IBLS Speaker's Corner

Could you share your experiences and information regarding the regulations for export and import through e-commerce?

IBLS Editor — Fri, 16 May 2008 20:03:00 GMT

A working group on e-commerce was established to guide the public authorities adjust the legislation especially regarding the foreign trade in Turkey. Our purpose is to review legislation related to exports and imports through e-commerce, to facilitate the practices in customs relating to electronic commerce and to foster cross-border trade conducted on the internet. Our working group's agenda covers international retail sales in e-commerce (consumer-to-consumer-C2C, business-to-consumer-B2C and consumer-to-business-C2B). We kindly ask you to share your experiences and information regarding the regulations for export and import through e-commerce. If you have such a regulation on e-commerce in your foreign trade legislation in your country we would be happy to hear from you about the legislative information.

Turkish Prime Ministry.

Does the US CAN-SPAM Act Preempt Spam-Related State Regulations?

IBLS Editor — Wed, 14 May 2008 16:59:00 GMT

Decisions in several United States ("US") federal cases suggest that the US CAN-SPAM Act does not preempt spam-related state regulations. State universities and other government institutions across the US have implemented anti-spam policies and adopted spam-blocking systems. Spam-blocking systems are commercial or specifically-designed software developed to block unsolicited commercial e-mails. Blocking spam has not been considered a violation of the Freedom of Speech under the US Constitution. Further, some private networks, following their in-house IT policies, may inadvertently provide differential treatment when blocking unsolicited e-mails. This differential treatment of spam has not been considered a violation of the Equal Protection clause. These three issues, the preemption clause of the CAN-SPAM Act, the First Amendment Freedom of Speech, and the Equal Protection Clause, have been considered in the context of state anti-spam actions.

The Parties & Facts

White Buffalo Ventures, LLC v. Univ. of Tex at Austin, (2004) is an example of how federal courts have dealt with the issue of differential treatment of spam by private networks. In Buffalo, the University of Texas, the defendant, had internal anti-solicitation and anti-spam policies that required blocking spam. Yet, some spam reached the students and faculty school e-mail addresses. This circumstance was caused by imperfections in the spam-blocking system, school officials claimed. E-mails sent to utexas.edu were stored on computer servers owned and operated by the University of Texas. The school used commercial spam filters that triggered an alarm when a large amount of e-mails come from one IP address. Sometimes the filters did not alert of spam but faculty of students raised spam complaints.

White Buffalo Ventures, the plaintiff, was a commercial enterprise that promoted its website to members of the University of Texas by sending unsolicited e-mails to them (allegedly, over 55,000 unsolicited e-mails were sent). The University of Texas added a filter to its spam-blocking system to stop spam from White Buffalo Ventures, after the school had amicably requested White Buffalo Ventures to stop its spam practice. Consequently, White Buffalo Ventures filed a lawsuit against the University of Texas at Austin.

The Complaint

In its complaint, White Buffalo Ventures sought to enjoy the U. of Texas from blocking White Buffalo's massive e-mails because, plaintiff argued, it violated its Free Speech rights under the First Amendment and Equal Protection rights under the Fourteenth Amendment to the US Constitution. Additionally, the spammer plaintiff complained that the U. of Texas could not block its unsolicited e-mails under the US CAN-SPAM Act (15 U.S.C.S. 7701 et seq) for two reasons. First, the plaintiff contended that its unsolicited e-mails complied with the CAN-SPAM Act. Second, Plaintiff claimed that CAN-SPAM, a federal law, preempted any state from regulating unsolicited electronic e-mails; including the school anti-spam policy. Plaintiff argues that no state can place further limitations on unsolicited e-mail beyond those established by CAN-SPAM.

The Law

The US Constitutes guarantees Freedom of Speech under its First Amendment, and Equal Protection of the Law under its Fourteenth Amendment. Extensive case law establishes the requirements to successfully claim violation of any of these Constitutional rights.

The US CAN-SPAM Act of 2003 was enacted to deal with the challenge posted by spamming practices. It prohibits sending deceptive or misleading information to promote businesses; using deceptive hearings in commercial e-mails; and sending e-mails after the recipient has indicated that it does not want to receive more e-mails. It also requires senders to include return e-mail addresses in their e-mail messages.

Section 7707(b)(1) of the CAN-SPAM says: [this law] "supersedes any statute, regulation, or rule of a State or political subdivision of a State that expressly regulates the use of electronic mail to send commercial messages, except to the extent any such statute, regulation, or rules prohibits falsity or deception in any portion of a commercial mail message or information attached thereto."

The Court's Decision

Regarding plaintiff's interpretation of CAN-SPAM Act (that it preempts any state action), the court admitted e-mail communications, as per the US Congress interpretation, are inherently interstate in nature. Hence, the Court reasoned, the plaintiff ignores Congress' acknowledgment of the CAN-SPAM Act limitations as stated in §7701(a)(12): "the problems associated with the rapid growth and abuse of unsolicited commercial email cannot be solved by Federal legislation alone." "The "development and adoption of technological approaches… will be necessary as well."

More importantly, this District Court clarified that within the CAN-SPAM preemption rule, Congress introduced a commentary affirming that the Act does not preempt application of state laws, not specific to e-mails, like contract, torts, trespass, computer crimes, and fraud. The court directly quoted the following section from CAN-SPAM: [the Act should not be] "construed to have any effect on the lawfulness or unlawfulness, under any other provision of law, of the adoption, implementation, or enforcement by a provider of Internet access service of a policy of declining to transmit, route, relay, handle, or store certain types of electronic mail messages." 15 U.S.C. § 7707(c)."

Regarding the First Amendment claim, the court held that the U. of Texas had asserted substantial government interest in protecting its network from spam. Indeed, the U. of Texas had substantial interest in protecting the productivity of its faculty and students by blocking unsolicited messages. This decision was rendered under the precedent in Commercial Hudson Gas & Electric Corp. v. Public Service Commission and without deciding whether a university Internet network constitute public forum.

In reference to the Equal Protection claim, the court held the plaintiff did not prove that spam from White Buffalo Ventures was treated differently than spam from other sources. The U. of Texas had a policy requiring blocking 'all spam' but due to 'imperfections' in the system some spam were not blocked. The U. of Texas proved that it blocked all spam that was brought to their attention, including White Buffalo Ventures' spam, of which faculty and student complained.

Do Internet Licenses Constitute a 'Possession' under Art. 1 of the EU Convention on Human Rights?

IBLS Editor — Wed, 14 May 2008 04:09:00 GMT

Yes, according to a recent decision by the European Court on Human Rights, Internet licenses constitute 'a possession' under the meaning of article 1 of the European Union ("EU") Convention on Human Rights. This decision was rendered on April 8th, 2008, when the Government of Moldova arbitrarily invalidated 2 Internet licenses held by a Moldovan company- supposedly the biggest Internet company in that country. After being defeated in the national courts, the Moldovan company filed a complaint before the European Court on Human Rights alleging violation of art. 1 of the Convention on Human Rights; and this Court has finally ruled on its favor. Following, there is a brief recount on this interesting EU/internet related case.

The parties to these proceedings before the European Court on Human Rights are the Government of Moldova- as defendant - and Megadat.com- as plaintiff. Megadat.com was a Moldovan company, incorporated and operating within the territory of Moldova, and holder of 2 Internet licenses whose expiration dates were April and May 2007. It is alleged that Megadat.com held over 70% of the Internet service in Moldova.

In 2002, Megadat.com moved its headquarters offices and informed the respective Moldovan Tax and State Registration Chamber authorities; yet, it failed to inform the Internet national regulatory agency as it was required by this agency's administrative rules. The regulatory agency rules required that holders of Internet licenses communicate any change of address within the following 10 days of the change.

On September 2003, the government Internet agency cited 91 companies, including Megadat.com, and warned them to pay annual registration fees and/or inform this agency of any change of address within 10 days, or they could face suspension of their Internet licenses for up to 3 months. Megadat.com received this letter on September 24th, 2003, and immediately sent the change of address notification. Hence, on October 2003, the Internet agency questioned Megadat's office lease and requested additional documents, and without providing additional time for submission of the requested documents, the Internet agency invalidated Megadat's Internet licenses. Megadat's company was closed, its assets were taken, and its Director arrested for a pacific-silent protest. A year later, the agency rules were modified and it required a waiting period of 6 months for those companies whose licenses were invalidated and that were seeking to re-apply.

After unsuccessful legal attempts before national courts, Megadat filed its complaint before the European Court on Human Rights. As legal basis, Megadat argued that invalidation of its Internet licenses constituted violation of art. 1 of the First Protocol of the Convention on Human Rights because its Internet licenses were possessions under this article. Additionally, Megadat argued that invalidation of its licenses was an unjustified and disproportionate action and it was not justified by any policy consideration. In fact, Megadat proved that other companies cited were merely suspended and their licenses were not invalidated and that the law was suspiciously changed after its license was invalidated.

Art. 1 of the Convention on Human Rights says:
"Every natural or legal person is entitled to the peaceful enjoyment of his possessions. No one shall be deprived of his possessions except in the public interest and subject to the conditions provided for by law and by the general principles of international law.

The preceding provisions shall not, however, in any way impair the right of a State to enforce such laws as it deems necessary to control the use of property in accordance with the general interest or to secure the payment of taxes or other contributions or penalties."
After lengthy arguments from both parties, the European Court on Human Rights held that it was undisputed that the company's Internet licenses constituted a possession for the purposes of art. 1 of the Protocol 1 to the Convention on Human Rights and that the invalidation of the license constituted interference with the right to the peaceful enjoyment of possessions guaranteed by art. 1 of Protocol 1 to the Convention. Yet, invalidation of the Internet licenses, the Court said, was not a deprivation of possession according to the second sentence of art. 1 but a measure of control of use of property, which deserved analysis under the second paragraph of the art. 1.

The Court considered that the measures taken by the Government of Moldova were disproportionate. The government knew the new address of the company (its citation was directed there) and it had not problem in communicating with the company at its new address. The court also pointed the irregularities it found in this case like the fact that the Internet agency had issued a third license to Megadat with the 'old address' on it despite Megadat's information about the new address; the denial of time to provide the additional documents requested; the abrupt change on the re-application procedures; and the extremely harsh consequences to whish Megadat was subject (contracts cancelled, forced to sale assets in short term, and additional tax sanctions).

Thus, the Court held that there was a violation of art. 1 of Protocol 1 to the Convention on Human Rights when the Government of Moldova invalidated these two Internet licenses.
The European Convention of Human Rights is definitely a legal tool being used by counsels on Internet and privacy related issues in the European Union when domestic laws cannot properly address their legitimate controversies.

Copyrighted Material v. University-Provided Digital Copies

IBLS Editor — Mon, 12 May 2008 23:56:00 GMT

This could be one of those IP-IT (Intellectual Property- Information Technology) land-marking cases in the United States ("US"): Oxford University Press, Cambridge University Press, and SAGE Publications, supported by the Association of American Publishers (hereafter "the Publishers"), have sued Georgia State University ("GSU") for copyright infringement. The Publishers claim GSU is infringing upon their copyrights by providing digital copies of the Publishers' courses to GSU students.

The Publishers filed this copyright infringement lawsuit in a US District Court in Atlanta. The Publishers argue that GSU allows its faculty to upload copyrighted material in what the school calls "course packs." Course packs contain six-months reading material for the students and can be accessed electronically. The Publishers claim the GSU faculty does not obtain permission to upload their copyrighted work in this electronically-accessed library. Students get the course material 'without ever setting foot in a bookstore or spending money for them,' the publishers' complaint states. The Publishers are only demanding GSU to cease its practice; they are not seeking monetary damages.

Is this case covered by the 'fair use' doctrine? 17 U.S.C. § 107 establishes a list of cases in which reproduction of a particular work is 'fair' under the law. Indeed, reproduction for news reporting, teaching, scholarship, education, and research purposes may be considered 'fair use' under § 107 of the US Copyright Act. Section 107 also establishes four factors to determine whether reproduction of a particular work is fair under the law. These factors are: (1) whether the purpose of the reproduction is commercial in nature or it is for nonprofit educational purposes; (2) the nature of the copyrighted work; (3) 'amount and substantiality of the portion used in relation to the copyrighted work as a whole'; and (4) 'the effect of the use upon the potential market for or value of the copyrighted work'.

The Publishers found, and stated in their complaint, that GSU copied large excerpts from multiple copyrighted works and a great number of chapters from the publishers' books. They found over 6,700 works listed in GSU's electronically-accessed library and available for over 600 school courses.

Thus, the critical analysis in this complaint may be centered in factors 3rd and 4th above. Is the amount of the GSU copied material protected by the 'fair use' doctrine? And what is the effect of the GSU's action upon the Publishers' potential market? These are important questions and common to many other educational institutions that provide 'electronic-libraries.' Referring to the issue of the fair use doctrine, the Attorney for the publishers said that payment of permission fees for the use of the copyrighted works by GSU is not going to affect the legitimate exercise of the fair use doctrine. In fact, "To the contrary, it will in fact ensure that those works continue to be produced and available to current and future generations of students."

The decision in this case will establish a relevant precedent to a widely-used system in American schools: E-reserves. E-reserves are those digitally-kept library systems that allow students to download or simply read assigned course materials without having to buy a specific text book. Some schools and universities using this system obtain legal permission from publishers before indexing any copyrighted material in their E-reserve system. Others do not seek permission to reproduce and make these works electronically accessible to their students without any legal permission or compensation.

The closest case found in the American jurisprudence is found in Basic Books v. Kinkoʼs Graphics Corp. (1991). In this case Basic Books, a text book publisher, sued Kinkos for copyright infringement for Kinkos' sale of 'coursepack' systems. The court in this case held that Kinkos was required to obtain permission from the text publisher and pay the appropriate fees for those courses used in their 'coursepack' product. Indeed, the court said that copying a whole chapter is "quantitatively" and "qualitatively substantial" under the US Copyright Act. Yet, the difference between Kinkos and the GSU case is that Kinkos is not an educational institution and it does not seem to fit in any of the exempted fields listed in § 107 of the Copyright Act.

The European Convention on Human Rights & Minors' Right to Privacy in UK

IBLS Editor — Mon, 12 May 2008 23:53:00 GMT

The Civil Division of a United Kingdom ("UK") 'Court of Appeal' decided on May 7th, 2008, that a complete trial must be conducted on the issue of right to privacy, under the EU Convention on Human Rights and Data Protection Act of 1998, for a minor whose photograph was published without parental authorization. This is article informs on this recently-decided UK case and the interesting use of the European Convention on Human Rights rules to protect the privacy of a minor.

Murray v. Express Newspapers plc, Et. (EWCA Civ 446 (2008)) is a case recently decided by the Civil Division of the UK 'Court of Appeal.' Plaintiffs are the famous parents of a minor child who was photographed without their parents consent and whose photograph was published by one of the defendants to this complaint. The child mother is Mrs. Joanne Murray, author of the well known series of Harry Potter. There are two defendants to this complaint, one is the photographer who took the picture of the minor and his parents; and the other defendant is the newspaper that published this picture. The newspaper settled with the plaintiffs and the case continued against the photographer.

Plaintiff alleged that one of the defendants took a non-authorized photograph of the minor (when the minor was over 1 year old) and the second defendant later published this photograph in a local newspaper, all without parental consent. The photograph was taken in a public street and "It showed him [the minor] being pushed along in a buggy by his father with his mother walking alongside." It is well stated in the record that the famous mother/plaintiff zealously protects her privacy and keeps her family outside the public eye. Indeed, the complaint affirms that the mother never takes her children to public events.

Plaintiff sought an injunction to restrain further publication of this photograph or any other minor's photograph without the parents' consent. They claim the minor has the right to privacy under Article 8 of the European Convention on Human Rights and, as alternative relief, they claim protection under the UK Data Protection Act 1998.

The Judge ruled for the defendants and the plaintiffs appealed. The judged framed the legal question to be decided as whether a minor, who was not a public figure himself but the son of a public figure, was entitled to protection from being photographed in a public place, even though the photograph has nothing embarrassing or untoward but contains a mere family scene with the minor parents.

The judge decided this question by holding that the facts of this case were not sufficient to bring a claim under article 8 of the European Convention on Human Rights. Indeed, the judge said, the publishing defendant was entitled to freedom of speech under article 10 to the Convention on Human Rights. Further, the judged held that there was not expectation of privacy in this case by saying: "I start with a strong predisposition to the view that routine acts such as the visit to the shop or the ride on the bus should not attract any reasonable expectation of privacy."

On appeal, plaintiff's arguments prevailed. The Court of Appeal reversed the decision and ordered that a complete trial be conducted.

The Court of Appeal held that, subject to the facts of this case, the law should protect children from 'intrusive media attention.' Children have a reasonable expectation of privacy that they would not be targeted by the photographers in public places. After establishing that children have the right to claim reasonable expectation of privacy, the court said, a balance should be reached between the child's right to respect for his private life under article 8 of the Convention on Human Rights and the publishers' right of freedom of expression under article 10 of the Convention.

Then, depending on the decision of whether article 8 to the Convention applies, the trial court may consider whether the claim under the Data Protection Act 1998 should be entertained. In fact, if the court decides that article 8 of the Convention triumphs article 10; then the trial court will have to consider whether the publishers' processing of the minor's photograph constitutes the processing of unlawful personal data.

The Court of Appeal considered that the judge of first recourse centered its analysis on the famous parents' right rather than on the minor's rights. The Court of Appeal said this was a claim filed by the parents on behalf of their minor son to protect the rights of their son. It was not a claim from the parents to protect their right to family privacy.

As per this decision on May 8, 2008, and if the parents and defendant do not reach any out-of-court agreement, this case will go to trial; if it does, once decided it could be a great precedent on the application of the Convention on Human Rights and the UK Data Protection Act 1998.

Can Expedited Discovery be Applied to Obtain Information from ISPs?

Martha L. Arias — Wed, 07 May 2008 19:03:00 GMT

U.S. Federal Rule of Civil Procedure ("Fed. R. Civ. P.") 26(d) and (f) requires parties to a lawsuit to confer before any discovery can be conducted. Yet under precedent decisions, some previous to the enactment of Fed. R. Civ. P. 26, U.S. courts may conduct expedite discovery upon a showing of good cause. Can this expedited discovery be applied to obtain information from Internet Service Providers? Arista Records LLC. v. Does 1-4, (M.D. Ga. Feb. 25, 2008) addressed the issue of expedited discovery to obtain information from Internet Service Providers ("ISP") in a P2P copyright infringement. Following, you may find an answer the above question.

In Arista Records LLC. v. Does 1-4 (hereafter "Arista Records") a Michigan District Court granted expedited discovery, as requested by plaintiff, to obtain information about the defendants from the ISPs.

Plaintiffs were members of the music record industry that filed a copyright infringement action against four unknown defendants. Plaintiffs argued that the unknown defendants used P2P (Peer-to-Peer) file sharing to download or distribute plaintiffs' copyrighted music. Plaintiffs were able to identify the computers used to commit the infringement by tracking the Internet Protocol ("IP") address that is commonly assigned to each computer. The ISP in this case was Michigan State University. Plaintiffs filed a motion to leave and take immediate discovery under Fed. R. Civ. P. 26 and 45 (including subpoena to the ISP). Plaintiffs intended to obtain the identity of the four defendants based on the IP addresses available. Plaintiffs concretely requested information on the defendants' names, current and permanent addresses, phone numbers, e-mails, and Media Access Control address.

The Michigan District court granted plaintiff's motion to leave and take immediate discovery. The court based its decision on case law from other jurisdictions that authorized courts to conduct expedite discovery for good cause. The Michigan court specifically cited to In re Paradise Valley Holdings, No. 03-34704, 2005 WL 3841866 (Bankr. E.D. Tenn. Dec. 29, 2005) and Whitfield v Hochsheid, No. C-1-02-218, 2002 WL 1560267 (S.D. Ohio 2002). Additionally, the court said: "A number of district courts have found good cause to permit expedited discovery where the recording industry has IP addresses for individuals who have illegally distributed or downloaded music, but do not have the name of the person whose computer was assigned that address."

The Michigan court held that good cause is found upon: "(1) allegations of copyright infringement, (2) the danger that the ISP will not preserve the information sought, (3) the narrow scope of the information sought, and (4) the conclusion that expedited discovery would substantially contribute to moving the case forward."

Further, the Michigan court acknowledged that expedited discovery had been denied by other courts in cases involving petitions for subpoena to ISPs. In most of those cases, denials were based on the Cable Communication Policy Act ("CCPA") and The Digital Millennium Copyright Act (DMCA).
Thus, it seems that US courts favor expedited discovery, including request for subpoena to ISP, in copyright infringement cases. The four-prompt test used by the Michigan court can be a good tool for those seeking expedited discovery. On the other hand, opposing parties can resort to the DMCA and the CCPA, the US Privacy Act, and similar laws to support their arguments against expedited discovery involving ISPs.

NY Libel Terrorism Protection Act 2008

IBLS Editor — Wed, 07 May 2008 16:51:00 GMT

A new law has been enacted by the New York Congress and signed into law by Governor Paterson designed to protect American journalists and authors from foreign lawsuits that disregard First Amendment rights. New York State enacted the "Libel Terrorism Protection Act" (S.6687/A.9652), on March 31, passed by the state's Assembly and Senate unanimously. Upon signing the Bill, Governor Paterson said, "New Yorkers must be able to speak out on issues of public concern without living in fear that they will be sued outside the United States, under legal standards inconsistent with our First Amendment rights. This legislation will help ensure of the freedoms enjoyed by New York authors." The new law has important implications for Internet publications and the laws of Defamation. The bill was sponsored by Assemblyman Rory Lancman (D-Queens) and Senate Deputy Majority Leader Dean G. Skelos (R-Rockville Centre).

The legislation is also known as Rachel's Law after Dr. Rachel Ehrenfeld, an Israeli-American terrorism scholar and globally recognized counter-terrorism authority. The law was drafted and passed after Dr. Ehrenfeld's was sued regarding a book she had written, called "Funding Evil: How Terrorism Is Financed and How to Stop It." The tome identified Khalid bin Mahfouz, banker to the Saudi royal family and one of the wealthiest men in the world, as a leading terrorism financier.

The Act is a direct countermeasure against what some have named “Libel Tourism,” in which a person who feels they have been defamed goes not where the statements occurred, but instead to the country that has the most liberal defamation laws to file their case. This has caused many problems, and called into question whether such law can be applied fairly between regimes. For instance, the United States has very liberal laws regarding Free Speech, whereas Great Britain frames defamatory acts much more narrowly. So if a person who publishes in America can be sued in England, the plaintiff stands a much better chance of triumphing, especially when bearing in mind how the Internet has complicated the definition of “publication.”

Dr. Ehrenfeld's book made several claims regarding the banker, such as claiming, “As far back as 1996, French, British and US intelligence believed bin Mahfouz had erected a banking system to benefit Osama bin Laden.” Also, “Bin Mahfouz's bogus Muwafaq (Blessed Relief) "charitable foundation" fronted for several other terror groups, including Makhtab al-Khidamat, al Qaeda, Hamas and Abu-Sayyaf. The "charity's" head was Yassin al-Qadi, later designated by the State and Treasury Departments as an international terrorist.” It was these statements that caused Mahfouz to sue Dr. Ehrenfeld.

Despite there having been only a handful of copies of the book sold in the U.K., Mahfouz sued Ehrenfeld under Britain's easy-to-prove Defamation regime, and won. Britain's High Court ordered Ehrenfeld to pay over $225,000 in damages and legal fees to Bin Mahfouz, apologize and destroy all copies of her books. But instead of paying, in November 2006, Dr. Ehrenfeld went to get a U.S. federal court order to protect her constitutional rights. Dr. Ehrenfeld filed suit in the U.S. in Ehrenfeld v. Mahfouz, which moved to New York State's highest court. The NY Supreme Court ruled it could not protect Dr. Ehrenfeld from the British lawsuit filed by the Saudi billionaire.

Th New York Court of Appeals ruling surprised many analysts and alarmed publishers, authors, news groups and many online websites. The New York court ruling would have undermined U.S. journalists' ability to write upon terrorism, as it effectively ruled the court lacks jurisdiction to protect Americans, on U.S. soil, from foreign court defamation judgments that legally contradict the First Amendment to the United States Constitution. It was after this that New York decided it must pass a new law to fight the danger of foreign government and courts defining U.S. Law.

The pertinent part of the law is section 8, that states the law of any foreign regime must give at least as much free speech rights per defamation as the NY & U.S. Constitutions afford:

THE CAUSE OF ACTION RESULTED IN A DEFAMATION JUDGMENT OBTAINED IN A JURISDICTION OUTSIDE THE UNITED STATES (cannot be held as binding), UNLESS THE COURT BEFORE WHICH THE MATTER IS BROUGHT SITTING IN THIS STATE FIRST DETERMINES THAT THE DEFAMATION LAW APPLIED IN THE FOREIGN COURT`S ADJUDICATION PROVIDED AT LEAST AS MUCH PROTECTION FOR FREEDOM OF SPEECH AND PRESS IN THAT CASE AS WOULD BE PROVIDED BY BOTH THE UNITED STATES AND NEW YORK CONSTITUTIONS.

On the Bill's import, Manhattan District Attorney Robert M. Morgenthau said: "Terrorism and terrorist financing are matters of vital interest to all New Yorkers, in no small part because New York City remains a target of significance for international terrorists. New York authors must have the freedom to investigate, write and publish on terrorism and other matters of public importance, subject only to limitations that are consistent with the U.S. Constitution. This legislation will help to ensure such freedom."

Beijing Puts First-Ever Piracy Criminal in Jail

IBLS Editor — Wed, 07 May 2008 13:28:00 GMT

After promising for years to start cracking down on rampant piracy, a Chinese court has now handed down a one-year jail sentence to a Beijing man for selling fake DVDs. This marks the first time a person in the Capital has been convicted and sentenced to prison for the crime of theft of intellectual piracy, according to the Chinese Xinhua news agency. The pirate is Zhou Cheng, 40, who was also fined 10,000 yuan ($1,430) for selling illegally-mastered DVDs at a store in Beijing's Chaoyang district where authorities found 10,000 illegally copied discs. China is the world's biggest source of pirated goods.

The West has long been exasperated by the lawless nature of the Intellectual Property Rights regime in the world's most populace country. When in China, it is common to find a myriad of faked goods from designer handbags to computer software sold on street corners, in markets and in higher-end shopping areas. The country has been struggling to take a stand against intellectual property piracy, which has been a top priority for Beijing ahead of the upcoming Olympics in August. Washington filed a WTO complaint in April 2007, stating Beijing was violating its trade commitments by failing to stop piracy.

The top court in China has made easier prosecution of those discovered manufacturing or selling fake goods, by lessening the amount needed for conviction. Now, anyone making 500 or more faked copies of movies, CDs, software or other copyrighted items can receive up to seven years in prison. Also, a China has created a tip program to reward those who turn in pirates, and these informants will be paid 100,000 yuan or almost $15,000. A hotline has been setup for citizens to snitch on copyright violators and also an email address for residents to send in names.

The law covering Copyright protection is broadly covered by the Act: Implementing Regulations of the Copyright Law of the People's Republic of China, in Article 47. This says:

Audio and video recordings produced and distributed in the territory of China by foreign producers shall be protected by the Law.

The punishment for copyright violation is found in: CHAPTER VI, Administrative Sanctions Article 50. This states:

Infringements against copyright shall be liable to the administrative sanctions to be imposed by copyright administration departments in the form of warning, injunction in relation to the production and distribution of infringing copies, confiscation of unlawful gains and seizure of infringing copies and equipments used for making infringing copies, as well as fine.

The related fines involved are found in Section 51, and can run anywhere from 100 to 100,000 yuan in RMB.

But faux DVD's are just the tip of the iceberg, as China’s piracy economy is bigger than almost any foreigner can imagine. There is a robust and growing industry of fake motorcycles, cars, designer clothing, cell phones and every conceivable electronics product. In China, even items that would not immediately strike the imagination as profitable to fake are copied, such as razor blades, toothpaste and drugs. And the copycats are done so well they are normally indistinguishable from the original. Analysts believe piracy contributes a third to China’s GDP.

But the Government is showing a different face ahead of the Olympics. Yi Xintian, a spokesman for the State Intellectual Property Office said, "The Chinese government has taken concrete steps and its success is there for all to see. We are extending comprehensive and strict protection to Olympic intellectual property. The Chinese government has the resolve and capability to make sure that during the Olympic Games we create a favorable climate for intellectual property."

Obviously there are some in the Chinese Government who are reluctant to crackdown on an industry that needs almost no influx of research and development funding, and produces a massive return. But China will realize that the rewards of protecting Intellectual Property are greater than those for lawlessness for an up and coming economy like China.

Does US Patent Law have Extraterritorial Application?

Martha L. Arias — Mon, 05 May 2008 17:26:00 GMT

The US Patent Act (title 35 U.S.C) is the legal framework for patent protection in the US. The US Patent Act § 101 defines what is patentable in the US: "Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefore…" Section 271 of the US Patent Act sets the requirements for a valid cause of action on patent infringement. Within section 271, literal (f) is one of the ones raising controversy because §271(f) seems to invite for extraterritorial application. This article analyses § 271(f) of the US Patent Act in light of its most relevant court interpretation in AT&T v. Microsoft.

The US Congress enacted section 271(f) after the decision on Deepsouth Packing Co. v. Laitram Corp. In this case, defendant, a US corporation, was accused of patent infringement under the US Patent Act. Yet, defendant was not found liable of patent infringement because even though it manufactured parts of the patented invention in the US, these parts were shipped overseas and assembled abroad. Thus, no real patent infringement occurred in the US because manufacturing 'parts' of a patented invention in the US did amount to infringement as long as the parts were not assembled in the US territory.

Currently section 271(f) states:

(1) " Whoever without authority supplies or causes to be supplied in or from the United States all or a substantial portion of the components of a patented invention, where such components are uncombined in whole or in part, in such manner as to actively induce the combination of such components outside of the United States in a manner that would infringe the patent if such combination occurred within the United States, shall be liable as an infringer.

(2) Whoever without authority supplies or causes to be supplied in or from the United States any component of a patented invention that is especially made or especially adapted for use in the invention and not a staple article or commodity of commerce suitable for substantial non-infringing use, where such component is uncombined in whole or in part, knowing that such component is so made or adapted and intending that such component will be combined outside of the United States in a manner that would infringe the patent if such combination occurred within the United States, shall be liable as an infringer."

A simple reading of § 271(f), may infer that manufacturing 'parts' of a patented invention for a later assembly abroad may constitute infringement under the US Patent Act. The next questions are how the US courts have interpreted the wording of § 271(f)? Have US courts taken steps in deciding on the extra-territorial application of the law or have they left this sensitive issue to the US legislator?

AT&T Corp. v. Microsoft Corp., (414 F.3d 1366 (Fed. Cir. 2005), cert. granted, 127 S. Ct. 467 (U.S. Oct. 27, 2006)) is the US case that concretely addressed the interpretation of § 271(f). AT&T was the holder of software patent 32,580 (a speech compression code). Microsoft shipped a 'master copy' of this compression code abroad for later installation in Microsoft computers manufactured in foreign countries. AT&T sued Microsoft for patent infringement under 35 USC § 271(f). AT&T alleged Microsoft violated § 271(f) of the US Patent Act by supplying the master copy of its patented product to different countries and by installing copies in Microsoft foreign assembled products.

Before the District Court, Microsoft alleged that the 'master copy' sent abroad were not a 'component' within the meaning of § 271(f) and the electronic transmission of the master copy abroad was just a mere 'intangible information' that could not amount to patent infringement under this section of the Patent Act. The District Court held for AT&T and ordered Microsoft to pay damages. Even though the damages issue was settled at this level, Microsoft reserved its right to appeal the District Court's interpretation of § 271(f).

On appeal, the court held that the master copy was a component within the meaning of § 271(f) because it was the actual software product that did not require further codification abroad. Regarding the supply issue, the court held that sending (transmitting) a master copy of the software abroad via electronically means constituted 'supply' within the meaning of the statute and as envisioned by the US Congress.

The Supreme Court granted certiorari on October 2006 and decided on April 30, 2007. Before the Supreme Court, Microsoft reiterated its argument that the master copy did not constitute a 'component' within the meaning of § 271(f) and that the electronic delivery of the copy did not constitute 'supply' under the same section of the Patent Act.

The Supreme Court held that the copies installed in computers assembled abroad were not 'supplied' by Microsoft 'from the US' according to the exact meaning of § 271(f). The Supreme Court held:

"Because Microsoft does not export from the United States the copies of Windows installed on the foreign-made computers in question, Microsoft does not “suppl[y] . . . from the United States” “com-ponents” of those computers, and therefore is not liable under §271(f)as currently written."

First, the Supreme Court held that the master copy, agreeing with Microsoft, is not a component as required by § 271(f). The Supreme Court's reasoning seems to suggest that an extra step or requirement is needed. A combination or codification in the case of software of the components is required for the infringement. "Combinable part of a computer; easy or not, the extra step is essential. Moreover, many tools may be used easily and inexpensively to generate the parts of a device. Those tools are not, however, “components” of the devices in which the parts are incorporated, at least not under any ordinary understanding of the term “component,”" the Court said.

Regarding the issue of 'supply' under § 271(f), the Supreme Court held that the copies installed in those foreign assembled computers were not shipped from the United States. Indeed, those copies were "supplied from outside the United States." The Supreme Court does not agreed with the Appellate court when it said that the act of copying is subsumed on the act of supplying.

Thus, judgment was reversed. Microsoft position prevailed under the shade of a legitimate argument against extra-territorial application of the US Patent Law. This is the Supreme Court's statement regarding extraterritorial application of § 271(f):

"Any doubt that Microsoft’s conduct falls outside §271(f)’s com-pass would be resolved by the presumption against extraterritoriality. Foreign conduct is generally the domain of foreign law, and in the patent area, that law may embody different policy judgments about the relative rights of inventors, competitors, and the public. Applied here, the presumption tugs strongly against construing §271(f) to encompass as a “component” not only a physical copy of software, but also software’s intangible code, and to render “sup-plie[d] . . . from the United States” not only exported copies of software, but also duplicates made abroad. Foreign law alone, not United States law, currently governs the manufacture and sale of components of patented inventions in foreign countries. If AT&T de-sires to prevent copying abroad, its remedy lies in obtaining and en-forcing foreign patents."

RECORD U.K. INTERNET LIBEL CASE YIELDS $200,000 AWARD

IBLS Editor — Mon, 05 May 2008 02:41:00 GMT

An executive in the British property sector has been awarded record Internet libel damages by a British court in one of the first-ever cases regarding online harassment by a business rival in the U.K. The recipient was Peter Walls 55, a social housing company chief executive at Gentoo Group. He won after it was proved he was scurrilously defamed while at his business Sunderland Nothern England. He received an award of $198,000. Walls explained to the judge how he, his staff and family were abused via Internet over a period of two years. Walls described the case as centering on a hate campaign which he called “a nightmare.” Walls' company, Gentoo Group Ltd, and several other unnamed people had already accepted almost 20,000 pounds in damages, previous to this case.

Wall's opponent at law was John Finn, who admits to being behind the offending website called “Dad's Place Publications” that posted false stories about Walls and fellow colleagues, ranging from charges of corruption and nepotism to the promotion of women employees in exchange for sexual acts. Finn had an interest in many properties in areas chosen for demolition and rebuilding by Gentoo. Finn agreed to pay £100,000, being the largest-ever Internet libel settlement in England.

Walls, his family and 30 Gentoo employees were subjected to "vicious and unpleasant anonymous, defamatory attacks," High Court judge David Eady was told. His house had to be fitted with police alarms after it was repeatedly attacked, while his paramour, Caroline, 40, and their children were gripped with fear for their safety.

The High Court was detailed as to how the website sustained a "malicious, unpleasant and relentless campaign of libel and harassment against Gentoo and various persons associated with it." Said Walls, "It has not just been a single time, it has been day after day and that has been very difficult to live with. It is terribly intimidating and frightening and I think the people that did this knew that."

The court was informed that the two-year harassment campaign began in April 2004 when John Finn, a prominent businessman and fierce competitor to Walls, created a site called "Dad's Place” via his company, Pallion Housing Ltd. Finn, a housing landlord then directed other persons to use the now-disabled website, its anonymous forum areas, and an associated newsletters to create and publish a multitude of false accusations, the court was told. The fake stories included one claiming Walls was a pedophile, another that he was a thief and corrupt, that he had hired assassins to execute hits, and that he regularly preyed upon his harried staff for sexual favors, while bullying the rest. Wall's family also became alarmed when they realized their every move was scrutinized and then detailed online.

Wall's family then became subject of local gossip and scorn when the website's contents spilled out across the the community, especially after Finn took great pains and expense to publicize the scabrous charges. Walls insists the site was begun to blackmail him to cause his company to pay more for homes that Finn was selling to Gentoo. Finn, who was sued by Walls for libel, originally denied responsibility for the Internet content. But the court found there was abundant evidence to prove he was responsible, and he was found guilty of publishing the material during a trial last year. Walls has demanded an overhaul of current Internet Defamation law to help future victims to receive a "quicker and more effective route to justice."

Barrister Hugh Tomlinson, representative for Walls and his company, described the Internet published material as "seriously defamatory, abusive and scurrilous." He added, "From behind their cloak of anonymity, Dad's Place used their publications and in particular the Web site to conduct a malicious, unpleasant and relentless campaign of libel and harassment. Mr Walls was forced to withstand an almost daily barrage of anonymous allegations, threats, and abuse and suffered very serious damage to his professional and personal reputation. Many other Gentoo employees were subject to wholly unacceptable levels of harassment and abuse."

Defamation law expert Rod Dadak of Lewis Silkin, claims that "The substantial payout is a useful reminder of the need to show extreme care in posting material on the Internet. Reputation Management is increasingly important and the Internet plays a big part or can play a big part in promoting and destroying reputations. Internet vets are an increasingly essential protection to be used to ensure that rogue defamers are not at work."

To better understand the law of Libela, U.K. Law on this is found in the Defamation Act 1996 CHAPTER 31

The Act states:

Responsibility for publication
1 Responsibility for publication
(1) In defamation proceedings a person has a defence if he shows that—
(a) he was not the author, editor or publisher of the statement complained of,
(b) he took reasonable care in relation to its publication, and
(c) he did not know, and had no reason to believe, that what he did caused or contributed to the publication of a defamatory statement.
(2) For this purpose “author”, “editor” and “publisher” have the following meanings, which are further explained in subsection (3)—
• “author” means the originator of the statement, but does not include a person who did not intend that his statement be published at all;
• “editor” means a person having editorial or equivalent responsibility for the content of the statement or the decision to publish it; and
• “publisher” means a commercial publisher, that is, a person whose business is issuing material to the public, or a section of the public, who issues material containing the statement in the course of that business.
(3) A person shall not be considered the author, editor or publisher of a statement if he is only involved—
(a) in printing, producing, distributing or selling printed material containing the statement;
(b) in processing, making copies of, distributing, exhibiting or selling a film or sound recording (as defined in Part I of the [1988 c. 48.] Copyright, Designs and Patents Act 1988) containing the statement;
(c) in processing, making copies of, distributing or selling any electronic medium in or on which the statement is recorded, or in operating or providing any equipment, system or service by means of which the statement is retrieved, copied, distributed or made available in electronic form;
(d) as the broadcaster of a live programme containing the statement in circumstances in which he has no effective control over the maker of the statement;
(e) as the operator of or provider of access to a communications system by means of which the statement is transmitted, or made available, by a person over whom he has no effective control.
In a case not within paragraphs (a) to (e) the court may have regard to those provisions by way of analogy in deciding whether a person is to be considered the author, editor or publisher of a statement.
(4) Employees or agents of an author, editor or publisher are in the same position as their employer or principal to the extent that they are responsible for the content of the statement or the decision to publish it.
(5) In determining for the purposes of this section whether a person took reasonable care, or had reason to believe that what he did caused or contributed to the publication of a defamatory statement, regard shall be had to—
(a) the extent of his responsibility for the content of the statement or the decision to publish it,
(b) the nature or circumstances of the publication, and
(c) the previous conduct or character of the author, editor or publisher.
(6) This section does not apply to any cause of action which arose before the section came into force.

New FTC “Red Flag” Rules Mean Online Deals with Criminals Can Be Punished

IBLS Editor — Wed, 30 Apr 2008 15:14:00 GMT

According to new rules promulgated by the U.S. Federal Trade Commission (FTC), companies are now on the hook for their business dealings, even with customers on the Internet, should what they sell be used for criminal or terrorist activities. The punishments include six-figure fines and even jail time. The new standard is known as the FTC's “Red Flag” rules, which have already been passed and are due to go into law January 2009, but businesses must be compliant to them by November 1, 2008^S. Yet many businesses are still in the dark about this new regime.

Some analysts believe these rules must go through a period of public enforcement before they become commonplace knowledge. Says Brian Bradley, executive vice president of strategy and emerging markets at MicroBilt, a company doing business compliance advising: "With all of the focus put on compliance and security breaches, it's easy to overlook these requirements around identity and law enforcement. It's another level of compliance that a lot of companies don't even know about."

The FTC has sent out these rules to federal financial institution regulatory agencies what are described as “final rules on identity theft “red flags” and address discrepancies.” These final rules implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003. The President’s Identity Theft Task Force has detailed the impact of identity theft, which cause billions of dollars in losses each year to individuals and businesses.

The FTC describes its Red Flag rules:

The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (Program) for combating identity theft in connection with new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft and enable a financial institution or creditor to:

1. Identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft and incorporate those red flags into the Program;

2. Detect red flags that have been incorporated into the Program;

3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and

4. Ensure the Program is updated periodically to reflect changes in risks from identity theft.

The real purpose of these rules is not to simply fight ID theft, as noble a cause as that may be. Instead, the rules are really another brick in the wall of the United State's goal of building better defenses against terrorism. So fighting money laundering is a key goal of these rules, as is keeping fake ID”s away from terrorists. According to the FTC, the rules are designed to force financial institutions to be more careful with whom they do business.

According to the FTC, the rules “require credit and debit card issuers to develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card. In addition, the final rules require users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a consumer reporting agency.”

The entities that most need to learn about these rules are small businesses. For example, if a small used car company sells a vehicle that is used a month later in a crime, they could be held responsible. Bradley says, "The Red Flag rules are basically there to help protect consumers from identity fraud, and to help prevent businesses from making bad loans or extending credit to criminals. But a lot of security people don't know much about them yet, and most small businesses -- the ones that are too small to work with the big credit bureaus -- don't know anything."

Bradley continued, “However, many organized terrorists and criminals know that small businesses can't afford to work with the big credit bureaus, which makes these mom-and-pop shops prime targets for illegal purchases and money-laundering scams. And the worst part is that the small business can be held liable if it does do business with the bad guys, even if it isn't aware of the regulations. I haven't seen any cases yet, but the Red Flag rules won't be enforced until November, so we're just beginning to deal with those."

Online Payment Scams Growing in Europe According to EU Report

IBLS Editor — Wed, 30 Apr 2008 14:00:00 GMT

As the Internet increases in range and wealth of business opportunities, so do criminals up their efforts to develop more sophisticated and effective ways to scam online. Net credit card fraud is growing in Europe, according to an official European Commission report on the web sector, called “Report on fraud regarding non cash means of payments in the EU: the implementation of the 2004-2007 EU Action Plan.” The report sums up the problem, saying: “Fraud against means of payment (payment fraud) remains a threat to the success of the internal market for payments. Payment fraud affects the consumer confidence in non-cash means of payment and ultimately the real economy.”

While new laws fighting cyber crimes have been passed by many EU members, the European web remains a dangerous place for business, according to the Report. The details are eye-catching, including a figure of 10 million fraudulent web transactions costing EU merchants a 1.5 billion Euros ($2.2 billion) in losses per annum. The Report offers a snapshot of the activity in Net fraud and countermeasures taken between 2004 and 2007, which shows that while the number of fraud cases is a small percent, this illegal shadow still damages overall confidence for online buyers in the EU states.

One of the most problematic areas was the so-called "skimming fraud." The Report details this, saying, “In this situation, the magnetic stripe (not the chip) of cards is copied in payment terminals or, more often, in ATMs or unattended payment terminals (for example those in petrol stations). The copied data (in some cases the PIN code is also captured) are used for the production of counterfeit cards which are then either used in non-EMV terminals (in Europe or in countries where the EMV technology has not been implemented) or for non-face to face payments (e.g. mostly Internet transactions).”

Further, electronic payment fraud has evolved from interpersonal interactions to non face-to-face situations like Internet payments, says the report, with “card-not-present" type of fraud leading the way for growth. The EU is fighting back with several legislative actions addressing these cybercrime issues. One emphasis is meant to fight money-laundering. On this directive, the Report states, “The new directive on the prevention of money laundering of 2005 has introduced more detailed obligations for financial institutions in relation to customer due diligence which at the same time are more flexible and better adapted to the level of risk involved. The implementation of a sound "know your customer" policy by financial institutions should lead to a better management of the fraud risks involved, notably regarding identity theft type of fraud (e.g. when accepting new customers) or non-face to face situations (e.g. When monitoring customers' transactions).”

The second directive is for services in the internal market (PSD) which was adopted in
2007. The Report states this is aimed at “ensuring that payments within the EU – in particular credit
transfer, direct debit and card payments – become as easy, efficient, and secure as domestic
payments within a Member State are today. By setting up a harmonised legal framework for
payments within the EU, the PSD will provide more transparency and will reinforce the rights
and protection of all the users of payment services (consumers, retailers, large and small
companies as well as public authorities).”

The Report describes these types of online credit card fraud and ID theft crimes as “a moving target,” which occurs in many various ways. While identity theft/fraud is an enormous issues, a larger problem has arisen regarding “identity management.” In association with the 10 million fraudulent transactions are 500 000 merchants being hit badly. If it becomes ingrained in the average European resident's mind that online transactions are inherently dangerous, it will effect consumer confidence and put the goal of a non-cash economy in danger. Therefore the EU must make sure it is tackling Internet fraud as aggressively as possible.

NATO Agrees to Create Cyber Defence Management Authority

IBLS Editor — Wed, 30 Apr 2008 13:43:00 GMT

The North Atlantic Treaty Organisation has finally gotten around to finalizing plans for fighting cyber-attacks against its members. It has committed to creating a cyber-defence command to shield allies against crippling online assaults on national infrastructures. This group is named the Cyber Defence Management Authority and will function by co-ordinating NATO member defenses from a central command, according to the NATO summit in Bucharest. Leading the new cadre will be Major General Georges D'hollander, already chief of the NATO agency of cyber-defence. This move shifts strategy away from NATO's normal policy of stressing defense of its own internal systems, by employing the NATO Computer Incident Response Capability (NCIRC) unit. The meeting released the “Bucharest Final Declaration” on cyber defense, which reads: "NATO remains committed to strengthening key Alliance information systems against cyber attacks. We have recently adopted a Policy on Cyber Defence, and are developing the structures and authorities to carry it out. We look forward to continuing the development of NATO's cyber defence capabilities and strengthening the linkages between NATO and national authorities." One reason NATO leaders agreed to a common policy on cyber defense at the Bucharest summit is to create a command center to coordinate NATO's "political and technical" reactions to cyber attacks. NATO decided to act after the troubling Internet attack launched on NATO member Estonia in spring 2007, which had apparent political and military motivations, and threatened to take down entire economic sectors. Such massive distributed denial-of-service attacks (DOS) are fairly easy to launch and can create massive damage and chaos. The Net incursion occurred immediately after Estonia relocated a Red Army soldier statue to the Estonian capital Tallinn. The cyber-attack targetted key public and private infrastructures such as banks and telecom servers. It was a simultaneous blast from thousands of computers delivered to the same Estonian servers which resulted in crippling essential services based on the Internet, such as payment of salaries. The Brussels-based CDMA will augment member cyber-defences by reinforcing national systems and creating new lines of communication and developing strategies for future threats. In a show of support, a “Center of Excellence” for training cyber-defense professionals will be set up in Estonia, educating NATO's extensive civilian and military staff. A NATO spokesman spoke abut the new team, saying "It has become clear that the challenge we face has become quite significant and needs a more comprehensive approach. We need to be ahead of the bad guys; the threat can come from many sources: cybercrime, cyberterrorism or state activity." The legal warrant for the new group springs exclusively from Article 4 of the North Atlantic Treaty. This is a very important fact. It means that members will "consult together" in case of cyber attacks, but are not duty bound to aid each other as described in Article 5 of the Treaty. The EU communicated full support for the new group. Martin Selmayr, spokesperson for EU Information Society Commissioner Viviane Reding, made clear the EU welcomed the goals of the new cadre, and will support every initiative drafted to defend security of state networks. Selmayr claimed the Commission's goal is to strengthen existing EU agency which is dedicated to telecommunications security, named the European Network and Information Security Agency (ENISA), based in Crete. Selmayr said, "We need a rapid reaction force. What ENISA is doing now is sitting around a table and drafting reports. They are very accurate but this is not enough. We need a body that operationally deals with the security.” The move by NATO will be welcomed by Washington, as the Bush administration is now lobbying Congress to earmark $6 billion for cyber security in 2008, according to the Wall Street Journal.

Between Einstein and Mueller's Plan, Will the FBI Monitor the Cyber-highways?

Martha L. Arias — Mon, 28 Apr 2008 17:07:00 GMT

The current FBI Director, Robert Mueller, is suggesting an Internet surveillance plan that would allow the FBI to monitor Federal-government networks and private-sector networks. The plan was presented to the House of Representative Judiciary Committee last week and it seems to have the support from some U.S. Congressmen. This article describes Mueller's "Omnibus Internet-Monitoring" proposal and its possible Constitutional concerns.

Current FBI Director, Robert Mueller, is proposing a federal law that would allow the FBI to monitor both federal-government and private-sector networks. The proposal was presented before the US House of Representative Judiciary Committee and as Mueller explained, this law would "balance on one hand, the privacy rights of the individuals who are receiving the information, but on the other hand, given the technology, the necessity of having some omnibus search capability utilizing filters that would identify the illegal activity as it comes through and give us the ability to preempt that illegal activity where it comes through a choke point." Even though this Internet monitoring plan is just a suggesting law from the FBI, it seems to have support from some Congressmen, especially after consideration of the current Einstein Program.

The hearing at which this monitoring plan presented was held to discuss President's Bush Einstein Program. The Einstein Program is a cyber-security initiative that proposes to assign $152 million into cyber-security to protect federal-government networks. Einstein Program is going to be handled by the U.S. Computer Emergency Readiness Team and it will monitor the network gateways of 13 federal government agencies (including the FBI, Department of Homeland Security, etc.) to detect any illegal traffic or suspicious activity. The Einstein Program looks for malicious codes in e-mails attachments and orders collection of traffic flows that are later analyzed by government experts.

Mueller's proposed Omnibus Internet-monitoring plan (still at its conception stage) raised concerns about its constitutionality and effects on the privacy rights of the American citizens just as President's Bush Einstein Program does. If the Einstein Program, specifically designed to protect federal-government networks, has raised concerns about its effects on the rights of the American citizens, Mueller's far reaching monitoring program will definitely raised more privacy concerns.

Mueller's proposed Internet surveillance law will challenge the Constitutional Fourth Amendment right from unreasonable search and seizures. Currently, American citizens enjoy protection against unreasonable searches, even related to communications, without a search warrant order. Hence, just as this proposed surveillance law deserves careful drafting as to compromised-privacy rights, it also requires additional 'thoughts' (as Mueller expressed) on the specific networks that would be monitored or protected.

Will Mueller's proposal follow Einstein's and are American ready for this type of monitoring? This will definitely be the topic of the century. Are American ready to be monitored in this way? Americans are not probably eager to be scrutinized on this way at this time but they may be willing to claim Internet protection or security some years from now. Internet has become so much part of our lives that it is not hard to envisioned 'cyber-patrols' in the near future. As any police or government intervention in a democratic nation, rules are to be placed; including a re-design of Miranda rights for this cyber-era.

Internet Economy Surges Despite Global Slowdown

IBLS Editor — Mon, 28 Apr 2008 13:48:00 GMT

Despite repeated reports of bad economic news in many sectors, the Internet continues its global expansion, giving great comfort to those still trying to understand what a world marketplace with a dwindling oil supply will look like. While some segments of the U.S. economy are slowing, online sales are growing, and recent figures show that e-commerce transactions are growing four or five times faster than traditional retail, according to Rob Atkinson, president of the Information Technology and Innovation Foundation. Atkinson made his comments at a recent forum on the state of the Internet economy at Google's brand new Washington D.C. office.

Bearing in mind the Web as a major player is not yet two-decades old, Information Technology (IT) which includes the Internet, is now the major driver of economic growth in the U.S., according to Atkinson. Dismissing the idea that Net commerce suffered a wild collapse in the early 2000's from an “Internet Bubble,” Atkinson said, "The Internet is not a bubble. A lot of dumb, bad companies went out of business [earlier in the decade], but the industry continued to grow." Atkinson added, "There's absolutely no evidence that somehow, we're at the end of the IT revolution. I think we've got a minimum of 10 or 15 years, maybe a lot longer."

Despite fears of another Internet slowdown, the state of the Internet economy is strong. Online retail sales, excluding travel, reached $175 billion in 2007, up 21% over 2006. According to analysts, online sales to exceed $200 billion this year and should exceed $300 billion by 2011.

Hal Varian, a Professor turned in-house Goggle economist spoke at the forum. Said Varian, "The lesson you learn from looking at query patterns on Google is, yes, we're seeing an economic slowdown, but no, that's not an Internet slowdown.. The Internet is still looking pretty strong, compared to most of these other sectors." Varian says an analysis of search queries at Google shows insightful data about the state-of-mind of Net users. For example, job-related searches have increased while real-estate and luxury goods searches are down. This is exactly what you'd expect to find in a "recessionary environment," claims Varian. Yet, overall, the sum total number of searches on all topics is growing "very dramatically," states Varian.

Panelist Edwin Garrubbo, chairman of the Electronic Retailing Association, claims there is no slowing down the rapid growth of the Web. While online sales currently account for only a fraction of total U.S. retail sales, being 3.5% in 2007, over 2.6% in 2006, Garrubbo's claims are not just idle boasts. For instance, marquis retailer Saks Fifth Avenue currently does more sales volume from its flagship Manhattan store, yet its Web business ranks second. Garrubbo predicts "it's only a matter of time before the potential for that online business is going to far exceed New York's," and will eventually be greater than "all of its other stores combined." Garrubbo also believes the current recession could actually prove a boon for online businesses, as consumers are motivated to find better deals because of a smaller wallet, as he said, "A recession forces smarter decisions, and there's an increased desire to go online.”

Atkinson believes the growth and the potential of the Internet still baffles many politicians in Washington. He said the officials, "still don't understand how much of a driving force information technology and the Internet are in the economy, responsible for a lot of growth." Atkinson calls personalized online ads "economic rocket fuel" that could further boost growth. On this he warned that the Government should not unnecessarily hamper commerce with efforts to protect consumer privacy online, a topic currently under discussion by the Federal Trade Commission and the U.S. Congresss.

London Agreement Patents Law to be Enacted May 2008

IBLS Editor — Mon, 28 Apr 2008 13:38:00 GMT

“LONDON AGREEMENT” PATENTS LAW TO BE ENACTED MAY 2008

Getting patent coverage across Europe is set to get easier and cheaper on May 1, 2008 when a new protocol called the “London Agreement” goes into affect. The London Agreement negotiations have been ongoing for some years, and the final details hammered out October 17th, 2000. The purpose was to make getting translations of European patents easier and lessening the costs. The new rules should halve costs for UK businesses toiling to protect their intellectual property rights across all 31 European states.

The reason it took the agreement awhile to be put put into place was the French were working on their end of the details, and it took them some time to ratify it. On 26 September 2007, the French Assembly finally voted in favor of the Agreement while the French Senate approved the bill on October, 10th 2007.

According to the European Patent Office, the patent process will become extremely easy on May 1st. The EPO writes, “One big advantage of this system is that the applicant can get a European patent by filing just one patent application in any of the three EPO official languages, in English, French or German. Another advantage is that the application is examined by a single patent office.”

The details of the agreement is for member states to waive certain requirement for translation of already granted patents into their native tongues. There is still a requirement to file translations into English, French and German under the Agreement, but considerable savings will result from skipping translation into the many official EU languages as the current law demands.

Yet, there is a significant but completely rational exception to the new rule. For countries waiving a translation of patent descriptions, such a translation into that member state’s language will be necessitated if the patent becomes subject to court proceedings in that member state. Some countries are still holding off completely embracing the Agreement. Spain and Italy are withholding support and so full translations of patents will be required there.

In 2005, there were 60,762 patent applications and 67,917 Euro-PCT applications filed with the European Patent Office. European patent applications are published 18 months after the filing date, unless a priority has been claimed, then 18 months after that. The three official languages of the European Patent Office are English, French and German, meaning patents can be filed in any of these tongues. Patents still need to be translated into the other two languages before a European patent is granted.

For U.K. Businesses, the change is welcome indeed. Patent translations for the EU, meaning at least seven European languages on average, makes translating per application costs of over $10,000. Such a reduction will encourage companies and individuals to file more extensive EU patents for protection beyond the the UK, freeing more budget for research, development and promotions. As a result, the UK Intellectual Property Office predicts that British businesses could easily save over $20 million a year in patent translation costs.

If one examines the new law further, it becomes clear that while money is being saved, the big winner may be Patent protections and Intellectual Property (IP) itself. The less patent applications cost, the more likely inventors and companies are going to follow through and protect their inventions and IP rights. This in turn lessens the chances of an unscrupulous or even ignorantly innocent person from trespassing onto these rights. It therefore increases the value of patents across the EU.

Considering that patent proprietors who currently want to protected their IP in all 31 member states of the EPO would need to have their European patent fully translated into 22 languages at a cost of approximately 31,000 euros, this change cannot possibly come soon enough.

New US National Cyber Investigative Joint Task Force Will Be Led by FBI

IBLS Editor — Wed, 23 Apr 2008 14:46:00 GMT

Since 2007, the FBI has very quietly put together a cadre of professionals with U.S. intelligence and other agencies to help battle crime on the Internet to help identify and respond to cyber threats against the United States. The name of the group is the National Cyber Investigative Joint Task Force (NCIJTF), and the FBI has a number of persons training together at an unnamed location near Washington. The leader of the new group is Shawn Henry, the FBI's deputy assistant director of the cyber division. Henry has stated the group is made up of intelligence, law-enforcement and other agencies from the U.S. government.

The FBI claims in a press release about the group that they plan on, “Expanding the National Cyber Investigative Joint Task Force (NCIJTF), to include representation from the U.S. Secret Service and several other federal agencies. This existing cyber investigation coordination organization overseen by the Federal Bureau of Investigation will serve as a multi-agency national focal point for coordinating, integrating, and sharing pertinent information related to cyber threat investigations.”

About the joint project, the Department of Homeland Security says the task force is being enlarged to include the U.S. Secret Service and other federal agencies. The Secret Service claims that part of the job of fighting counterfeiting will be to investigates "computer-based attacks on our nation's financial, banking, and telecommunications infrastructure."

FBI Director Robert Mueller describes the force as a partnership between agencies to counter cyber threats from foreign intelligence. He wrote, “We are also uniquely positioned to investigate counterintelligence threats in the cyber arena. The FBI is partnered in the National Cyber Investigative Joint Task Force with elements of the intelligence community to investigate and respond to counterintelligence cyber threats.”

The FBI says the NCIJTF will have several parts, being “two complimentary components, the Information Operations Group (IOG) and the Analytical Group (AG).” The leadership, being the NCIJTF AG, will proceed by seeking to “synthesize a common operating picture of hostile intrusion related activity to aid investigations, reviews all-source data, and produces quarterly reports. The NCIJTF IOG provides a forum for de-conflicting and collaborating on investigations and provides centralized coordination of operational initiatives.”

The FBI describes the structure and approach of the NCIJTF, saying it will work by using shared investigation and resources, and will have six goals it follows:

“1) serve as the primary interface among the participating agencies and other agencies; 2) develop a global view of information warfare activity; 3) identify intelligence gaps; 4) create a strategic framework to develop operations; 5) de-conflict investigations and operations among participants; and, 6) generate timely intelligence to support operations and to allow targeted entities to harden their networks.”

The FBI budget asks for: “211 positions (35 Agents and 113 Intelligence Analysts) and $38,648,000 in personnel and non-personnel funding in support of investigative, intelligence, and technical requirements of the Comprehensive National Cybersecurity Initiative.”

These funds will be used for, “infrastructure requirements, cyber training, intelligence/information sharing and analysis resource requirements, equipment funding for the continued operations and maintenance costs of its Consolidated Collection CALEA Cell Site Server and Carrier Records Digital Interfacing efforts”

The Government says the purpose of the NCIJTF is to mitigate and eliminate cyber threats. The FBI plans to do this by approaching the threats from many different angles, employing, “sufficient numbers of investigators to identify, monitor, disrupt, and eventually predict additional hostile activity. Identifying the threat requires responding to all computer network intrusions affecting U.S. national security and collecting intelligence that provides insight into the tradecraft and command and control. Effectively predicting and disrupting the threat requires targeting the organizations and people behind this activity. The FBI must leverage current authorities, technology, and IC partnerships to expand current and develop new operational initiatives designed to identify the methods of attack, prove state sponsorship, and proactively disrupt the foreign exploitation of U.S. computer networks.”

As to the U.S. attitude towards cyber terrorism, Henry replied: "Our response has to constantly change and grow because the threat is constantly changing and growing."

NJ SUPREME COURT SAYS SUBPOENA NEEDED FOR INTERNET RECORDS

IBLS Editor — Wed, 23 Apr 2008 14:36:00 GMT

The New Jersey Supreme Court has given a huge victory to Internet privacy advocates by ruling that the Government needs a valid subpoena before it can get private user information from an Internet Service Provider (“ISP”). The case was, State of New Jersey v. Shirley Reid (A-105-06), and was argued October 22, 2007 and decided April 21, 2008. The case came up on appeal and was argued as an amicus brief with the help of the American Civil Liberties Union, Electronic Frontier Foundation and the Electronic Privacy Information Center, among other groups that filed friend-of-the-court briefs in the controversy. The victors claim it is the first ruling in the U.S. to recognize a “reasonable expectation of privacy for Internet users.”

The case dealt with a business named Jersey Diesel, whose owner became convinced that an unauthorized Internet user had come in and changed the company's website. The owner, Timothy Wilson, found out the mystery user was registered to Comcast. Wilson contacted Comcast and asked for the subscriber information so that he could discover who made the unauthorized changes. But Comcast refused to help without a subpoena. Wilson then reported the incident to the Lower Township Police Department and suggested claimed that Ms. Shirley Reid, a Jersey Diesel employee on disability leave might have made the changes. Reid had come back to work, argued with Wilson, then left. Wilson claimed Reid was the only employee who knew the company's computer password and ID.

Police did obtain the information on who accessed the website, which was the same woman Wilson suspected. They got her identity through her Internet provider, Comcast Corp., by tracing the Internet “fingerprint” that her computer left behind. This fingerprint consists of the Internet protocol address, also known as an IP address, identifiable only by Comcast. While the police obtained a subpoena for the data from a local court, the higher courts ruled a grand jury subpoena was necessary given an indictable offense was claimed. The fight for the ID then moved through the NJ court system.

The court ruled Police need a criminal grand jury subpoena for such information, claiming the woman's 2005 charge for theft by computer would not stand unless prosecutors had enough proof without the evidence. But the evidence from Comcast was suppressed without a subpoena.

The New Jersey Supreme Court based their decision on the fact that the NJ state constitution affords greater protection against unreasonable searches and seizures than the U.S. Constitution, and that Internet providers should therefore not disclose private information to any entity without a subpoena.
Grayson Barber, a lawyer representing the American Civil Liberties Union, Electronic Frontier Foundation and the Electronic Privacy Information Center said it was the first ruling in the nation to find a genuine and defensible expectation of privacy for Internet users. Barber said, "The reality is that people do expect a measure of privacy when they use the Internet."

As to the privacy issue, the court said:

“Both the Fourth Amendment to the United States Constitution and Article I, Paragraph 7, of the New Jersey Constitution protect the right of the people to be secure against unreasonable searches and seizures. Federal case law interpreting the Fourth Amendment has found no expectation of privacy in Internet subscriber information. On multiple occasions, however, this Court has held that the New Jersey Constitution affords greater protection than the Fourth Amendment.

It is well-settled under New Jersey law that disclosure to a third-party provider, as an essential step to obtaining service altogether, does not upend the privacy interest at stake. In order to access the Web, individuals must obtain an IP address from an ISP. Users make disclosures to ISPs for the limited goal of using the technology and not to promote the release of personal information to others. IP address information can be used to track a person's Internet usage, revealing intimate details about his or her personal affairs. Because current technology renders the user's identity anonymous to all except the ISP, users have reason to expect that their actions are confidential when they surf the Web from the privacy of their homes. Therefore, the Court holds that Article I, Paragraph 7, of the New Jersey Constitution protects an individual's privacy interest in the subscriber information that he or she provides to
an ISP. (Pp. 15—21).”

A Washington lawyer who litigates Internet cases, Megan E. Gray, said the ruling "seems to be consistent with a trend nationwide, but not a strong trend. It's contrary to what is happening with rights of privacy at the federal level. But it's all over the board for the states, with a mild trend toward protecting this information."

Over a Million Viruses now Infect the Web, up 500%

IBLS Editor — Wed, 23 Apr 2008 14:27:00 GMT

According to premier IT security providers Symantec, the number of computer viruses in circulation has passed well-beyond one million for the first time, and shows no sign of abating anytime soon. Symantec claims over 700,000 new viruses were identified in 2007, an increase of almost 500% over the number identified last year. Symantec reported this in its twice-yearly Global Internet Security Threat Report.

Most viruses originate from the US, accounting for 25% of all malware. Madrid, Spain is the city with the largest number of so-called 'zombie' computers, being machines co-opted into performing illegal tasks remotely by criminals based elsewhere. Overall, there are an average of 62,000 zombie computers operating every day around the globe, up 17% over last year.

While never has the need to trust one's Government ever been greater, it is from the government sector that most "identity exposure” come in the way of theft or loss of personal information from compromised databases, totaling 60% of the sum of the last half year. Educational institutes are also prime spots to steal ID's and the like, as 24% were lost from there, while healthcare was the third greatest source, losing 16%.

Criminals using unique phishing messages, being e-mails crafted to fool bank customers into entering fake websites where they unwittingly are made to hand over personal details grew by 5% to over the 200,000 of last year. There were, on average, 1,134 new messages sent out each day and 66% of all phishing websites were fake financial sector businesses. Social networking sites have also been invaded by phishers. Symantec said, “The report also found that attackers are seeking confidential end-user information that can be fraudulently used for financial gain and are less focused on the computer or device containing the information.”

China is now right behind the U.S. as the second-ranked state for phishing websites, possibly related to an attempt to exploit the upcoming Olympic Games, being held in Beijing in August. The Russian Business Network (RBN) was also heavily linked to distribution of malicious code, but they suddenly disappeared overnight in November after the company had become synonymous with graft and corruption.

On how to stay safer when online, Stephen Trilling, vice president of Symantec Security Technology and Response, said “Avoiding the dark alleys of the Internet was sufficient advice in years past. Today's criminal is focused on compromising legitimate Web sites to launch attacks on end-users, which underscores the importance of maintaining a strong security posture no matter where you go and what you do on the Internet.”

Overall, it is clear that a robust, large and financially strong underground economy has grown up to buy, sell and trade in stolen ID's and information. Just like any other developing economy, this underground colossus is characterized by a number of common traits. Just as Adam Smith would point out, the old definers of marketplace price -- supply and demand, decide how much the market grows and in which direction, as well. Stolen information, such as credit card numbers, which is now commonplace, made up for 13% of all advertised stolen items, with the price slumping 22% from the period previous, selling for as little as $0.40. The location of the associated bank of a stolen credit card also influences price. Credit cards from banks in the EU are worth more than those emanating from the United States; due to the smaller supply of E.U. credit cards in circulation, meaning the card is more valuable to criminals. Bank account credentials are now the most frequently advertised stolen item, composing 225 of all stolen goods, listed for as little as $10 a piece.

On how to view the coming need for IT security, Adriano Diaz, VP and information security manager of BankUnited, said, “Remaining vigilant and informed on the latest evolutions in the threat landscape is critical to maintaining a strong security posture.”