Welcome to the CyberLawg

Telecom Granted Spying Immunity by Senate
Security
Wednesday, 09 July 2008

 

The Senate approved a bill today that will finally provide some guidance on procedures for government eavesdropping under what the Bush Administration has dubbed its “terrorist surveillance program.” The bill provides that any future surveillance be approved by the non-public United States Foreign Intelligence Surveillance Court.

Of particular note in the bill is the fact that telecom companies were granted immunity for providing assistance to the Bush Administration so long as they can show that they were given assurances from the Administration that the eavesdropping was legal.

Opinions were mixed about this immunity. Senator Patrick Leahy noted that the bill “does not provide accountability for the six years of illegal, warrantless wiretapping initiated and approved by this administration.” Others note that telecommunication firms were placed in difficult positions; either obey the administration or suffer the political consequences. Of course, AT&T and Verizon Communications, among others, have very large legal departments that could easily have vetted the issue by asking for clarification from the federal courts in a protected, non-public manner. The fact that these firms turned a blind eye to their customers’ civil rights is problematic.

If blanket immunity is not appropriate, what is? Appreciating the unique circumstances, perhaps Congress could have split the baby, capping economic damages, but allowing lawsuits to continue. There is little question that civil liberties were violated in this case. Granting a total pass on liability for telecommunications companies that turned a blind eye to these issues was not the best policy choice.




FBI Pushes for ISP Data Retention
Security
Thursday, 24 April 2008

 

The FBI is renewing its push for legislation that would mandate that ISPs keep records of their users’ activities for longer periods of time. Records retained would be available for review by police in cases where a search of such records is warranted. The FBI’s proposed retention period is two years. Types of data retained could be as minimal as the IP addresses assigned to each customer or as detailed as web sites visited, instant messaging logs, and more. The devil is in the details, of course, and both the retention period and the types of data requiring retention would likely be modified if any serious legislation began to move forward.

 

The question: is this good policy? The Justice Department has its points. More comprehensive records would allow a case to be built more quickly against a potential terrorist or other online criminal. It’s hard to argue that a greater pool of data would not be effective in deterring crime.

 

On the other hand, the privacy problems are enormous. The vast majority of ISP customers will never need to be investigated by law enforcement for any reason. Regardless, these customers’ actions would be retained by ISPs for quite some time.

 

ISPs, already inundated with spam, additional resource loads, and a host of other problems, would also bear a much greater burden. While hardware for data storage is less and less expensive by the day, it is nonetheless an additional cost. The increased administrative burden of managing the data is also a strain that few ISPs will welcome.

 

While the FBI may get its way in part, privacy interests and the preferences of ISPs will likely lead to less than the FBI is seeking.




Open Source Fears Fuel Microsoft Pirating Policy
Security
Tuesday, 04 December 2007

 

Microsoft is reassessing security systems that disable pirated programs on users’ computers in favor of the approach employed by “trialware” and “shareware”: constant nagging.

 

While the current version of Microsoft’s Genuine Advantage tool will disable pirated software, the newer version being released with Vista’s first Service Pack will instead display warnings, constant reminder bubbles, and similar “nags” to a user, but will not disable the software.

 

Microsoft says it wants to create “opportunity” for customers to “get legal” with the new policy, even offering very substantial price cuts on Vista Home Premium to users of pirated software. While that is likely some part of the story, the very apparent “unspoken” reason is Microsoft’s fear that its current policy is driving customers to competitors, such as Apple and open source alternatives like Ubuntu.

 

Microsoft understands that much of its success depends on Windows® being the de facto OS in the marketplace, even when it is illegally employed by users. The more Windows® users, the more likely that third party software will be developed with Windows® as the standard operating system. The more third party software available for Windows®, the more likely a user will purchase Microsoft’s OS.

 

Given its change in direction, Microsoft seems to have now correctly determined that being a standard in an industry has greater value than a few million additional paid licenses. Settling for being a standard is better than having nothing if users, even the illegal ones, move to competing operating systems.




Hackers Target US Networks
Security
Saturday, 20 October 2007

 

About 140 foreign intelligence organizations are trying to hack into the computer networks of the U.S. government and U.S. companies, a top counterintelligence official has reported. The official, Joel Brenner, warned that hackers could create chaos by manipulating information in electronic systems the government, military and private industry rely on.

 

The number of hackers worldwide has been growing at an alarming rate. Even more alarming is the continued ineffectiveness of United States security policy. While governments such as France and others are taking positive steps to improve their security, the U.S. has inefficient laws that take a “reactive” stance.

 

Particularly given the United States’ status as a primary hacking target, U.S. law and policy must be more “proactive” in finding such organizations. More particularly, the U.S. must understand that cutting off the funding sources for these groups would provide a good start.

 

Bottom Line: The United States must understand that the next September 11th type of attack will be electronically based. Setting standards of security for networks and critical computer systems is not a convenience, but a necessity.




Wal Mart Begins Selling DRM Free Music
Security
Friday, 24 August 2007

 

As CyberLawg previously discussed, the dominant iTunes is beginning to see substantial competition, buoyed by Apple’s restrictive digital rights management (DRM) on its downloads.

 

The newest competitor is Wal-Mart, which has the power to redefine a market based on its massive retailing power. The retail giant has announced that it will begin selling DRM-free music online for much less than iTunes charges. While iTunes sells its DRM-free music for $1.29, Wal-Mart’s current pricing has DRM-free music at only 94 cents, even less than the price charged by iTunes for DRM-protected music.

 

Bottom Line: While Wal-Mart’s entry is likely “promotionally priced” and the library is more limited than other services, it is increasingly apparent that DRM-protected music will likely not win out in the marketplace unless it is priced LESS than similarly available DRM-free music. Whether iTunes and the major labels will react to this shift in the marketplace is less a question of “if” and more a question of “when.” Consumers have made it clear that DRM is not palatable to their needs, and certainly not when it is sold at a premium price.




Spam, Trojans, Law and Terrorism
Security
Saturday, 07 July 2007

 

A new study suggests that certain phishing and spamming operations are filtering their proceeds directly into terrorist cells that plan to attack the United Kingdom and United States.

The men behind the operation in the study used stolen credit cards, obtained via phishing schemes, to purchase necessary materials. The men then used the stolen credit cards to launder money through online gambling sites, including AbsolutePoker.com, BetFair.com, BetonBet.com, Canbet.com, Eurobet.com, NoblePoker.com and ParadisePoker.com, among others.

Investigators estimated that the practices led to as much as $3.5 million in fraudulent charges on credit cards obtained through phishing schemes. Other funds were obtained through the distribution of Trojan horses, which are typically sent via spam e-mail and allow the schemers to take control over end-users' computers.

While this is concerning enough, one investigator is quoted in the story as stating:

 

There is no law enforcement agency in the world that, if this wasn't a terrorism financing case, would follow up on this. They just don't have the resources.

 

This story brings salience to the largely misguided cybercrime policy in the United States.

First, despite there being numerous private parties capable of tracking and analyzing the patterns of such criminals, the policy of the United States has largely destroyed the incentive for private parties to pursue these networks. Proposals for “bounties” paid by government to private investigators have been rejected, and stronger state laws providing statutory damages and incentives for “private attorneys general” have been gutted by inferior laws such as CAN-SPAM. This is despite the fact that law enforcement knows that it simply cannot investigate every cyber crime matter alone, as the quoted investigator admits.

Second, the United States' recent decision to effectively ban online gambling for American citizens, in violation of WTO rules, has meant that these online gambling sites have been forced into the proverbial shadows. In addition to rejecting the very large pool of income that would come from regulating and taxing these sites, the U.S. policy means that gambling sites become much more palatable to terrorism because the transactions are unregulated and the sites already actively seek to avoid the auspices of law enforcement.

Bottom Line: While cyber criminals are taking advantage of unregulated technology and underfunded authorities, the United States is letting simple and effective procedures for combating these schemes lie untapped. One can only hope that regulators recognize the easily implemented opportunities to combat such schemes before another major terrorist attack, funded via similar means, strikes the United States or United Kingdom.




China Military Rising in Cyberspace
Security
Thursday, 14 June 2007

 

Yet another example of the United States’ weakness in protecting its citizens from cybercrime and cyberwarfare is the Defense Department’s recent report on China’s growing ability to challenge the United States in "electromagnetic dominance" in conflicts.

 

China has (correctly) identified the power of viruses, denial of service (DoS) attacks and network security as critical in wars or conflicts. The Chinese army has established information warfare units to develop viruses to attack enemy computer systems and networks and has also developed electronic countermeasures and defenses against electronic attack, including infrared decoys, angle reflectors and false-target generators.

 

China’s current development has been attributed to a mix of criminals, hackers and “nation-state” forces. The report also notes that China and others were constantly attempting to access U.S. networks for trade and defense secrets.

 

Bottom Line: The United States has been lax on cyber-security for too long. The inefficient and ineffective regulations have mostly affected businesses and consumers to this point, but it is apparent that national security risks should become more salient to lawmakers and military when considering cybersecurity policy.




Internet Spyware Prevention Act of 2007
Security
Monday, 28 May 2007

 

The House of Representatives recently passed the Internet Spyware (I-SPY) Prevention Act of 2007. The bill amends the federal criminal code to prohibit intentionally accessing a protected computer without authorization, or exceeding authorized access, by causing a computer program or code to be copied onto the protected computer, and intentionally using that program or code: (1) in furtherance of another federal criminal offense; (2) to obtain or transmit personal information (including a first or last name, physical address, Social Security number or other government-issued identification number, a bank or credit card number, or an associated password or access code) with intent to defraud or injure a person or cause damage to a protected computer; or (3) to impair the security protection of that computer.

 

The bill goes on to express the Sense of Congress that the Department of Justice should vigorously pursue claims against. Unfortunately, the bill also prohibits civil actions under state law.

 

Bottom Line: Congress is correct to continue addressing cybercrimes and cybertorts via legislation. The decision to prevent civil actions under state law, however, is misguided. Instead of allowing consumers to address their losses in a private fashion, victims of spyware must depend on already overburdened law enforcement authorities under this legislation.




Cyber Security Enhancement Act of 2007
Security
Sunday, 20 May 2007

 

A bill has been introduced in the United States Congress to shore up penalties and provide additional funding for fighting cyber crimes. The bill, HR 2290 in the 110th Congress, expands the scope of 18 USC 1030, entitled “fraud and related activity in connection with computers.” That section provides ramifications, both civil and criminal, for unauthorized computer access. The proposed bill would expand and redefine several portions of 1030 to allow for greater enforcement of cybercrimes.

 

First, 1030(a)(2) would prevent an unauthorized user from obtaining “(D) a unique electronic identification number, address or routing code, or access device (as defined in section 1029(e)(1)), from a protected computer.” This means that liability would attach if someone accessed your bank account details, social security number or similar electronic identification information via unauthorized access to a protected computer.

 

The bill also expands the use of full interstate and foreign commerce power for criminal penalties. The current version of 1030 requires that the conduct involve an interstate or foreign communication, which typically requires communications traveling between different states or countries. The bill would amend this provision to require that the communication only “affect” interstate commerce. This expands the applicability of 1030 to communications occurring within the same state, for example.

 

The proposed legislation also requires that damages or fines shall be any benefits obtained as a result of the conduct. If a hacker stole $10,000 via a protected computer, that would be the amount of the fine, in addition to any jail time or other ramifications.

 

Furthermore, damage affecting ten or more protected computers during any 1-year period would now be actionable, in addition to the previous provisions, which required $5,000 or more in damage to one person in one year, or “clear and present dangers” such as threats to personal safety or public safety. This is a particularly good provision because it addresses some of the most prevalent cyber security problems, such as phishing, spamming and spyware. Now, if as few as 10 computers are affected in interstate commerce, Section 1030 would be a tool against the wrongdoer.

 

The bill also expressly defines any activity under 1030 to be a “racketeering activity” under RICO, expands liability to conspirators, and expands the cyber extortion provisions of 1030. Finally, the bill provides $10,000,000 to the Director of the United States Secret Service, $10,000,000 to the Attorney General for the Criminal Division of the Department of Justice and $10,000,000 to the Director of the Federal Bureau of Investigation for purposes of stepping up enforcement of cybercrime.

 

Bottom Line: The proposed Cyber-Security Enhancement Act of 2007 is an excellent bill that would make simple changes to existing law but would allow for powerful new legal tools to combat cyber crime. While it is presently in the early stages of House consideration, Congress would be wise to give this bill the attention that it deserves as it moves through the chambers.




TSA Suit Reminder of Security Concerns
Security
Tuesday, 08 May 2007

 

The union representing most of the nation’s airport safety screeners has filed a class action suit against the Transportation Security Administration for its negligence in allowing an external hard drive to be stolen from TSA Headquarters. The hard drive contained 100,000 records of past and current employees, including social security numbers, banking details and other sensitive data.

 

The suit seeks injunctive and monetary relief, including compensation for any financial losses from the breach and additional safeguards to prevent future thefts of personal data.

 

The breach of security is especially troubling in this case because the agency robbed is one that is primarily responsible for managing the safety of the oft-targeted air travel industry.

 

The suits were not unexpected. Such a high profile loss of data is often followed by a lawsuit. The union’s lawsuit, however, is very appropriate in this matter. First, the union’s demands are reasonable. The plaintiffs ask for injunctive relief, that is, relief that will improve the TSA’s future protection of data. The relief requested includes encryption of data and electronic monitoring of data. The plaintiffs also request monetary relief for any losses resulting from the breach. Second, the lawsuit is appropriate because it helps to bring attention to the need for greater security protections in organizations of any size, government or private.

 

Unfortunately, most organizations, big or small, would do well to reevaluate their data security policies. Many times, taking small steps to protect sensitive data can make a substantial difference, even in situations where sophisticated encryption and other technology is not used.

 

For example, setting your computer to require a password to access data after about 5-10 minutes of inactivity is an easy step to prevent prying eyes from taking “quick peeks” at your data. Don’t use the same password for all of your accounts, and be aware of the roster of people that have access to your sensitive data at all times.

 

Bottom Line: The TSA mishap could likely have been averted by following simple steps such as these. The union lawsuit brings salience to the value of data and the increasing need for all of us to make small changes in our daily behavior in the interest of greater protection of sensitive data.




Apple Reduces DRM in iTunes
Security
Monday, 02 April 2007

 

In a move that will be welcomed by consumers, Apple announced that it would offer certain files from a major record label without the digital rights management (DRM) typically included on files downloaded from iTunes. “Digital rights management” refers to certain protections placed on digital files that prevent consumers from modifying them or easily sharing them with others. DRM is widely considered to be anti-consumer, but major record labels and intellectual property (IP) owners have used the protections to avoid returning to the height of illegal peer-to-peer file sharing.

 

In the past several years, Apple has been extraordinarily successful in “trapping” consumers with Apple brands. First, Apple succeeded in positioning the iPod as the newest “in thing” with numerous television and print ads. Once consumers were hooked, they headed to iTunes to download new music and other digital media, such as music videos and television shows. The problem, of course, was the fact that the files purchased on iTunes would only work with an iPod. Thus, consumers who had already invested their money in DRM-protected files felt obligated to continue to use Apple products, even as new competitors for music emerged, such as Napster, Rhapsody, Microsoft’s Urge and Yahoo! Music. The subscription services, especially, provided very stiff competition to iTunes’ “only-buy-a-la-carte” business model.

 

While successful for a short while, Apple certainly has to see that the end is near. The increasing competition and cry for more freedom would have eventually affected Apple’s bottom line, and failing to produce files free of DRM when other options exist would have incentivized many consumers to return to the peer-to-peer method of collecting music or moving more rapidly to subscription services.

 

The music labels, of course, are subject to a similar analysis. While the labels initially resisted the (less profitable) subscription services and endorsed DRM, the power of the consumer has led to these new products and services being introduced.

 

Of course, the new DRM-free files are going to cost you more. The non-DRM files are currently priced at $1.29, or 30 cents more than the customary 99 cent per song rate. Certainly, the labels expect that some of these files will appear in peer-to-peer networks, and the increased price seems to anticipate that loss. The increase in price also comes more in line with a “store bought” CD price and is also likely designed to “prepare” consumers for likely price increases in the future, even for DRM protected content.

 

Bottom Line: While Apple may be lauded in certain circles for “listening to the consumer” it is important to remember that this is also a savvy business decision given the changing competitive and consumer environments. Apple likely stemmed the tide of consumer movement from iTunes, laid the groundwork for an increase in prices and positioned itself to compete with new competing services in the future.



