his customers, could be tried on federal criminal charges. That decision reverses a 2-1 vote by a three-judge panel last year. Privacy groups, civil libertarian and the U.S. Justice Department all argued that the case should not be dismissed. The case deals with an indictment of Bradford Councilman, formerly vice president of online bookseller Interloc, which is now part of Alibris. Interloc provided some of its customers, typically dealers of rare or used books, with e-mail addresses. Councilman allegedly ordered the creation of a Procmail script, which saved copies of inbound messages from Amazon.com sent to those specialty book dealers, in hopes of gaining commercial intelligence. The case revolves around the issue of whether these actions violate the federal Wiretap Act, which governs the interception of electronic communications. Because the law's definition can be interpreted to not cover e-mail stored in a mail queue, even temporarily, Councilman's lawyers argued that his alleged actions did not violate the law. The First Circuit disagreed. The judges said that the "statute contains no explicit indication that Congress intended to exclude communications in transient storage from the definition." The decision in U.S. v. Councilman may be found at http://www.ca1.uscourts.gov/pdf.opinions/03-1383EB-01A.pdf

Microsoft has now instituted the Windows Genuine Advantage 1.0 program, which ensures that customers using Windows Update, Microsoft Update for Windows, and the Microsoft Download Center run a program that checks that their Windows operating system is genuine before they can download updates or new content from those services. Customers who discover they have a counterfeit copy of Windows through the program either will be given a free version of the OS or can purchase it for a discounted price. To get a free version of Windows, a customer must fill out a counterfeit report identifying the source of the software, provide a proof of purchase, and send in a counterfeit CD of the software. If customers don't have all of that information, they can still fill out a counterfeit report and receive a copy of Windows XP Home Edition for $99 or a copy of Windows XP Professional Edition for $149. Microsoft estimates that more than one-third of all copies of its software are counterfeit, based on a recent joint report released by the Business Software Alliance and research firm IDC. Many users don't know that their copy of Windows is illegal. The Windows Genuine Advantage checking mechanism is anonymous. While counterfeit copies of Windows will be prevented from downloading updates, Microsoft is not including security updates in the lock-out. Further information may be found at http://support.microsoft.com/default.aspx?scid=kb;en-us;892130

On August 2nd, the U.S. Court of Appeals for the federal circuit upheld most of a patent infringement verdict against BlackBerry manufacturer Research in Motion (RIM), but ordered a lower court to reconsider part of the case and agreed that the entire appeals court would hear arguments that the long-running dispute is beyond U.S. jurisdiction. The decisions affirmed most of a 2003 lower court verdict against RIM, which serves 3.1 million users of the BlackBerry. The ruling found that the lower court was correct in allowing the jury to decide whether BlackBerry violated NTP's "system" patents for mobile e-mail technology, but wrongly defined a key term relating to "method" patents for such a system. As a result, the appeals court reversed some of the infringement findings and asked the lower court to review whether the error tainted the overall jury verdict. The jury's overall damage award of $53.7 million was not broken down in terms of the individual patent claims, so the appeals court ordered that the award be revised to reflect any change in the verdict. The ruling also instructed the lower court to determine whether the scope of its injunction ordering RIM to stop selling BlackBerrys needs to be revised as well. The decisions in NTP v. Research in Motion may be found at http://caselaw.findlaw.com/data2/circs/fed/031615rp.pdf

On August 5th, the Federal Communications Commission voted to reclassify DSL broadband service, thus freeing phone companies of regulations that require them to share their infrastructure with Internet service providers. DSL will now be considered an information service instead of a telecommunications service, a distinction that puts DSL on par with the classification of cable modem services. The phone companies say that the ruling will free up more of their resources to improve their broadband services. The FCC and the phone companies themselves believe that the new classification will put DSL providers on an even footing with the cable companies, allowing them to compete more aggressively. The result, they say, will be lower prices and more choice for consumers as well as higher penetration rates of DSL into communities throughout the United States. Further information may be found at http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-260433A1.pdf

On August 4th, the Justice Department announced that Missouri resident Curtis Salisbury had become the first individual charged with violating the Family Entertainment Copyright Act (FECA) by videotaping movies shown in theaters. Salisbury, 19, is charged with using a camcorder to make copies of recent releases of "The Perfect Man" and "Bewitched" and then distributing them through illicit computer networks that specialize in piracy. Salisbury faces up to 17 years in prison. Further information may be found at http://www.usdoj.gov/criminal/cybercrime/salisburyCharge.htm

On August 2nd, the 5th Circuit Court of Appeals ruled that White Buffalo Ventures (WBV), an online dating service, had no constitutional right that would prevent the University of Texas (UT) from filtering out tens of thousands of its e-mails. WBV claimed that it had complied with all anti-spam laws, including the federal CAN-SPAM law and argued that the university’s filtering violated its First Amendment rights. The court determined that White Buffalo complied with federal law, that its e-mails were not illegal, but that the law applies to UT as it would to an Internet service provider that employs protection measures and has its own policies regarding bulk e-mail. The decision in White Buffalo Ventures v. The University of Texas at Austin may be found at http://www.ca5.uscourts.gov/opinions/pub/04/04-50362-CV0.wpd.pdf

On August 3rd, the Federal Trade Commission (FTC) announced that it had reached a settlement with Advertising.com, an America Online subsidiary. Advertising.com had bundled its anti-spyware program with software that tracked consumers' online habits and gave them pop-up ads. Advertising.com, also known as Teknosurf.com, promoted its SpyBlast program as a way to protect users' computers from hackers, the FTC charged. SpyBlast is installed without the user’s knowledge by ActiveX drive-by download and contains a process that monitors online behavior and serves pop-up ads. The FTC alleged that Advertising.com didn't provide consumers with adequate notice that SpyBlast came bundled with the adware program. Further information may be found at http://www.ftc.gov/opa/2005/08/spyblast.htm

On August 2nd, research firm Gartner issued a report detailing the rise of thieves using the Internet to acquire account numbers and PINs in order to steal from ATMs and debit cards. About $2.75 billion was reportedly stolen in 2004. The problem, says Gartner, is that half of the country's banks don't use secondary security codes that can be placed on an ATM or debit card's magnetic strip. If ATM/debit card theft were not enough, another $1.9 billion was pilfered via checking account fraud. Crooks apparently prefer ATMs because then they don’t have to buy things with a forged credit card and then sell them or set up complicated systems to transfer cash advances from cards to other accounts. A simple solution, and one more and more banks are using, is to include PIN offsets and Card Verification Value (CVV) codes on track 2 of ATM and debit bank cards. Those numbers are unknown to the customer, so they can't be divulged in a phishing scam. Banks are often hesitant to employ this security because it requires customers to bring their cards to the bank and they prefer to allow customers to change their PINs using automated phone systems. Further information may be found at http://www.gartner.com/press_releases/asset_133138_11.html

On August 2nd, U.S. District Court Judge Carol Bagley Amon in New York City found that JetBlue had violated its agreement not to share passenger data by sharing the information at the behest of the Transportation Security Administration (TSA). But Judge Amon said the passengers could not prove damage and dismissed the class action suit. JetBlue was found to have violated customer privacy by turning over passenger lists, including addresses and phone numbers, to the government. The judge also rejected a claim that JetBlue unjustly enriched itself. The plaintiffs sued after learning that TSA, in July 2002, sent JetBlue a written request asking that it supply passenger data for a database being compiled by Department of Defense contractors. JetBlue ultimately delivered some 5 million passenger records to the government. Further information may be found at http://www.consumeraffairs.com/news04/2005/jetblue_suit.html

On July 27th, Senator Blanche Lincoln, an Arkansas Democrat, introduced "The Internet Safety and Child Protection Act of 2005." The bill would impose a 25 percent tax on the revenue of most adult-themed Web sites. Legal experts have said the bill is unlikely to be passed because the general rule is that if you cannot ban a certain category of expression, then you cannot selectively impose a tax on it. The text of the bill may be found at http://thomas.loc.gov/cgi-bin/query/z?c109:S.1507:

On July 29th, Internet Security Systems announced that the U.S. District Court in San Francisco had entered a permanent injunction, agreed to by the parties, barring former employee Michael Lynn and the Black Hat conference organization from disseminating the presentation Lynn gave at the conference. The research discloses how computer hackers can undermine Internet equipment made by Cisco Systems that the company says is vital to moving Internet traffic. Lynn made the presentation after he had tendered his resignation to Internet Security. The injunction forbids Lynn from making further use of, or disclosing, any of the research in the presentation that he conducted while employed by Internet Security. Atlanta-based Internet Security Systems provides protection for these Cisco vulnerabilities. The injunction also requires Lynn to return any materials and disassembled code related to Cisco. Further information may be found at http://www.iss.net/issEn/delivery/prdetail.jsp?type=&oid=28512

On July 25th, a special three-judge federal panel found that a photographer specializing in pictures of sadomasochistic sexual behavior, failed to provide sufficient evidence that the 1996 Communications Decency Act was unconstitutional. The law makes it a crime to send obscenity over the Internet to children. The panel noted that evidence was offered to indicate there are at least 1.4 million Web sites that mention bondage, discipline and sadomasochism but that evidence was insufficient to decide how many sites might be considered obscene. Nitke has said she will appeal. The ruling in Nitke v. U.S. may be found at http://wendy.seltzer.org/media/nitke_v_ashcroft.pdf

On July 28th, by voice vote, the U.S. passed "Dru’s Law" (Dru Sjodin National Sex Offender Public Database Act of 2005), which would set up an Internet-accessible national database of sex offenders and require strict monitoring of high-risk offenders for a year after their release from prison. The legislation is known as "Dru's Law" for Dru Sjodin, a 22-year-old University of North Dakota student who was abducted from a shopping mall and killed in 2003. The man charged with abducting Sjodin and killing her, Alfonso Rodriguez Jr., is a convicted sex offender who had been released from prison just six months before she disappeared. An identical version of the bill is pending in the House. The bill is designed to compensate for a patchwork of state laws that have hindered searches for sexual predators when they cross state lines. It would create a national sex offender registry that would allow the public to search by ZIP code across state lines. The text of the Act may be found at http://thomas.loc.gov/cgi-bin/query/z?c109:S.792:

On July 28th, the National Association of Securities Dealers (NASD) warned investors against using public WiFi connections for accessing online accounts, saying that they pose additional risks of confidential information being stolen by cyber criminals. The NASD, based in Washington, D.C., issued two formal alerts, one for investors and the other for brokerage firms, offering guidance for protecting personal information. The NASD advised investors to think twice about using the remember-my-username-and-password feature when accessing brokerage accounts. Further information may be found at http://www.nasd.com/web/idcplg?IdcService=SS_GET_PAGE&ssDocName=NASDW_014775

On August 10th, America Online Inc. won a $13 million judgment against a major spam operation in its first case filed under a law allowing seizure of spammers' assets. The judgment was issued by the U.S. District Court for the Eastern District of Virginia. AOL said it does not know how much of the $13 million award it will be able to recover. One spammer, Braden M. Bourneval, cooperated with AOL in the investigation and agreed to surrender gold, cash and a 2003 Hummer H2 to the company. The company has been unable to locate the other main spammer named in the suit, Davis Wolfgang Hawke. AOL will give property confiscated from Bourneval to its subscribers. AOL will give away the confiscated items through a free raffle on its site, which it dubbed the "AOL Spammer's Gold Sweepstakes." The Internet provider also said that it would donate tens of thousands of dollars worth of seized computer equipment to public schools in Northern Virginia. Bourneval's property was seized under the CAN-SPAM Act, which allows companies to take the assets of spammers when recovering damages. The act went into effect in January 2004. Further information may be found at http://media.timewarner.com/media/newmedia/cb_press_view.cfm?release_num=5525442 4

Security company Sunbelt Software announced on August 8th that it had uncovered a major identity theft ring that gathered data from up to 50 banks. The operation, which is being investigated by the FBI, is reportedly harvesting personal data from thousands of machines using keystroke-logging software. The data collected includes credit card details, Social Security numbers, usernames, passwords, instant-messaging chat sessions and search terms. Some of that data is then saved in a file hosted on a U.S.-based server that has an offshore-registered domain, according to Sunbelt. In two days of monitoring the file, the company said it had seen confidential financial details of customers of up to 50 international banks. The data theft is carried out by a Trojan horse download done at the same time as the CoolWebSearch program installation and also includes a mail zombie function. Further information may be found at http://www.sunbelt-software.com/Press.cfm?id=125

On August 9th, staffing firm Accountemps released a survey showing that employees spend an average of 56 minutes a day on personal Internet use. Over 150 senior executives of the nation's top companies were polled and claimed that employees spend too much of their day engaging in non-business related Internet use such as checking sports scores and instant messaging friends. Nearly two-thirds of those surveyed stated that these activities are known because their organizations monitor employee Internet activity somewhat closely. Thirty percent say Internet activity is monitored, although not very often. Only four percent claimed they did not monitor at all. Further information may be found at http://www.accountemps.com/PressRoom;jsessionid=DPLJdzkvnLXbwzYmX7NW3HTPF1f181MyjhM6lN2lSVlSvrbp2nyp!-1202084109!-2045944614?inTrack=pressRoom

On August 3rd, a proposed class action suit was filed in State Superior Court in Santa Clara, California, accusing Google of overcharging advertisers who use Google’s paid search advertising program, which accounts for most of Google's revenue. The suit alleges that Google charged in excess of advertisers' "daily budgets," under which Google allows an advertiser to limit how much it spends each day. The suit seeks unspecified monetary damages and was filed on behalf of CLRB Hanson Industries LLC in Minnesota and other advertisers. Google said the suit was baseless. Further information may be found at http://money.cnn.com/2005/08/08/technology/google_sued.reut/

Scott Richter, once accused of being one of the world's top three spammers has agreed to pay $7 million in a settlement with Microsoft Corporation. Microsoft announced the settlement on August 9th. The money from Scott Richter and his company, OptInRealBig.com LLC, will be used to boost efforts to combat the illegal sending of spam and other computer misuse according to Microsoft’s chief counsel. The settlement was conditional upon dismissal of bankruptcy petitions Richter and his 4-year-old company have pending in U.S. Bankruptcy Court in Denver. He and his affiliated businesses also agreed to comply with federal and state laws, including the CAN-SPAM Act, the federal Controlling the Assault of Non-Solicited Pornography and Marketing Act, and will not send spam to anyone who has not confirmed a willingness to receive it. Another provision calls for three years of oversight of Richter's operations. Further information may be found at http://www.microsoft.com/presspass/press/2005/aug05/08-09MSRichterSettlementPR.m spx

A group of students in Kutztown, Pennsylvania, charged with felonies for bypassing security with school-issued laptops, has become known as "the Kutztown 13." Supporters of the students say the authorities are overreacting, especially as no malicious acts are alleged. The Kutztown Area School District disagrees, saying that it reported the students to police only after detentions, suspensions and other punishments failed to deter them from breaking school rules governing computer usage. The administrative password that allowed students to reconfigure computers and obtain unrestricted Internet access was easy to obtain. A shortened version of the school's street address, the password was taped to the backs of the computers. The password was distributed and students began downloading forbidden instant messaging and other programs. At least one student viewed pornography. Some students also turned off the remote monitoring function and reversed the monitoring tool, using it to view administrators' own computer screens. The students have been charged with computer trespass, an offense state law defines as altering computer data, programs or software without permission. The youths could face a wide range of sanctions, including juvenile detention, probation and community service. Further information, from the defendants’ point of view, may be found at http://www.cutusabreak.org/

On August 18th, a judicial advisory committee in Florida recommended that Florida courts post most of their records online, but indicated that stricter data privacy laws are needed both in the state and nationwide. Many of the 24 formal recommendations released by the Florida Supreme Court's Committee on Privacy and Court Records revolve around the idea that access to public records, with appropriate redactions for confidentiality, is the key to ensuring government efficiency, accountability and transparency. At the moment, it is difficult to obtain court records in Florida. In November 2003, the Florida Supreme Court barred courts from releasing documents through the Internet or in "bulk electronic form" except in special circumstances. The moratorium came about because a couple of the state's court systems began placing a lot of documents online, including sensitive family law documents. As a response, the state Supreme Court convened a 15-member committee, composed of judges, lawyers, clerks and court administrators, to study the situation. In their final recommendations, about two-thirds of the committee supported putting the records online, but only with safeguards. They said that courts must first create new rules clarifying, among other things, what precisely needs to be redacted as confidential information and establishing limits on what can be released. Mental health, medical, drug treatment and family law records, for example, would not be authorized for release except in special circumstances. A minority in the committee supported making people come to the courthouse to get documents saying that publishing the records online would lead to "an immediate and pervasive loss of privacy." A copy of the report may be found at http://www.floridasupremecourt.org/pub_info/index.shtml#Privacy

On August 12th, Florida resident Scott Levine, 46, was convicted of stealing more than 1.5 billion data files from Acxiom Corp. in what federal officials said was one of the largest recorded cases of data theft. A U.S. district court jury found him guilty on 120 counts of theft by computer, two counts of fraud and one count of obstruction of justice. Each theft count carries a possible sentence of five years and a $250,000 fine while each fraud count could result in 10 years in prison and a $250,000 fine. The obstruction count could bring a 20-year sentence and a $250,000 fine. Jurors acquitted Levine of money-laundering and conspiracy charges. Levine will be sentenced January 6th. Further information may be found at http://www.usdoj.gov/opa/pr/2005/August/05_crm_417.htm

On August 17th, the Federal Trade Commission (FTC) announced that it had reached a $950,000 settlement with Consumerinfo.com, one of the largest firms marketing "free" credit reports to consumers. The deal is part of a crack down on so-called imposter sites of Annualcreditreport.com, where consumers really can obtain one free credit report each year. Consumerinfo.com, which operates several Web sites that shilled free credit reports, has also agreed to make refunds to consumers. According to the FTC, Consumerinfo.com used e-mail and Web ads, as well as TV and radio spots, to drive consumers to a pair of Web sites, freecreditreport.com and consumerinfo.com. At those sites, Consumerinfo marketed "free credit reports," but didn't properly disclose that consumers were automatically registered for a credit report monitoring service and charged $79.95 if they didn’t cancel within 30 days. The $950,000 fine will be applied to consumer education programs by the FTC. Further information may be found at http://www.ftc.gov/opa/2005/08/consumerinfo.htm

On August 15th, a VoIP provider called Nuvio announced that it had appealed the Federal Communications Commission’s (FCC) new requirement forcing VoIP companies to provide 911 service to all their customers by November. The rule was appealed to the U.S. Court of Appeals for the District of Columbia Circuit. Nuvio asked the court to accelerate its review of the FCC’s regulations so the process can be completed by Nov. 7th in light of the November 28th deadline for providing full 911 service or disconnecting subscribers. According to the regulations adopted in May, Internet phone operators must be able to steer 911 calls to the geographically appropriate emergency call center. In addition, the calls themselves must be accompanied by the originating address and phone number. Nuvio claims that the FCC's deadline is far too soon and that the process of making new contracts with vendors and deploying the necessary technology for compliance will take longer than 120 days. Further information may be found at http://www.nuvio.com/pressroom.php?action=fullnews&id=120
A copy of the rule may be found at http://hraunfoss.fcc.gov/edocs_public/attachmatch/DA-05-2085A1.pdf

GEICO AND GOOGLE BOTH CLAIM VICTORY IN COURT

A written opinion released August 8th by the U.S. District Court for the Eastern District of Virginia reiterated and expanded on a verbal opinion from last December that was viewed as a victory for Google. In Government Insurance Company v. Google, the court ruled that there was insufficient evidence to bar Google from displaying the banner ads of competitive insurers when Internet users conduct a search using the trademarked terms of the plaintiff, Government Employees Insurance Company (GEICO), such as the trademark "GEICO Direct." GEICO had alleged that by selling advertising space to its competitors based on searches of GEICO's trademarks Google was infringing on these trademarks and engaging in unfair competition under the Lanham Act. Despite noting many flaws in an expert survey submitted by GEICO, the Court did find GEICO's survey results to be sufficient to establish a likelihood of confusion regarding advertisements displayed in Google's ad program that included GEICO's trademarked terms in the actual advertisements next to the organic listings. Because of this remaining potential liability of trademark infringement, the Court left several legal questions unanswered, including whether Google itself is liable for any Lanham Act violations (the question of whether the advertisers themselves were in violation was not before the Court since they were not a party in the case), the time frame during which the violations occurred and the measure of damages or other relief that GEICO may be entitled to if Google is found liable. With regards to these issues, the Court decided to stay the proceedings for 30 days to give GEICO and Google time to consider the Court's written opinion and to determine whether the parties themselves can resolve the remaining issues of liability and damages. Google’s version of what happened may be found on its blog at http://googleblog.blogspot.com/

On August 4th, the 2nd Circuit Court of Appeals released a decision in U.S. v. Martin and, on August 18th, it rendered its decision in U.S. v. Coreas. The two decisions signal a clear division among judges in the 2nd Circuit over the constitutionality of search warrants used in the roundup of dozens of men nationwide in an anti-child pornography sweep. In both cases, the court dealt with the issue of a flawed affidavit submitted by a lead child porn investigator. The affidavit was used as the template for affidavits submitted by other agents to support search warrants under the initiative called "Operation Candyman." The affidavit, submitted by Special Agent Geoffrey Binney, was wrong in at least one critical respect: It stated that those who joined the so-called e-mail groups such as "Candyman e-group" automatically received e-mails containing child pornography. In fact, subscribers to the group could elect not to receive any automatic e-mails or accompanying visual files. In United States v. Martin, a divided panel ruled that even if the false statements were removed from an affidavit used to search the computer of a defendant who went from the Candyman e-group to a related group called "girls12-16," law enforcement officials still had probable cause. In United States v. Coreas, the panel agreed the affidavit used to obtain a warrant for defendant Willie Coreas, an affidavit based in part on information from Agent Binney, was fatally flawed but unwillingly found itself barred from finding that there was an absence of probable cause because of the Martin precedent. The panel noted that the central allegations of Binney’s affidavit were knowingly or recklessly false. The split of opinion among judges in the circuit sets the stage for a possible rehearing en banc in which all active judges on the court would resolve the issue. The decisions in both cases may be found at http://www.ca2.uscourts.gov/

In a declaratory judgment, the U.S. District Court for the Eastern District of Pennsylvania ruled that the federal E-SIGN Act does not obligate a mutual fund broker to accept transfer requests in electronic form. The purpose of the act is to insulate e-contracts from validity challenges, the court explained, and not to force an e-contract upon an unwilling party. The decision in Prudential Insurance Co. v. Prusky may be found at http://www.paed.uscourts.gov/documents/opinions/05D0871P.pdf