CREATOR OF LOVERSPY SPYWARE INDICTED

On August 26th, United States Attorney Carol C. Lam of the Southern District of California and John C. Richter, Acting Assistant Attorney General for the Criminal Division, U.S. Department of Justice, announced the indictments of Carlos Enrique Perez-Melara, the creator and marketer of a spyware program called "Loverspy," and four others who used Loverspy to illegally intercept the electronic communications of others. Prospective purchasers, after paying $89 through a web site in Texas, were electronically redirected to Perez’s computers in San Diego, where the "members" area of Loverspy was located. Purchasers would choose an electronic greeting card to send to up to five different victims or email addresses. The purchaser would draft an email sending the card and use a true or fake email address for the sender. Unbeknownst to the victims, once the email greeting card was opened, Loverspy secretly installed itself on their computer. Thereafter, all activities on the computer, including emails sent and received, web sites visited, and passwords entered were intercepted, collected and sent to the purchaser directly or through Mr. Perez’s computers in San Diego. Loverspy also gave the purchaser the ability to remotely control the victim’s computer, including accessing, changing and deleting files, and turning on web-enabled cameras connected to the victim computers. Over 1,000 purchasers bought Loverspy and used it against more than 2,000 victims. The indictment charges Mr. Perez with: creating a surreptitious interception device; sending the program, hidden in an innocuous-appearing electronic greeting card, to victims; advertising the program; advertising the surreptitious use of the program; illegal wiretapping; disclosing illegally intercepted communications; and obtaining unauthorized access to the victim computers. Each count of the 35-count indictment carries a maximum penalty of five years in prison and a maximum fine of $250,000 per count. Several users of Loverspy were also indicted and charged with illegal computer hacking, through utilization of Loverspy, in furtherance of other criminal activity and with illegally intercepting the electronic communications of their victims. Each of the two counts carries a maximum penalty of up to five years in prison and a maximum fine of up to $250,000. Further information may be found at http://www.usdoj.gov/criminal/cybercrime/perezIndict.htm

On August 25th, the Motion Picture Association of America (MPAA) announced that it had filed 286 lawsuits against people around the United States accused of swapping movies online based on information acquired from file-trading sites shut down earlier in the year. Most of those sites were hubs connecting people using the BitTorrent technology, a peer-to-peer application designed for speeding downloads of large files. Studios launched a new campaign against individual file swappers and peer-to-peer services last December, in particular targeting the BitTorrent hubs that served as jumping-off points for downloading a wide array of software and movies. Many of the most popular sites have since shut down, either voluntarily or in the wake of lawsuits. Further information may be found at http://www.mpaa.org/MPAAPress/2005/2005_08_25.doc

On August 24th, New York Attorney General Eliot L. Spitzer’s office announced that America Online (AOL) agreed to pay a $1.25 million fine and change its practice of discouraging consumers from canceling service. Spitzer's office received about 300 customer complaints since 2000 and found that AOL's customer service personnel were given a financial incentive to prevent subscribers from leaving the service. AOL did not admit wrongdoing, but the Dulles company agreed to alter its practices and to use a third-party company to verify whether customers wish to continue getting the service. The company also agreed to refund up to four months' worth of service to all New York consumers who claimed harm based on improper cancellation procedures. According to Spitzer's findings, AOL customer representatives received bonuses of thousands of dollars if they managed to retain about half of the people who called trying to cancel service, which led some employees to fail to process such requests. Further information may be found at http://www.oag.state.ny.us/press/2005/aug/aug24a_05.html

On August 24th, the Fourth Circuit Court of Appeals ruled that a critic of Rev. Jerry Falwell can keep the domain name fallwell.com, reversing a lower court decision. Falwell’s attorney said he plans to seek a rehearing. Chistopher Lamparello registered Fallwell.com in 1999 after hearing Falwell give an interview containing what he considered to be offensive opinions about homosexuality, according to the appellate court opinion. The front page of the site asks visitors to explore the site "to see why Rev. Falwell is completely wrong about people who are gay or lesbian." The district court had enjoined Lamparello from using the domain name and required him to transfer it to Falwell. But the appeals court felt that that there was no trademark violation because there was no likelihood of confusion as no web site visitor would think Falwell was connected to the site. The opinion in Falwell v. Lamparello may be found at http://pacer.ca4.uscourts.gov/opinion.pdf/042011.P.pdf

On August 25th, the U.S. Department of Justice announced that a federal grand jury had indicted three individuals accused of sending pornographic bulk e-mail in a major international spam case. The unsolicited e-mails may have numbered in the tens of millions. The grand jury issued indictments against former Arizona resident Jennifer R. Clason, 32; Jeffrey A. Kilbride, 39, of California; and James R. Schaffer, 39, of Arizona. A fourth person involved in the case, Andrew Ellifson, 31, pleaded guilty last February to one count under the Can-Spam Act and one count of criminal conspiracy. His conviction marked the first related to the distribution of obscene spam e-mail. A nine-count indictment was issued against the three defendants. Each was indicted on two counts of fraud under the Can-Spam Act and one count of criminal conspiracy. Two of the defendants, Kilbride and Schaffer, also were indicted on two counts of interstate transportation of obscene material using a computer service, two counts of interstate transportation of obscene material and one count of money laundering. Further information may be found at http://www.usdoj.gov/opa/pr/2005/August/05_crm_431.htm

The next "big news" in e-mail security may be reputation filters. A new website called "The Trusted Source" is helping to determine which e-mail may be legitimate and which may be spam. Makers of spam-fighting tools collect data on e-mail senders and use that to assign "reputations" to computers sending e-mail and Internet domains. Those who send a lot of spam get a negative rating and their messages are more likely to be filtered out. CipherTrust is one of those e-mail security vendors. It has sold more than 4,000 of its IronMail appliances to customers worldwide. CipherTrust is now sharing some of the reputation data it has gathered through those machines with the public through the TrustedSource web site. The web site is designed to be a reference tool. Entering a domain name generates a list of the Internet Protocol addresses of machines that send e-mail for that domain. Users can then drill down and click on each sending address to see if the specific machine has been sending junk mail or legitimate messages. The web site may be found at http://www.trustedsource.org

On August 30th, the Electronic Privacy Information Center (EPIC) filed a petition with the Federal Communications Commission (FCC), urging it to better protect customers' private data, including records of calls made and received, from being bought and sold on the Internet. EPIC wants the FCC to create tougher rules for how and when landline and wireless carriers release customer information. The group argues that the active marketplace for telephone records demonstrates that security practices at telecommunications companies are lax. Dozens of web sites operated by data brokers and private investigators offer to sell detailed calling records for as little as $110 for the most recent billing cycle. The data is often collected by impersonating customers or paying off insiders, according to the petition. Buyers of the information include attorneys trying to find witnesses or suspects, debt collectors and suspicious spouses or lovers. EPIC included in its filing a list of more than 40 web sites that offer to sell call records, often within hours of receiving credit-card orders that are taken online. Further information may be found at http://www.epic.org/privacy/iei/cpnipet.html

Beginning this fall, 13 states will encourage (though not mandate) that online businesses collect sales tax just as brick and mortar stores do. More states are considering joining the effort. Right now, buyers are expected to pay sales taxes on Internet purchases themselves directly to the state when they pay their income taxes. But it's not widely enforced – indeed it’s honored mostly in the breach, and states say it costs them upwards of $15 billion a year in lost revenues, collectively. Organizers of the states' effort, known as the Streamlined Sales Tax Project, have sought to unify tax rules and definitions among the states. They hope to persuade federal lawmakers to pass a new law to require online companies to collect the taxes. To be accepted as part of the project, a state must change its tax laws to match up with the other states. So far, 13 states have come far enough to be part of the project. Five more are approved to join within the next few years, and others have made partial steps. The initial participating13 states are Indiana, Iowa, Kansas, Kentucky, Michigan, Minnesota, Nebraska, New Jersey, North Carolina, North Dakota, Oklahoma, South Dakota, and West Virginia. Five that will be added in the next few years are Arkansas, Ohio, Tennessee, Utah and Wyoming. The web site for the Streamlined Sales Tax Project may be found at http://www.streamlinedsalestax.org

On September 1st, the 8th Circuit Court of Appeals ruled that the Digital Millennium Copyright Act (DMCA) means that computer programmers do not have the right to reverse-engineer Blizzard Entertainment's video games to improve their playability. Hence, players may not alter Blizzard games to link with servers other than the company's official Battle.net site. In a 3-0 decision, the court upheld a trial judge's ruling from October 2004, concluding the programmers' "circumvention in this case constitutes infringement." The DMCA broadly restricts circumventing, or bypassing, antipiracy measures. Blizzard had included such measures to tie its games to the Battle.net site and detect pirated copies. The defendants in the case, Ross Combs and Rob Crittenden, reverse-engineered the Blizzard protocol using tools like "tcpdump" to listen to the software's communications with a game server. Eventually, their "bnetd" project let Blizzard games connect with unofficial servers, yielding benefits like faster response times. The 8th Circuit also cited a contractual agreement that Combs and Crittenden agreed to when installing Blizzard software. That agreement prohibits reverse-engineering. The decision in Blizzard v. Jung et al may found at http://www.eff.org/IP/Emulation/Blizzard_v_bnetd/20050901_decision.pdf

On September 8th, the Justice Department's antitrust division sued the National Association of Realtors (NAR), alleging that it is using its online multiple listing service policies to restrict competition from discount brokers offering lower prices. Discount brokerages are undercutting the traditional 6 percent commission rate that has continued to dominate even as home prices in some markets have doubled over the last five years. The realtors’ group announced that it was changing its online sales listing policy to make listings more widely available, but Justice Department officials said the changes do not go far enough. At issue in the lawsuit are Internet listing rules adopted by the Realtors in 2003 that allowed real estate brokers to opt out of having their listings appear on the Web sites of other brokers. The rules were controversial from the beginning and association officials said they were never fully implemented, but Justice Department officials said at a news conference that of about 1,000 affiliated multiple listing services, about 200 adopted the restrictive policy. Further information may be found at http://www.usdoj.gov/opa/pr/2005/September/05_at_461.htm. On the same date, NAR announced that it was adopting a new policy that ensures that all members of Realtor multiple listing services will receive exactly the same MLS property listings for display on their Web sites as their competitors. Further information about the new policy may be found at http://www.realtor.org/PublicAffairsWeb.nsf/Pages/NewMLSPolicy?OpenDocument

On September 7th, GEICO announced that it had settled a trademark infringement suit, which it had filed against Google over its online advertising practices. The lawsuit, originally filed in May 2004, had sought to hold Google responsible for trademark infringement for displaying advertising paid for by rival insurers when computer users searched for the word "GEICO" on the Google system. The complaint could have effectively prohibited a basic way Google sells online advertising, by linking keyword searches to ads. This is the source of the majority of Google's revenues. Terms of the settlement were not discussed but commentators suggested that some sort of payment to GEICO had likely been made by Google. Further information may be found at http://www.clickz.com/news/article.php/3547356

On September 7th, the Maryland Court of Appeals ruled against a common law enforcement tactic of having adult officers pose as children in Internet chat rooms to arrest potential sex offenders. The court held that the law does not allow the prosecution of people who merely believed they were dealing with children. The court unanimously overturned the Frederick County Circuit Court conviction of Richard J. Moore, saying he could not be found guilty of committing a crime with a nonexistent victim. The head of the Maryland State's Attorneys' Association said the ruling effectively guts efforts to catch people preying on children via the Internet. In explaining its reasoning, the court relied heavily on the General Assembly's intent in amending its child pornography laws since 1996. The opinion, written by Judge John C. Eldridge, noted that the legislature has tried but failed six times to broaden the law and make it illegal to proposition an adult who the suspect believes is a minor. When the General Assembly used the word "minor," the ruling said, it specifically meant "an actual person who is under the age of 18 years."

The LexisNexis data collection service has introduced CopyGuard, a program aimed at exposing plagiarists or spotting copyright infringement. According to John Barrie, chief executive of iParadigms, the company that developed the program with LexisNexis, CopyGuard can generate a report that calculates the percentage of material suspected of not being original, highlights that text and pinpoints its possible original source, all within seconds. CopyGuard, which is available by subscription, uses LexisNexis's database of more than six billion documents and several years' worth of web pages archived by iParadigm. In addition to checking newspaper and magazine articles, CopyGuard can be used by publishers to scan book manuscripts. Further information about CopyGuard may be found at http://www.lexisnexis.com/copyguard

The National Judicial College (NJC) predicts that more courts will turn to electronic filing to deal with ever-growing caseloads. The NJC referenced the recently released study, "Judicial Survey: Electronic Filing in U.S. State Trial Courts," in which more than 1,500 judges participated. More than 70 percent of the judges surveyed said that their caseloads continue to increase, and 85 percent said they believe the volume of paperwork they manage is a growing problem. Seventy-six percent said their clerks would support it, and 89 percent said lawyers would. While most judges said e-filing would improve access to information, increase efficiency for clerks and reduce the amount of storage needed for court records, 48 percent said they weren't familiar with it. The judges said they would like to learn more about rules and procedures regarding electronic systems. Only 16 percent said their courts have e-filing. E-filing has grown by 12-15 percent a year, according to the survey. The study may be found at http://www.lexisnexis.com/efiling/NJC-E-filing-Survey-060705.pdf

On September 13th, Microsoft proposed settling its lawsuit with Google over its hiring a former Microsoft executive in China by asking Google to agree to limit the executive’s duties until July 2006 when the non-compete agreement he signed with Microsoft expires. Earlier the same day, a Washington state judge ruled that Kai-Fu Lee could immediately begin recruiting staff for a Google development center in China rather than wait until after a January trial, but the judge severely limited the scope of his duties until then. "We can settle this lawsuit tomorrow if Google will agree to take today's preliminary injunction, keep every word without a single change and enter it as a permanent injunction that will last until July 18, 2006," said Brad Smith, general counsel for Microsoft. In his 13-page ruling, Judge Steven Gonzalez restricted Lee to recruiting for Google in China and to talking to government officials about getting a license to do business there but said Lee cannot work on technologies such as search or speech. Lee also cannot set budgets or salaries, or decide what research Google will do in China, according to the order. The ruling also prohibits Lee from recruiting Microsoft employees or using any confidential information he learned while working for Microsoft. In its findings of fact, the court said Lee misled Microsoft about his intention to return to the software company from a sabbatical and that he was instead contacted and hired by Google. The court also said Lee assisted Google while he was still employed at Microsoft. The preliminary injunction in the case may be found at http://download.microsoft.com/download/5/3/2/53239546-efee-460c-a583-11c20cdea9a b/Google%20Preliminary%20Injunction%20Order%20Sept%2013_05.pdf

On September 13th, the Colorado Supreme Court prohibited the release of hundreds of romantic and sexually explicit e-mails between a former Arapahoe County clerk and an employee, ruling they were not public records. The Rocky Mountain News and Arapahoe County commissioners had sought the release of the e-mails, arguing they were public records because they were written on county computers. The Supreme Court held that the e-mails between former clerk Tracy Baker and his deputy and girlfriend, Leesa Sale, were exempt from Colorado's open records law because they dealt with their private lives, not public business. The case returns to the Colorado Court of Appeals to decide which e-mails fall within the legal definition of public records under Colorado law. Further information may be found at http://www.law.com/jsp/article.jsp?id=1126528525303

On September 19th, Microsoft filed eight antipiracy lawsuits in five states against companies that allegedly are distributing counterfeit versions of its software or copies that infringe on Microsoft trademarks or copyrights. Lawsuits were filed against BWT Industry Technology Service, d/b/a Computer Max in Arizona; Data Day USA, MicroCity4Less.com and Winvtech Solutions Inc. in California; Global Computing Inc. in Illinois; Ion Technologies in Minnesota; and Compustar and Chips & Techs in New York. Microsoft identified the companies' alleged illegal activity by multiple means, including the new Windows Genuine Advantage program as well as customers reporting suspected pirated Microsoft software, according to a company attorney. Microsoft launched the Windows Genuine Advantage 1.0 program in July requiring customers to validate that they are running legitimate copies of Windows before they can use Microsoft's various software download services. Reportedly, all of the defendant companies had been notified previously that they were distributing copies of software that are counterfeit or infringe on copyrights or trademarks Microsoft owns. Further information may be found at http://www.microsoft.com/presspass/press/2005/sep05/09-19PiracyEnfSept05PR.mspx

On September 20th, the Authors Guild, which represents more than 8000 authors, filed a suit accusing Google of "massive copyright infringement." The suit charges that Google cannot put books in the public domain for commercial use without permission. The suit, filed in the U.S. District Court in Manhattan, asks the court to block Google from copying the books so the authors would not suffer irreparable harm by being deprived of the right to control reproduction of their works. It seeks class-action status on behalf of anyone or any entity with a copyright to a literary work at the University of Michigan library. The lawsuit said Google knew or should have known that copyright laws required it to obtain authorization from copyright owners of literary works to create and reproduce digital copies for its own commercial use. Further information may be found at http://www.authorsguild.org/news/sues_google_citing.htm

On September 22nd, free-speech advocate Reporters Without Borders published a guide for blogging in China, Iran and other countries that strictly censor the Web. The 87-page booklet, titled "The Handbook for Bloggers and Cyber-Dissidents," includes chapters on how to blog anonymously and on technical ways to get around censorship. The handbook is available online in English, French, Chinese, Arabic and Farsi. In addition to bloggers' personal stories, the booklet offers technical information for dodging government censors, including tips for thwarting filtering technology that can block access to selected web pages. The book also covers e-mail encryption, online pseudonyms and anonymous proxies, discussing ethics and how to attract an audience. The handbook may be found at http://www.rsf.org/rubrique.php3?id_rubrique=542

On September 22nd, the top three U.S. credit reporting companies said that they would adopt a single, shared encryption standard to better protect the massive amounts of sensitive electronic data they receive every day from banks, retailers and credit card companies. Equifax Inc., subsidiary Experian and privately held TransUnion LLC, which maintain huge databases on hundreds of millions of Americans, said the joint effort would involve the development and adoption of a data-cloaking code built on a minimum of 128-bit encrypted algorithm and secret-key technologies. According to a report released earlier this week by Symantec, the world's biggest maker of security software, programs designed to steal confidential information accounted for three-quarters of the viruses during the first half of 2005, up from 54 percent in the last six months of 2004. Further information may be found at http://www.transunion.com/Press/PressReleaseDetails.jsp?id=/releases/press/data/ 20050922Encryption.xml&page=FIRST

On September 21st, the Drug Enforcement Administration (DEA) announced that it had arrested at least 18 people and halted prescription writing by dozens of doctors and a pharmacist in a crackdown on illegal sales of medications over the Internet. Thirteen arrests were made in Texas and five in Florida. The Drug Enforcement Administration suspended the registrations of 20 doctors and 22 Internet pharmacies in the U.S., including Puerto Rico, to stop them from writing or filling prescriptions. Agents also shut down at least 4,600 Web sites the suspects controlled, and seized 2,400 checks and money orders written by individuals for $200 each. They also seized seven luxury cars and boxes of cash that had not yet been counted in the yearlong multi-agency investigation dubbed "Operation CYBERx." Further information may be found at http://www.dea.gov/pubs/pressrel/pr092105.html

On September 21st, the Federal Aviation Administration (FAA) said it plans to require that airlines provide a way for the cabin crew to "discreetly notify" pilots in the event of suspicious activity or security breaches in the cabin. The proposed regulation, which is not yet final, grew out of an advisory panel that the Transportation Department created after the Sept. 11, 2001 terrorist attacks. That panel recommended that cabin crews have a method for immediate notification to the flight deck during a suspected threat in the cabin that would permit pilots to take appropriate action, such as beginning an immediate landing. The FAA's proposal does not mandate wireless devices though it is thought likely that such devices would be the best solution. Other systems that the agency mentioned as possible alternatives to wireless devices include setting up an alarm procedure using an existing communications system, such as keying the intercom in a specific manner. Public comments on the proposal are due by November 21st. After final approval, airlines would have two years to comply. The proposed regulation may be found at http://a257.g.akamaitech.net/7/257/2422/01jan20051800/edocket.access.gpo.gov/200 5/05-18806.htm

Wisconsin U.S. District Court Judge John Shabaz ruled on September 13th that Internet Service Provider EarthLink cannot be held liable for incorrectly identifying the web site of a legitimate bank as a fraudulent attempt to snatch customers' identities. The case against EarthLink had been filed by Associated BankCorp claiming negligence and injury to its business reputation. EarthLink had warned its customers who installed a free "ScamBlocker" toolbar, and visited AssociatedBank.com, that the web site was "potentially fraudulent" and said that they should "not continue to this potentially risky site." The warning turned out to be wrong. Associated Bank, headquartered in Green Bay, Wisconsin, with more than 300 locations in the Midwest, operated a legitimate web site. However, Shabaz reasoned in his September 13th opinion that EarthLink was immunized from the lawsuit under a section of the 1996 Telecommunications Act that says an Internet provider can't be "treated as the publisher or speaker of any information provided by another information content provider." Because the company's list of "phishing" web sites had been licensed from a third party, Shabaz said that EarthLink could not be held liable. The court’s opinion may be found at http://www.wiwd.uscourts.gov/bcgi-bin/opinions/district_opinions/C/05/05-C-233-S -09-14-05.PDF

According to a new paper released by a trio of researchers, electronic equipment that costs less than $10 can sniff out what's typed on keyboards simply by recording keystroke sounds. In the paper, Doug Tygar, a professor of computer science at the University of California, Berkeley, and two PhD students, the husband-wife team of Feng Zhou and Li Zhuang, outlined how they came up with software and used off-the-shelf tools to record keystroke sounds, then turn them into a transcript that's accurate 96 percent of the time. Their research is based on the fact that each key makes a slightly different sound when struck, because of the angle at which it's pressed and its location above the keyboard supporting plate. Once the different sounds had been recorded, Tygar and his associates separated them into classes, then mapped them to the most likely keystrokes based on the English language's constraints, including the limited number of key combinations to make words and the limited number of words because of its grammar. Finally, they used spelling and grammar checking software to refine the transcriptions. A would be spy could use a wireless microphone in the user's area or snatch sounds with a parabolic microphone to escape detection. A copy of the paper may be found at http://www.cs.berkeley.edu/%7Etygar/papers/Keyboard_Acoustic_Emanations_Revisite d/preprint.pdf

On September 27th, the Federal Communications Commission (FCC) backed off again on enforcing a deadline for Internet phone service providers to disconnect all customers who haven't acknowledged that they understand it might be hard to reach a live emergency dispatcher when dialing 911. The agency explained that the status reports required from every Internet phone company last week showed that by "repeatedly prompting subscribers through a variety of means, the majority of providers … have obtained acknowledgments from nearly all, if not all, of their subscribers." The decision came a day before a deadline that would have required Internet phone companies to cut off at least 10,000 of the estimated 2.7 million users of the service in the United States. The FCC said providers that had received confirmations from at least 90% of their subscribers would no longer face the disconnection requirement, but still must continue seeking the remaining acknowledgments. All carriers below the 90% threshold will have until October 31st to reach that level and avoid the disconnection requirement. The deadline was intended as an interim safeguard while Internet phone companies work to comply with another FCC order that they add full 911 capabilities by late November. Further information may be found at http://hraunfoss.fcc.gov/edocs_public/attachmatch/DA-05-2530A1.doc

In a decision released on September 23rd, the FCC made it clear that broadband providers and Internet phone services have until spring 2007 to follow a new and complex set of rules designed to make it easier for police to seek wiretaps. The 59 page decision would apply to such companies as Vonage, SkypeOut and Packet 8. What remains unclear is what the Communications Assistance for Law Enforcement Act (CALEA) ruling means for companies, universities, nonprofits and individuals offering wireless or other forms of Internet access. Terrorism and homeland security concerns make such regulations necessary, the FCC said, repeating the arguments of Bush administration officials who have warned of VoIP services becoming a haven for terrorists, criminals and spies. The FCC's rule applies to any "Internet access service" that offers upstream or downstream speeds of at least 200kbps, which would certainly cover Wi-Fi hot spots operated by individuals or businesses. In a footnote, however, the FCC suggests that its regulations are not intended to cover hotels, coffee shops and bookstores that provide Wi-Fi service. Some answers are likely to come in a second regulation that the FCC promises to release by the end of the year. That's also expected to address whether taxpayers will pay for the cost of equipment upgrades and yield more details about deadlines. The FCC’s order may be found at http://www.fcc.gov/FCC-05-153A1.pdf

On September 28th, it was announced that the U.S. Patent and Trademark Office had reconfirmed a patent held by Eolas Technologies that allows interactive content to be embedded in a web site. Eolas is affiliated with the University of California and had filed suit against Microsoft, alleging the infringement of its patent. Microsoft has said it will continue to challenge the patent in court. Further information may be found at http://www.universityofcalifornia.edu/news/2005/sep28.html