Thursday, October 12, 2006

Perhaps the Courts don't understand the Internet?

ICANN: We can't shut down Spamhaus

Jaikumar Vijayan and Linda Rosencrance

October 11, 2006 (Computerworld) The Internet Corporation for Assigned Names and Numbers (ICANN) said in a statement today that it does not have the ability or authority to comply with a proposed court order that it suspend the Internet service of The Spamhaus Project Ltd. Spamhaus is a volunteer-run antispam service.

In a proposed order last Friday, Judge Charles Kocoras of the U.S. District Court for the Northern District of Illinois called on the organizations responsible for registering the Internet address to suspend the organization's Internet service. Both ICANN -- the nonprofit organization set up to manage the domain name system of the Internet -- and Toronto-based Tucows Inc., the registrar, are named in the order.

... Spamhaus, based in London, issued a statement yesterday saying that it ignored the judgment because it can't be enforced in the U.K.

Privacy groups rap DHS plan to limit access to clearance information

By Jonathan Marino October 10, 2006

Privacy advocates have voiced strong opposition to the Homeland Security Department's proposal to scale back the amount of information that security clearance applicants can access about government investigations of their background.

"It needs to be thoroughly revised," Pam Dixon, executive director of the World Privacy Forum, said of DHS' proposed rule change. Members of the public have until Oct. 12 to submit comments on the draft regulation.

DHS argued in its proposal that more information that comes up during background checks -- central to employment in many positions at the department -- must be kept secret to avoid compromising national security or revealing that an individual is being investigated.

Dixon responded with a four-page letter, in which she argued that DHS' move to "commingle" systems of records that come up during investigations -- including those on terrorism-related inquiries and criminal investigations -- and then exempt them from the 1974 Privacy Act creates an overly broad category of documents that are unavailable to applicants. Provisions in the Privacy Act currently give applicants the right to view their materials.

"The commingling of the records in a single system will only result in confusion on the part of DHS staff and -- especially -- on the part of individuals who are subject of the records in the system," she wrote. "That confusion may result in the denial of rights that the Privacy Act ... was intended to grant."

The result, Dixon said in an interview, could make as much as half of the information included in any clearance applicant's file exempt from the Privacy Act, and therefore unavailable to that person.

"They will have to undo this one," she said.

The World Privacy Forum is the only privacy advocacy group that has submitted comments thus far, but it is not the only one likely to oppose the proposed rule change.

"I was shocked," to see the proposed regulation, said Marc Rotenberg, executive director of the Electronic Privacy Information Center.

Rotenberg said one staffer is working nearly full-time researching the regulation, though he would not say whether EPIC will file a formal comment in opposition.

The proposed regulation lists Hugo Teufel, DHS' chief privacy officer, as one of two contacts. When approached by a Government Executive reporter at a recent hearing of DHS' Data Privacy and Integrity Advisory Committee, Teufel declined to comment on the issue. DHS also did not return repeated calls for comment.

Parents prepare to sue fingerprint grabbers

By Mark Ballard Published Friday 6th October 2006 11:47 GMT

Parents are preparing a legal challenge to schools that have fingerprinted their children without their consent.

Janine Fletcher, a solicitor and concerned parent who instigated the legal response, said she became concerned when she learned that 70 schools in her home county of Cumbria had taken children's fingerprints without seeking parental consent.

"It's a breach of human rights," she said. "Lots of parents are willing to take legal action. There's a clear case."

"We are trying to get a list of distressed parents together who are prepared to take group action," she said. "Every child has a right to privacy."

Richard Furlong, a barrister who has advised the campaign group Leave Them Kids Alone, which is co-ordinating the action, said: "Once the kids' fingerprints are taken, the schools are obliged in law to disclose the fingerprint to the police if they are investigating a crime. All of a sudden, police have a huge database to query. But the police only usually have access to your fingerprints when you are arrested."

"All of a sudden they've got this great database and in twenty years' time they'll have everyone's fingerprints through the back door," he said.

"People say, 'if you've got nothing to hide, you've got nothing to fear', I always say, well how much do you earn then?" he added.

Many schools put their fingerprint systems in over the school holidays and informed parents by letter on the first day of term, said Fletcher. Parents weren't being given enough time to disagree with the scheme, let alone think through the ramifications of their children being fingerprinted.

The group are preparing to take a test case against a school that has fingerprinted children without parental consent.

Best Privacy Policy Ever?

October 04, 2006

Cory over at Boing Boing blogged last week about an online service that helps you manage bills and informal cash flows with your roommates and friends. The service, called BillMonk, is interesting, but what's even more interesting is BillMonk's privacy policy, which is the shortest, clearest, and most substantively protective policy we've read in a long while.

Disney Sees Piracy As Competing Business Model

Date Wednesday, October 11 @ 16:06:06

Giving the Keynote address at Mipcom, Disney co-chair Anne Sweeney has broken with studio convention and recognised piracy as a business model to compete with, as opposed to simply an illegal threat to be battled.

Sweeney's pragmatic conversion came after seeing - within 15 minutes of the ABC network premiere of Desperate Housewives - a high-quality, ad-free version that had appeared on P2P networks.

“We understand now that piracy is a business model,” said Sweeney, twice voted Hollywood's most powerful woman by the Hollywood Reporter. “It exists to serve a need in the market for consumers who want TV content on demand. Pirates compete the same way we do - through quality, price and availability. We don’t like the model but we realise it’s competitive enough to make it a major competitor going forward.”

... Sweeney's address also pointed out:

- Eighty-four percent of those that used the on-demand service said that it was a “good deal” to get a free episode in return for watching an ad and, significantly for advertisers, 87 percent of those could recall the advertiser that sponsored the programme.

How would you prove that an identity thief got your information from Acxiom (or any specific source)?

Class action suit over ID theft tossed out

By Declan McCullagh Story last modified Thu Oct 12 04:24:24 PDT 2006

A federal judge in Arkansas has thrown out a class action lawsuit against Acxiom, which exposed massive amounts of Americans' personal information in a high-profile Internet security snafu three years ago.

Even though a spammer had downloaded more than one billion records from the company, U.S. District Judge William Wilson ruled that there was no evidence that Acxiom's purloined database had been used to send junk e-mail or postal mail.

Because the class action attorneys could not prove that anyone's information had actually been misused, Wilson dismissed the case and the request for damages on the grounds that any harm would be entirely speculative. "Because plaintiff has not alleged that she has suffered any concrete damages, she does not have standing under the case-or-controversy requirement," he wrote.

The decision (PDF), published on Oct. 3, could prove influential in other identity fraud cases where breaches have exposed personal information such as home addresses and Social Security numbers, but there's no proof that the information has been misused.

"If this case is not the first, it's certainly one of the first to deal with these issues," said David Kramer, a partner at the law firm of Wilson Sonsini Goodrich & Rosati, who represents Acxiom.

It's not entirely clear what information was downloaded from Acxiom. It provides databases for direct marketers, including InfoBase, described by the company as "the largest collection of U.S. consumer and telephone data in one source," and Personicx, which features the "specific consumer and demographic characteristics" of tens of millions of American households. Acxiom also provides information to law enforcement agencies, and once counted former presidential candidate Wesley Clark as a board member.

The class action lawsuit arose out of a security breach at Acxiom in 2003 in which the company did not adequately protect a server used for file transfers (FTP). Earlier this year, Scott Levine was sentenced to eight years in prison after a federal jury convicted him of 120 counts of unauthorized access to Acxiom's computers.

Levine is a native of Boca Raton, Fla. and former chief executive of a bulk e-mail company called, which had been dubbed a spammer by the Spamhaus Project. But federal prosecutors said there was no evidence that Levine used the downloaded data for identity fraud.

According to court documents, Levine and others broke into an Acxiom server used for file transfers and downloaded an encrypted password file called "ftpsam.txt" in early 2003. Then they ran a cracking utility on the ftpsam.txt file, prosecutors said, discovered 40 percent of the passwords, and used those accounts to download even more sensitive information.

The revelations raised eyebrows, in part because Acxiom Chairman Charles Morgan had offered public assurances about the company's security, including in testimony (PDF) to the Federal Trade Commission. Morgan said that his company takes "exceptional security measures to protect the information we maintain for our own information ensure that information will not be made available to any unauthorized person."

No decision about an appeal

An attorney who is co-counsel on the lawsuit against Acxiom said on Wednesday that the plaintiffs have not yet decided whether to appeal. "We're going to consider what our potential avenues are over the coming week or so, and then make a decision," said Scott Poynter of the firm Emerson Poynter in Little Rock, Ark.

Emerson Poynter describes itself as a firm that has "specialized in class action litigation for over 15 years" and says all of those cases are handled on a contingency-fee basis. It has filed class-action lawsuits against companies including AOL Time Warner, Nortel Networks and Coca-Cola, typically alleging securities fraud. It has indicated it will target companies that are accused of stock option backdating as well.

"Our client tried to find out from Acxiom if her information was compromised, and they wouldn't tell her," [They probably would not know. Not part of their business model. Do they have an ethical responsibility here? Bob] Poynter said. "We think the consumers that have their private information stored by a company should have that right...But maybe the law needs to catch up with the Internet and the way people's privacy is being invaded today."

In the lawsuit that Emerson Poynter and a second law firm filed against Acxiom in April, they raised two vague arguments: That the data-broker was negligent, and that its actions "caused an unreasonable intrusion on the privacy" of people whose records were exposed. Those legal claims require someone to have suffered actual harm beyond a possibly increased risk of identity theft, Judge Wilson concluded. (The lawyers asked for "compensatory and punitive damages" and attorneys' fees of an unspecified amount.)

"This may lead attorneys looking to bring these sorts of claims to ensure their clients have suffered actual harm rather than speculative injury before filing suit," said Kramer, Acxiom's attorney.

But Chris Hoofnagle, a senior fellow at the University of California at Berkeley's law school who has been critical of Acxiom, thinks that the outcome might have been different if the attorneys had filed the suit in California. State law (AB1950) requires businesses that own or license personal information about Californians to "implement and maintain reasonable security procedures."

"I would hope that one could think of more causes of action other than identity theft and negligence," Hoofnagle said.

Levine's was not the first prosecution to stem from the security practices on Acxiom's FTP server. An Ohio man named Daniel Baas previously pleaded guilty to illegally entering Acxiom's FTP site. That investigation led federal police--including the FBI and Secret Service--to Levine, according to the Justice Department.

October 10, 2006

Guidelines for State Trial Courts Regarding Discovery of Electronically-Stored Information

Guidelines for State Trial Courts Regarding Discovery of Electronically-Stored Information, Conference of Chief Justices, Approved August 2006.

Is this the first government blog? I doubt it, but they can't be that common yet...

October 11, 2006

FTC Launches Blog in Advance of Upcoming Tech-Ade Hearings

Press release: "The Federal Trade Commission is hosting a blog to provide information and a forum for feedback about its public hearings on "Protecting Consumers in the Next Tech-ade," to be held November 6-8, 2006, in Washington, DC. The public hearings will examine how evolving technology will shape and change the habits, opportunities and challenges of consumers and businesses in the coming decade, and will feature experts from the business, government and technology sectors, consumer advocates, academicians, and law enforcement officials."


October 11, 2006

New Coalition Website Takes Aim Against Cybercrime

Launched today, the Take a Byte Out of Cybercrime website: "Led by the beloved McGruff character, the National Crime Prevention Council, the CMO Council and FAME have joined forces to bring together one of the largest and most influential coalitions of private and public companies whose primary goal is to teach millions of consumers how to identify, report and protect themselves against cyber crime." [download the tip sheets]

I think this points out a potentially serious problem. How can government get by network filters to inform us of danger? (“There is a man with a gun in your building...”) Similar to “reverse-911” calls.

When You Can't Tell The Phishing Emails From The Legit Ones, Just Ignore Them All

from the smart-security dept

Phishing is a common way for criminals to try and steal people's passwords or other personal information, and it depends on phishers crafting emails and fake sites that look enough like the real thing that people will willingly surrender their information. Banks and authorities are obviously aware of phishing, but that doesn't stop them from undermining their online security efforts, as well as their online products, by sending out legit emails that look like phishing attempts. The latest instance sees some British cybercrime police attempting to notify more than 2,000 people in the country that their personal information, including credit card numbers, had been stolen. They get an A for effort, but an F for execution, since they're letting people know by sending them an email, and asking them to get in touch -- which plenty of people aren't doing, because it sounds an awful lot like a phishing scam. The rise of phishing has made consumers loath to trust anyone they don't know from whom they receive emails asking for contact or personal information -- and rightly so. But if banks and authorities are going to tell people that's the right thing to do, they shouldn't be at all surprised when their emails go ignored as well.

Another tool for displaying your expertise?

Announcing The Techdirt Insight Community -- Bringing Together The Smartest Bloggers Around To Provide Their Insight To Businesses

from the something-new dept

We may be a bit slow in posting today, as we're at the Office 2.0 conference to announce our new Techdirt Insight Community. Over the past few years, we've seen an amazing growth in smart, insightful bloggers, who really know their market, and provide great opinions and analysis about a variety of topics on their blogs. At the same time, through our Techdirt Corporate Intelligence service, we've heard about how companies are really looking for good, fast and honest insight and analysis, while also trying to get a better grasp on what the blogosphere has to say about things. However, rather than just monitoring them or bombarding them with press releases, we believe there's an opportunity to bring together the smart bloggers into a community to help provide directed, confidential insight to companies.

Companies sign up to engage the Techdirt Insight Community to raise issues, get feedback, test ideas, review products, make strategy suggestions, help with purchasing decisions or any number of other services that require a dedicated group of experts. We take those issues and alert a group of qualified bloggers, who then can respond within our system. Techdirt analysts then review the responses, and deliver them back to the company. So, rather than setting up a focus group or hiring an expensive analyst firm for their input, companies get a wide variety of perspectives and insights very quickly, and can act on it. The company can also open up the discussion among those bloggers to get second and third-level analysis as they each respond to each other's analysis. In order to focus on honest responses, initially communication uses a double-blind anonymous system, so that people feel they can speak honestly and openly, and companies get the feedback they need to hear. There will, however, be additional opportunities to get like-minded bloggers together on various projects for companies. The service is already in beta testing with a variety of customers and bloggers, and you can see case studies with VeriSign and SAP here. If you are a blogger who regularly blogs about certain industries or technologies, please sign up to be considered for the community. If you represent a company that wants to get the perspectives of a group of very smart bloggers, please contact us to see about joining our beta program. Or you can just read more at the Techdirt Insight Community website.

What a great idea! (That's sarcasm people.)

New Surveillance Technology Monitors The Invisible

from the detection dept

There's little doubt that surveillance cameras are becoming increasingly ubiquitous, and that there's really no such thing as privacy in public. But monitoring images visible to the naked eye may one day look quaint compared to the next generation of surveillance technologies. One company is developing a new technology that uses UV rays to detect trace amounts of illegal substances on objects, like door handles. So, a cop walking through the hallway of an apartment building could quickly zap each door handle to get an idea of who might be in possession of illegal narcotics. You can probably imagine many different applications of this technology, like streetlights that can tell what drivers had alcohol touch their lips that night. The question isn't whether this technology is bad or good, it's whether it can be used without being abused. At the moment, the courts have ruled against the use of drug-monitoring technology without a warrant, but it's not like nobody ever ignored the law before. And please, don't bother with the argument "If you have no drug residue on your door handle, then you have nothing to hide."

I'm sure someone (perhaps the French?) will try this. Think of it as techno-balkanization.

The Internet Is The Internet Because Of The Inter Part

from the just-saying dept

The original idea of the internet is that it connected all of these networks. Hence the "inter-" part. However, as it's grown up, and we've seen things like China's "Great Firewall" and other countries trying to limit aspects of the internet, there's an increasing fear that the internet will get broken up into a series of separate networks, often country-based. It's certainly possible (if not likely), but it's not clear that it should really be a huge concern. Cutting yourself off from the larger internet seems like a strategy that's destined to cause problems long-term for those who choose to separate themselves from the larger network. Just like globalization is a pretty much unstoppable trend, so is a connected internet. You can cut yourself off from the world, but it doesn't make much sense to actually do so. It does a lot more damage to those who cut themselves off than to the rest of the network -- and should eventually lead to pressure to reconnect to the larger internet. Countries smart enough to recognize that they need to trade with the rest of the world, should also realize that communications networks are a part of that process and are unlikely to completely cut themselves off.

Imagine how long it would take to review all possible features of an operating system or to play every possible chess game.

Judge And Jack Thompson To Play Bully -- Will It Convince Them To Shoot Up A School?

from the just-wondering dept

As lawyer Jack Thompson continues his mission against video games, it was never clear why he felt the Take Two Interactive/Rockstar Games were required to give him early access to their latest game, Bully. However, he seems to have convinced a Florida judge, who has required that the game be played in its entirety in front of her and Thompson, so they can determine if it violates public nuisance laws. How a video game that is played in private can violate public nuisance laws is not entirely clear -- but apparently the judge will determine that over the next few days. Of course, every single review notes that the game is more social satire/humor than anything really violent -- but Thompson refuses to believe that's possible. However, if Thompson is so convinced that these games inspire people to go shoot up schools, shouldn't we be worried that he'll be inspired by the game to shoot up a school himself?

Clearly Google will replace schools in the next few years. Why go to school when you can stay home and play on the computer?

Teacher's helper

10/11/2006 10:33:00 AM Posted by Cristin Frodella, Product Marketing Manager

Create picture collages of famous Americans with Picasa. Find out what Virginia newspapers had to say about the Civil War in 1862 with Google News Archive Search. Check out the pyramids in Egypt with Google Earth, and then build your own with SketchUp.

We’ve been hearing about some pretty cool assignments from classrooms across the U.S. where teachers at all grade levels are using Google products to bring history lessons to life, illuminate new sources of information, and encourage sharing and collaboration. What we’ve also heard loud and clear is that teachers want more information about using Google products, and more connections to other educators who are using the web creatively. This is why we’ve launched a set of resources for K-12 educators today at the new Google for Educators site. Here you'll find teachers’ guides for 12 Google products, including basic information about each, examples of how educators are using them, plus lesson ideas. We’re also offering some additional multimedia content, including lesson plans and videos from Discovery Education that use Google Earth and SketchUp, and a series of podcasts at Infinite Thinking Machine on innovative ways to use the web in the classroom.
