
Saturday, January 29, 2005

Lawsuit against Arab Bank

Here's another good reason for financial institutions to have strong anti-money laundering policies and procedures in place - litigation. This Bloomberg story details the lawsuit filed in federal court in Brooklyn by the families of 30 bombing victims against Arab Bank. [Coulter v. Arab Bank, CV-05-365]

The lawsuit claims that a "Saudi charity that has collected more than $100 million for Palestinians made payments to the relatives of suicide bombers through Arab Bank Plc." However, Arab Bank's attorney says that the bank's "compliance procedures to block suspect transactions are significantly greater in the region than are required locally," and denies that the bank had any part in funding the terrorists.


Open Source patent search tool

PatentCafe press release on its free Open Source Software ("OSS") Patent Search engine.

Yuba City, CA (PRWEB) January 29, 2005 -- Initially populated with IBM's 500 pledged Open Source Software patents, PatentCafe has announced the opening of its Open Source Software (OSS) Patent Search Engine devoted entirely to worldwide search access to OSS patents. Through PatentCafe's ICO Global Patent Search engine -- http://www.IAMcafe.com -- software developers are now able to accurately search the entire collection of the OSS patents to find the patents most related to their software

Previous post regarding IBM's patent pledge.


JACK would be a good name for this group

Celebrity jeweler Katherine Baumann is fighting mad ... against counterfeiters, according to this Jewelers' Circular Keystone article. Having successfully "defended her brand name and original jewelry-studded handbag designs against infringers," she is now spearheading the "formation of a new national coalition focused solely on protecting the intellectual property rights of U.S. jewelry designers and manufacturers."

Here's my 2 cents on what the new group should be called: JACK - "Jewelers Against Counterfeits and Knock-Offs" (please, no suggestions to include the word "off" in my proposed acronym : ))


USA is leader of legal technology

When it comes to legal technology, the United States is its "spiritual home," according to Kieran Flatt's story in Legal IT.

The oft-quoted axiom that "whenever America sneezes, the rest of the world catches ‘flu" holds as true for legal technology as it does for popular culture and international relations.

The article describes the U.S.'s leadership role in 1) electronic discovery, 2) outsourcing, 3) data centralization, 4) data warehousing, 5) collaboration tools, and 6) mobile computing.


Friday, January 28, 2005

That's one expensive head hunter

A federal jury in Columbus, Ohio awarded Chicago Title Insurance Co. $43.2 million after it ruled that its former employee, aided by rival First American Title Insurance Co., violated a non-compete agreement and recruited 32 employees to join him.

Columbus Dispatch story here (paid subscription required).

Los Angeles Times story here (free registration required).

So, those little old non-compete agreements you signed when you first joined the company can really have some teeth behind them. Here's how Ohio views them.

With respect to non-compete agreements, the Ohio Supreme Court holds the following:

We hold that a covenant not to compete which imposes unreasonable restrictions upon an employee will be enforced to the extent necessary to protect the employer's legitimate interests. A covenant restraining an employee from competing with his former employer upon termination of employment is reasonable if it is no greater than is required for the protection of the employer, does not impose undue hardship on the employee, and is not injurious to the public. Courts are empowered to modify or amend employment agreements to achieve such results. Raimonde v. VanVlerah (1975), 42 Ohio St.2d 21, 325 N.E.2d 544.

With respect to whether a non-compete is reasonable, the court in Busch v. Premier Integrated Med. Assocs., Ltd. (PDF) (September 5, 2003), 2003 Ohio App. LEXIS 4255, 2003 Ohio 4709, stated the following:

We have held that factors to be considered in determining reasonableness of the restrictions a covenant imposes include[:]

(1) the existence of time and geographic limitations;

(2) whether the employee represents the sole contact with the customer;

(3) whether the employee possesses confidential information or trade secrets;

(4) whether the covenant seeks to eliminate competition which would be unfair to the employer or merely seeks to eliminate ordinary competition;

(5) whether the covenant seeks to stifle the inherent skill and experience of the employee;

(6) whether the benefit to the employer is disproportional to the detriment to the employee;

(7) whether the covenant operates as a bar to the employee's sole means of support;

(8) whether the employee's talent which the employer seeks to restrict was actually developed during the period of employment; and

(9) whether the forbidden employment is merely incidental to the main employment.


Don't believe the hype

If you want good Information Technology security, focus on strong access controls. That's the message of Illena Armstrong's article "We’ve had a fair share of over-hyped technology" in SC Magazine.


Thursday, January 27, 2005

Bank pleads guilty to violating AML laws

Riggs Bank pleaded guilty to violating the Anti-Money Laundering laws of the Bank Secrecy Act, clearing the way for PNC Financial to acquire Riggs.

Story in the Washington Business Journal.

Riggs Press Release:

Under an agreement with the U.S. Department of Justice and the U.S. Attorney's Office for the District of Columbia:

Riggs Bank N.A. will plead guilty to a single count of failing to file timely and/or accurate Suspicious Activity Reports as required by the Bank Secrecy Act and its implementing regulations. Riggs Bank N.A. will pay a $16 million fine to federal authorities, and has agreed to a five-year period of corporate probation, which will terminate immediately upon the closing of a sale of Riggs National Corporation or Riggs Bank N.A. or any other change of control transaction.

U.S. Attorney for the District of Columbia Press Release:

The guilty plea is in connection with Riggs' repeated and systemic failure accurately to report suspicious monetary transactions associated with bank accounts owned and controlled by Augusto Pinochet of Chile and by the government of Equatorial Guinea. ...

United States Attorney [Kenneth L.] Wainstein stated, "Riggs Bank was legally obligated to take steps to ensure that its services would not be used for illegal purposes. Despite numerous warnings from regulators, Riggs courted customers who were a high risk for money laundering and helped them shield their financial transactions from scrutiny. This long-term and systemic misconduct was more than simply blind neglect; it was a criminal breach of the banking laws that protect our financial system from exploitation by terrorists, narcotics dealers and other criminals. We welcome the bank's decision to accept responsibility, to implement internal processes to prevent future such violations, and to cooperate fully with our ongoing investigation."

"The sound business practice of ‘knowing your customers' (PDF) applies particularly to banks and financial institutions, which have an obligation under the law to report suspicious financial transactions that indicate evidence of money laundering or other illegal activity," said Assistant Attorney General Wray. "Such scrutiny is especially important where the customer is a high-profile foreign political figure. U.S. financial institutions must not serve as havens for funds looted from foreign countries, and institutions with weak compliance programs must not be rewarded for their lack of vigilance."

Note the broad use of the phrase "know your customer" by US Attorney Wainstein. In the press release he's talking about knowing your customers in general, as a good business practice for AML compliance. Given the facts surrounding the case, he does not appear to be referring to Section 326 of the Patriot Act.

Here's something from the Federal Reserve Bank of Philadelphia: Know Your Customer: It's Not Just a Good Idea, It's the Law!

Section 326 of the PATRIOT Act [Verification of Identification—more commonly referred to as "Know Your Customer"] requires each financial institution-including banks, savings associations, and credit unions-to have a Customer Identification Program (CIP) that describes processes the financial institution will follow to (i) verify the identity of new accountholders, (ii) ensure that the institution has a reasonable belief that it knows each customer's identity, and (iii) compare the names of new customers against government lists of known or suspected terrorists or terrorist organizations.


Watch these guys for future IP infringement suits

Warning to TomorrowNow and its customers: Oracle is watching. TomorrowNow is a third-party maintenance provider of PeopleSoft software. PeopleSoft is now a part of Oracle. And TomorrowNow was just bought by SAP, Oracle's bitter rival.

According to an eWeek article:

The intent of the acquisition is to provide maintenance support for users of applications by PeopleSoft and J.D. Edwards & Co., which PeopleSoft acquired last year, while they migrate to SAP. (emphasis added)

The next paragraph quotes Oracle founder Larry Ellison:

"SAP has every right to provide support for PeopleSoft applications as long as they don't violate our intellectual and contractual property rights," Ellison said, in measured tones. "It might make it awkward for them. That's our intellectual property, and they should be cautious."

Translation: better call your lawyers before you start messing with our IP.

More eWeek coverage here.


Wednesday, January 26, 2005

Two Sides of Outsourcing

MIT's Technology Review describes the two sides of outsourcing. The article asks, with so many Silicon Valley start-ups, engineers, and venture capitalists tracing their roots to India, why doesn't India have a booming high-tech industry of its own? Some speculate that India's outsourcing industry is too busy serving the needs of its well-paying foreign clients to have the time or capital to develop its own technology. However, outsourcing can have indirect benefits. The article points to the experience of Ittiam Systems. India's outsourcing experience gives people confidence and experience to venture out on their own and is gradually changing India's culture to where entrepreneurs are no longer viewed as loners who couldn’t hold down regular jobs.

Speaking of India and outsourcing: Peter McLaughlin will be chairing the "Competition in Licensing Models" forum at the CLA First International Asian Conference in Bangalore, India.


MT Law Blog is moving

The new web address for the MT Law Blog is www.mt-law.com/blog


Tuesday, January 25, 2005

My spyware url list not an original idea : )

Update on my Spyware url list post. TechRepublic article says that spyware is public enemy number 1 (registration required). Why? Bottom line is that "Spyware cost money."

In the discussion after the article, TechRepublic member Dr. Dij asks:

While it would not prevent all spyware, anti-virus and anti-spyware companies should use a network of PCs to browse sites automatically. Any registry changes or files created or changed or read outside of temp directories would trigger a listing in a black-hole list of sites that install spyware without asking. Spyware addon to browsers would warn end users that site had spyware and block it totally or simply warn them, depending on settings of spyware blocking addon.

Member GDF says that the solution is unfortunately impractical:

I don't think your solution is practical. Too much spyware is coming from popups, on-page advertising, and other sources the target site has no control over.


Open Source Primers

The International Open Source Network ("IOSN") has a series of primers on Free/Open Source Software ("FOSS") here.

The primers are "in process" with more topics to come, so make sure to check the IOSN site frequently.

The IOSN is an initiative of the United Nations Development Programme's ("UNDP") Asia Pacific Development Information Programme ("APDIP"), and is supported by the International Development Research Centre ("IDRC") of Canada.


Monday, January 24, 2005

Music Utility proposed

David Kusek, Vice President, Berklee College of Music, and coauthor of The Future of Music Manifesto for the Digital Music Revolution, has a piece in Forbes.com entitled Music Like Water. Mr. Kusek argues that the music industry should "establish a 'music utility' approach to the distribution and marketing of interactive digital music, modeled after the water, gas and electricity utility systems."


First MGM v. Grokster Brief

The Video Software Dealers Association filed a "friend of the court" brief (PDF) with the United States Supreme Court on January 21, 2005 in the MGM v. Grokster case.

According to the VSDA Position Statement:

VSDA argued that courts should not turn a "blind eye" to the rampant copyright infringement that occurs over peer-to-peer file swapping services. VSDA's position supported its call for the Supreme Court to reverse the decision of the U.S. Court of Appeals for the Ninth Circuit in the MGM Studios v. Grokster (PDF) case.

Electronic Frontier Foundation resources on the Grokster case here.

Hat tip: Interaction Law, via the CNI-COPYRIGHT e-mail list.


Spyware url list

My previous Spyware on Blogspot? post got me thinking. Would it be too difficult for there to be a list of known URLs that load spyware? This list could then be loaded in the Restricted Sites zone in Internet Explorer. People could submit suspected sites to a central repository, which could then investigate. If a site proves to be one that loads spyware, then it could be added to the list. Users could then download the list and load it into the Restricted Sites zone.

Simplistic? Too cumbersome? Already done? Let me know.
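The "download the list and load it into the Restricted Sites zone" step, sketched as an added example (not code from this blog or from any existing tool): it validates submitted URLs and emits a .reg file using Internet Explorer's per-user ZoneMap registry keys, where zone 4 is Restricted sites. The sample hosts are constructed, and treating the last two labels as the registrable domain is a simplifying assumption.

```python
import ipaddress
import re
from urllib.parse import urlsplit

ZONEMAP = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
           r"\CurrentVersion\Internet Settings\ZoneMap")
RESTRICTED_ZONE = 4  # Internet Explorer's zone number for "Restricted sites"

# Letters, digits, hyphens and dots only: anything else (backslashes, quotes,
# brackets) could alter the registry path written into the .reg file.
HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z][a-z0-9-]*$")

# Constructed sample submissions (reserved example domains and TEST-NET address).
SUBMITTED = r"""
# one URL or hostname per line
http://bad-blog.example.com/index.html
HTTP://Bad-Blog.Example.com:80/other
popups.example.net
https://192.0.2.10/install.exe
http://evil.example.org\Ranges\x/
not a url
"""


def classify(entry):
    """Map one submitted line to ('ip', addr), ('domain', domain, sub) or None."""
    text = entry.strip()
    if "://" not in text:
        text = "http://" + text  # bare hostname: give urlsplit a netloc to parse
    try:
        host = (urlsplit(text).hostname or "").rstrip(".")
    except ValueError:
        return None
    try:
        return ("ip", str(ipaddress.IPv4Address(host)))
    except ValueError:
        pass
    if not HOST_RE.match(host):
        return None
    labels = host.split(".")
    # Assumption: the registrable domain is the last two labels. A production
    # list would consult the Public Suffix List (names under co.uk and so on).
    return ("domain", ".".join(labels[-2:]), ".".join(labels[:-2]))


def parse_list(lines):
    """Split submissions into deduplicated accepted entries and rejects."""
    accepted, rejected = set(), []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        result = classify(line)
        if result is None:
            rejected.append(line.strip())  # left for the repository to review
        else:
            accepted.add(result)
    return sorted(accepted), rejected


def build_reg(entries):
    """Render accepted entries as .reg text that maps each one to zone 4."""
    out = ["Windows Registry Editor Version 5.00", ""]
    range_no = 0
    for entry in entries:
        if entry[0] == "ip":
            # IP addresses live under ZoneMap\Ranges, one numbered key each.
            # Numbering from 1 assumes no Range keys exist on the machine yet.
            range_no += 1
            out.append(f"[{ZONEMAP}\\Ranges\\Range{range_no}]")
            out.append(f'":Range"="{entry[1]}"')
        else:
            # Host names live under ZoneMap\Domains\<domain>[\<subdomain>], so
            # one bad blog can be restricted without blocking its whole host.
            _, domain, sub = entry
            key = f"{ZONEMAP}\\Domains\\{domain}" + (f"\\{sub}" if sub else "")
            out.append(f"[{key}]")
        out.append(f'"*"=dword:{RESTRICTED_ZONE:08x}')  # "*" = every protocol
        out.append("")
    return "\r\n".join(out)


if __name__ == "__main__":
    entries, rejected = parse_list(SUBMITTED.splitlines())
    print(build_reg(entries))
    print("Rejected submissions:", rejected)
```

Importing the generated file with regedit applies the entries to the current user only; the rejected lines are the ones a maintainer would review by hand.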


Spyware on Blogspot?

If you look to the upper right hand corner of this webpage, you will see an icon to go to the "next blog." Clicking on this icon will take you to a randomly selected Blogger blog. Yesterday I was surfing the web on my home computer and hit the "next blog" icon a few times to see what's out there. One of the hits was nana***.blogspot.com (the actual name has numbers in place of the asterisks). Pop-ups appeared on my computer immediately after I visited the nana blog, even though I have a pop-up blocker installed. I started getting messages about system resources, etc. I immediately closed all of my browsers, but it was too late. When I re-opened my browser it went to a different home page. My computer was hijacked!

Sure enough, Ad-aware (from lavasoft) indicated that my computer had been infected with the Search Miracle/Elite Bar virus.

I sent Blogger an e-mail to investigate. I will post their response. In the meantime, I will not be clicking on the "next blog" icon in the near future.


Saturday, January 22, 2005

Is Indemnification Microsoft's Savior?

IT Jungle story - Microsoft's Strong IP Protections Give Windows an Advantage

In the ongoing platform wars, it's not always enough to have a superior operating system or better technical support on your side. Increasingly, giving customers a more thorough intellectual property (IP) indemnification policy, and backing that with a gaggle of lawyers, is the key to winning over customers. This is an important area where Microsoft has held an advantage over Linux, its key competition in the entry and midsized server space. But how long will the advantage last?

Yankee Group report found on Microsoft's website - Indemnification Becomes Open Source's Nightmare and Microsoft's Blessing (the full report here (PDF)):

The Yankee Group advises all companies to thoroughly review the terms and conditions of their existing and proposed licensing contracts. This report provides recommendations for important checkpoints to help you get the strong intellectual-property protection you need.

Indemnification is a big-ticket item that is included as a standard component in proprietary software licensing contracts. That is not the case with Linux, where indemnification is limited or lacking altogether. The necessity of having to purchase outside indemnification for Linux could negate the perceived savings of the so-called "free" Linux licenses over Microsoft's proprietary Windows.


Friday, January 21, 2005

Gartner News Analysis on IBM's Open Source Move

On January 11, 2005, IBM "pledged open access to key innovations covered by 500 IBM software patents to individuals and groups working on open source software." (Press Release, List of Pledged Patents (PDF))

The pledge is applicable to any individual, community, or company working on or using software that meets the Open Source Initiative (OSI) definition of open source software now or in the future.

IBM intends for this pledge to form the basis of an industry-wide "patent commons" in which patents are used to establish a platform for further innovations in areas of broad interest to information technology developers and users.

Gartner views the move as lending "long-term viability to the principles of open source, encourages open-source innovation by smaller and startup independent software vendors." Additionally, "IBM's latest move puts new pressure on Microsoft - indirectly casting it as a proprietary alternative to the industry's open-software movement."

By referring to the OSI, IBM casts it as the definitive open-source organization.
The move is reminiscent of Novell's announcement last October to "utilize its patent portfolio to defend against potential intellectual property attacks by others on its open source products." Novell said that this Patent Policy "serves to reassure customers that they can choose open source solutions with confidence, knowing they have strong backing from Novell on patent issues."

One commentator wonders whether Novell's Patent Policy is a "Maginot Line."


BITS IT Service Providers Expectations Matrix

This article points to the BITS IT Service Providers Expectations Matrix (Microsoft Excel). From the Matrix introduction:

The BITS IT Service Provider Expectations Matrix was created to promote a common understanding among interested parties of the financial services industry’s needs related to information technology practices, processes and controls. By providing financial institutions, service providers, and audit and assessment organizations with a comprehensive set of expectations, the Expectations Matrix helps financial services companies to identify risks and comply with regulatory requirements, as well as to eliminate gaps in the audit and assessment processes.

BITS is a nonprofit industry consortium whose goal is to foster the growth and development of electronic financial services and e-commerce for the benefit of financial institutions and their customers.

Other BITS papers, presentations and guidelines available for download here.


Government more open to open source

First: The Center for Digital Government is hosting a free live Internet Seminar on Open Source on January 25, 2005.

Second: register here for "Open Source Open Government" white paper.

Now, on to the story. Public CIO story "Government Moves Into the Open" highlights the National Government CIO Summit on Open Source. The summit was presented by the Center for Digital Government and Government Technology magazine and sponsored by Novell.

Excerpt regarding the "Legal Thorns" of Open Source:

[Linda] Hamel [general counsel for the Information Technology Division in Massachusetts] pointed out the common misconception that the general public license or GPL is the open source license. Not so. "The GPL is the most common license for all open source software, but it is not the most common license for the most commonly used open source software," she explained.

While the differences between GPL and other types of open source licenses are complex, she urged the audience to spend time familiarizing themselves with the issues and risks that can occur should a government enter the field as an open source software developer. As just one example, she pointed out that states, unlike commercial software firms, cannot give 3rd party intellectual property infringement indemnification. Bottom line: make sure your jurisdiction's general counsel is well grounded in the nuances of open source licensing and its impact on proprietary software licenses.


Remember OFAC when publishing material

Related to my previous al Qaeda book post, OFAC recently issued a new rule (PDF) clarifying the extent to which publishing activities with persons in Cuba, Iran and Sudan are authorized, notwithstanding the U.S. embargoes against those countries.

Below is the press release, in its entirety:


December 15, 2004

Treasury Issues General License for Publishing Activities

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) today issued a new rule clarifying the extent to which publishing activities with persons in Cuba, Iran and Sudan are authorized, notwithstanding the U.S. embargoes against those countries. Today's action addresses a series of issues that have come to the attention of the Treasury during the past year.

"OFAC's previous guidance was interpreted by some as discouraging the publication of dissident speech from within these oppressive regimes. That is the opposite of what we want," said Stuart Levey, the Treasury's Under Secretary for the Office of Terrorism and Financial Intelligence (TFI). "This new policy will ensure those dissident voices and others will be heard without undermining our sanctions policy."

The new rule enables U.S. persons to freely engage in most ordinary publishing activities with persons in Cuba, Iran and Sudan, while maintaining restrictions on certain interactions with the governments, government officials, and people acting on behalf of the governments of those countries. The rule entails the issuance of general licenses in the Cuban Assets Control Regulations, 31 CFR part 515, the Iranian Transactions Regulations, 31 CFR part 560, and the Sudanese Sanctions Regulations, 31 CFR part 538.

"Persons engaging in the activities authorized in the general licenses can do so without seeking permission from OFAC," said OFAC Director Robert Werner. "This rule provides clarity and promotes important policies aimed at the free exchange of ideas without undermining the national security objectives of these country sanctions."

Iran, Sudan, and Cuba are subject to U.S. sanctions under the International Emergency Economic Powers Act (IEEPA) and the Trading With the Enemy Act (TWEA) based on the threat they pose to the national security, foreign policy and economy of the United States. IEEPA and TWEA give the president the authority to impose sanctions in times of war or national emergency. These statutes are critical to U.S. interests with respect to dangerous regimes, terrorists, narcotics traffickers and the proliferation of weapons of mass destruction. Embargoes established under IEEPA and TWEA often prohibit persons under U.S. jurisdiction from providing goods or services to persons in sanctioned countries, unless authorized by OFAC.

Economic sanctions against foreign states and groups whose actions pose significant threats to the United States are an integral part of our overall national security policy. OFAC is charged with implementing and administering the U.S. Government's economic sanctions programs to effectively put pressure on those posing such threats, while promoting real and positive change.


Sale of Al Qaeda book causes stir

The Wall Street Journal story "Al Qaeda Book May Stir Debate Over Profit" (paid subscription required).

A collection of writings by al Qaeda's second-in-command, Ayman al-Zawahiri, plus some material attributed to Osama bin Laden will be published by Bertelsmann AG's Doubleday imprint. The article describes the debate of profiting from the September 11 attacks that would likely ensue.

For one historian, the critical issue is that the public will be able to see and read original documents for themselves. "It's crucial to understand the people you are interacting with, especially when the interaction has taken a violent path," said Lawrence W. Levine, a professor of history at George Mason University in Fairfax, Va.

It is interesting that the original material was found at the Library of Congress. The material was found by Raymond Ibrahim, who forwarded the material to a professor, who in turn sent the material to literary agent Glen Hartley of Writers' Representatives LLC. Mr. Hartley sold the project to Doubleday.

The article quotes Suzanne Herz, a Doubleday spokeswoman as saying that "Mr. Ibrahim will own the copyright to the translation that he prepares."

So here's an interesting hypo: What if al Qaeda sues Doubleday for copyright infringement? Here's what the University of North Carolina's Task Force On Intellectual Property has to say on translations:

The Copyright Act provides that copyright subsists in any original work of authorship that is fixed in tangible medium of expression. Originality means that the work was not copied from someone else and possesses at least a small amount of creativity. Does the work of translators and indexers meet the requirements for copyright? The matter has been debated among indexers and translators for years, and the answer may not be the same for translations as for indexes and may differ for various types of either. The Copyright Act actually mentions both translations and indexes. This column focuses on translations; next month’s will address the copyrightability of indexes.

Translations are a derivative work, and only the copyright owner can authorize a translation that will be distributed. This envisions a work that is translated into another language and distributed in the parts of the world where that language is spoken. Derivative works are infringing if they are not created with the permission of the copyright holder. Thus, a work of fiction or a best-selling biography cannot be translated into French and distributed without the original author or copyright holder’s permission. If the author authorizes a French translation, the author owns the copyright in the translation since it is a work for hire. According to the statute, for a work for hire, the employing party is the author. In fact, the translator’s name may not even be revealed in the work.

I highly doubt that al Qaeda would sue. Nevertheless, just a little copyright nugget for one to ponder.


Thursday, January 20, 2005

Nine Years for Lowe's Hacker

From the UnSecure Privacy blog (link):

The AP reports (via Mercury News) that the hacker who tried to steal credit card data from Lowe's national computer network received a nine year prison sentence. Brian Salcedo was indicted under 18 USC 1030 by a federal grand jury on sixteen counts alleging conspiracy, wire fraud, computer fraud, unauthorized computer access, intentional transmission of computer code, and attempted possession of unauthorized access devices.

The article states that "it is the longest prison term ever handed down in a U.S. computer crime case."

Link to other computer intrusion cases.


Privacy and Security Update - January 2005

Peter Hazelton has a new Privacy and Security Update. It is reproduced in its entirety below.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Privacy Statements Not Contracts, say Courts

Two federal District Courts recently ruled that an airline’s online privacy statement does not constitute a contract between the airline and a passenger. In a class action lawsuit against Northwest Airlines, passengers claimed that the airline had breached its online privacy statement by sharing passenger data from its web site with NASA. NASA had conducted a government study on airline security.

A North Dakota federal district court held, “[B]road statements of company policy do not generally give rise to contract claims.” In a similar lawsuit against Northwest Airlines, a Minnesota federal district court also ruled that an online privacy statement does not create a contract. As a result, the passengers could not claim that Northwest had breached a contract with them by allegedly violating its online privacy statement.

A privacy statement is meant to be a disclosure of the company’s privacy policies. Users are not asked to agree to the privacy statement. A web site user and web site owner form a contract when the user agrees to the web site’s terms of use.

Even if not liable for a breach of contract, companies that violate their own privacy statements face potential claims by government agencies like the FTC or similar state agencies for deceptive or misleading practices. They also must answer to federal, state, or foreign governments for failing to comply with privacy laws.

Final FACT Act Rules on Consumer Data Disposal

The Federal Trade Commission and a group of federal financial regulatory agencies have each issued a final rule on the proper disposal of consumer report information, as required by the Fair and Accurate Transactions Act of 2003.

The rules require financial institutions to augment information security efforts to include policies on proper disposal of consumer information. The rules aim to reduce the potential for identity theft by protecting against unauthorized access to or use of consumer information.

The rules take effect in the summer of 2005. Even financial institutions with strong information security programs must follow the new standards on information disposal.

HIPAA Security Rule Compliance

Health care organizations spent significant time and effort preparing for compliance with the HIPAA Privacy Rule by its April, 2003 effective date. They have until next April to comply with the HIPAA Security Rule. The Security Rule requires health care organizations to protect the integrity, confidentiality, and availability of electronic patient information against security threats, improper use and disclosure, and illegitimate access.

The two regulations overlap, and health care organizations that comply with the Privacy Rule have already taken significant steps toward Security Rule compliance. These organizations have already examined carefully their collection, use, and disclosure of patient information and have prepared and implemented policies governing these processes. The Security Rule wraps these privacy processes in a cloak of safeguards.

In deference to constant changes in software and in security threats, the drafters of the Security Rule wisely authorize a flexible approach to compliance. The Rule allows organizations to consider their size, complexity, and capabilities when determining proper compliance. What is reasonable and appropriate for a physician’s office is not reasonable and appropriate for a large hospital.

If your organization had to comply with the HIPAA Privacy Rule, then you must also comply with the HIPAA Security Rule. Fortunately, you have already done much of the Security Rule legwork by complying with the Privacy Rule, and you already have at least some security safeguards.

Spyware Legislation

Spyware has become big news this year because it has wreaked havoc in infecting millions of computers nationwide. Congress and state legislatures have begun to act in response to this threat, but industry observers worry that an overbroad definition of spyware could harm makers and distributors of accepted, legitimate computer software.

What is it? The new term “spyware” can mean several different things:

  • Keystroke logging programs that reveal passwords and credit card numbers as you type them.
  • Adware programs that collect information on your Web surfing.
  • Hijacking programs that take over your Web browser to direct you to a vendor’s products.

Existing laws on electronic communications and computer fraud are of limited use against spyware. As a result, Congress and the states have taken up the anti-spyware cause.

Utah passed the nation’s first anti-spyware law in March of this year. The law bans the installation on an individual’s computer of any "content based triggering mechanism" to display ads that obscure other Web content. A court blocked enforcement of this ground-breaking Utah law while it resolves a challenge that the law restricts interstate commerce and infringes on free speech.

California recently passed comprehensive anti-spyware legislation designed to prevent computer hijacking and collection of personal information. The law also forbids programs that prevent computer owners from blocking spyware installation or that mislead them about uninstalling or disabling the spyware.

In October, the U.S. House of Representatives passed both the SPY Act and the I SPY Act. Both bills prohibit deceptive spyware programs. The SPY Act imposes notice and consent provisions on software vendors. The I SPY Act imposes criminal penalties. The Senate’s SPYBLOCK Act passed out of committee and would forbid the installation of spyware programs without proper notice and consent. Each of these federal bills would preempt state spyware laws.

Ultimately, Congress did not pass any spyware legislation into law in 2004. The authors of both the SPY Act and the I SPY Act have re-introduced or will re-introduce these bills in the House. The SPYBLOCK Act or similar legislation will likely also be introduced in the Senate.

The extent of potential liability from these new and proposed anti-spyware laws is unclear. Software makers and distributors worry that provisions protecting them from liability for using legitimate applications that provide software or anti-virus updates might not prevent zealous regulators or prosecutors from pursuing makers or operators of legitimate software for alleged spyware violations. In addition, businesses or individuals might face legal liability even if they unwittingly send spyware in an otherwise mundane e-mail attachment.

Before a national consensus develops on which types of software and behavior are illegal, those who develop or transmit software programs can prepare for compliance by taking into account any new laws, legislation under consideration, and court or regulatory decisions on alleged spyware law violations.


Peter M. Hazelton, Esq., M.H.A. has assisted corporate clients, both large and small, in complying with applicable U.S., state, and international laws on health care, online, international, and financial privacy and security. He has published articles and lectured nationally and locally on privacy, security, pharmaceutical, and other legal issues.

Mr. Hazelton has a Master of Health Administration degree in addition to his law degree.

Please see his recent articles on HIPAA security, spyware, and online privacy at
You may reach him at (614) 846-6571 x22 or

This Privacy and Security Update is intended to provide information about important legal developments, not legal advice. Readers should consult legal counsel for advice about their specific circumstances.
Note: the article is not covered by the Creative Commons License.
2005 © Mallory & Tsibouris Co., LPA


IT Security - make sure you exercise due care

Computer World article "Fighting Back, Legally":

The trend in law is to hold organizations accountable for their own IT security weaknesses, warns Ben Wright, a Dallas-based attorney specializing in computer crime and a SANS instructor.

This is particularly the case (PDF) with Internet service providers, says Wright. For example, in 2003, a Maine court forced Verizon Communications Inc. to rebate many of its customers for outages experienced during the outbreak of the Slammer worm. Verizon had not "exercised due care" to protect against the Slammer worm, according to the court.

"Due care can be helpful if you can show a court that you did this," he says. "But the fundamental step is to have a written security policy, followed by logs that showed you followed the policy [during the incident]."


Wednesday, January 19, 2005


I can certainly sympathize with the owners of the Bin & Barrel described in the San Jose Mercury News story "Meet your local antiterror agent".

Under federal rules still being fine-tuned, she discovered, the Bin and Barrel -- like thousands of other businesses -- must have a written plan for foiling money-laundering terrorists. It also must have a "compliance officer'' to ensure the plan is heeded, train its employees to spot shady transactions and regularly audit its own performance.

All thanks to the USA Patriot Act, Section 352 (PDF), 31 USC 5318(h):

(h) Anti-Money Laundering Programs.

(1) In general. - In order to guard against money laundering through financial institutions, each financial institution shall establish anti-money laundering programs, including, at a minimum -

(A) the development of internal policies, procedures, and controls;

(B) the designation of a compliance officer;

(C) an ongoing employee training program; and

(D) an independent audit function to test programs.

But, as the story says, "that's not all":

While not widely known, the Bin and Barrel and every other U.S. business must steer clear of people on the government's 192-page list of "specially designated nationals,'' which has more than 5,000 names and is updated frequently. Otherwise, business people could face huge fines and a long stay in prison.


On Sept. 24 of that year, President Bush signed an executive order barring business dealings with anyone on the specially designated list, which includes the names and aliases of suspected terrorists, drug kingpins and their associates. Those failing to comply can be fined $10 million and jailed up to 10 years.

The list of blocked persons is maintained by the U.S. Department of the Treasury's Office of Foreign Assets Control ("OFAC"). Keeping up with the list can be burdensome and costly. The article claims that software to match names against the list can cost between $1,000 and $100,000. And it's not foolproof. Let's hope the license agreement has a good indemnification clause, from the licensee's perspective : )


Public Domain Film

I forgot to include the Prelinger Archives on archive.org in my King post.

Rick Prelinger and The Internet Archive hereby offer these public domain films from Prelinger Archives to all for free downloading and reuse. You are warmly encouraged to download, use and reproduce these films in whole or in part, in any medium or market throughout the world. You are also warmly encouraged to share, exchange, redistribute, transfer and copy these films, and especially encouraged to do so for free. Any derivative works that you produce using these films are yours to perform, publish, reproduce, sell, or distribute in any way you wish without any limitations. Further information on works from Prelinger Archives can be found here. Questions should be directed to Rick Prelinger at Prelinger Archives, PO Box 590622, San Francisco, CA 94159-0622 USA.


Open Source and something called Pandora's Box

The Boston Globe 12/29/04 story: "Business users worry that open-source could mean open season for lawyers." Pay for the article here. International Herald Tribune has the story here for free (at least for now).

The improper use of open-source components, in the worst-case scenario, could subject companies to costly litigation from parties like SCO Group of Lindon, Utah. ... "It's almost like you've got to be a lawyer now to develop software," said Jothy Rosenberg, chief executive and chief technical officer of Service Integrity, who this month ordered a 24-hour scanning of his company's Sift 3.5 software during a "code freeze" before its introduction. "In this day and age, anybody building a commercial piece of software has got to do this. It's like buying insurance on your building."
And here's something to consider:

Some liken it to the Sarbanes-Oxley (PDF) financial reporting requirements that have rattled executives at publicly traded companies. And the problems are related, in that Sarbanes-Oxley requires public companies to value their software and assess their litigation risks.
In that vein, from Wasabi Systems: The Sarbanes-Oxley Act and the GPL (get the PDF version here):
Third, and perhaps most importantly, the executives of American companies in violation of the GPL are themselves in likely violation of the Sarbanes-Oxley Act, which governs the disclosure of information to shareholders and the public. If the CEO of a corporation says that the corporation owns its assets, but that corporation is violating the GPL, that CEO can go to jail.

What's Wasabi Systems' advice? "Buy lots of Insurance."

And here's a Tech News World article "Can Open-Source Software Survive an Audit?"

The open-source advocates have been able to maintain the thousand-monkey argument largely because the opinion was widely held that open-source software benefits from lots of volunteers and is therefore more secure than proprietary closed-source software. But Enron, and particularly Sarbanes-Oxley, has turned this notion on its head with a vengeance. I've been getting e-mail from CIOs that indicates they are increasingly becoming aware that open-source software might not pass any security audits designed to comply with Sarbanes-Oxley.

That is because, in an audit, you have to be able to certify every part of an application. If there is even a chance that someone who has not been properly qualified touched a financial application or the platform on which that application resides, IT will fail the audit. Corporate boards are motivated to take draconian measures when this happens to protect their own assets.


Sun Open Source License

The Open Source Initiative ("OSI") recently approved Sun Microsystems' new Common Development and Distribution License ("CDDL"). OSI is responsible for determining whether licenses meet the terms of its Open Source Definition.

CNet News story here.


Federal Court Ruling Eases Bank Insurance Sales

Article from The National Underwriter Company.

The U.S. District Court in Boston issued a declaratory judgment Wednesday in favor of banks that sought an end to state rules placing various procedural roadblocks that limited the way banks could sell insurance.

The case is Massachusetts Bankers Association, Inc. et al. v. Julianne M. Bowler and Steven L. Antonakes (Case No. 03-11522-RWZ). If you're interested in a copy of the case, e-mail me at alvin dot borromeo at mt-law dot com. MBA press release here (PDF).

In May 2000, the Massachusetts Bankers Association, Inc. ("MBA") requested the opinion of the Office of the Comptroller of the Currency of the United States ("OCC"), the primary regulator of federally chartered banks, whether the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. Sec. 6701, preempted certain provisions of the Massachusetts Consumer Protection Act Relative to the Sale of Insurance by Banks, Mass. Gen. Laws ch 167F, Sec. 2A. On March 18, 2002, the OCC opined that the provisions were preempted by federal law.

MBA challenged "four provisions of Massachusetts law, which they have labeled as the Referral Prohibition, the Referral Fee Prohibition, the Waiting Period Restriction, and the Separation Restriction. The Referral Provision, Mass. Gen. Laws ch. 167F, Sec. 2A(b)(2), allows officers, tellers, and other bank employees who are not licensed insurance agents to refer a bank customer to a licensed insurance agent only when the customer inquires about insurance."

One of the Plaintiffs, Banknorth, N.A., has 360 branches in six northeastern states, including 121 Massachusetts branches. During the first six months of 2003, Banknorth did not refer a single Massachusetts customer to its insurance affiliates. By comparison, the Maine, New Hampshire, and Vermont branches referred 4,200 customers, 2,016 customers, and 1,522 customers, respectively, to their insurance affiliates.

The court said:

The dismal number of referrals is clearly a result of the statutory structural impediments to cross marketing insurance products, which include the requirement that any solicitation attempt must capriciously rely on the customer initiating the inquiry.

The court examined the other provisions as well.

In the end, the court ruled that the GLBA preempts the Massachusetts provisions because they seriously impede the plaintiffs' ability to solicit, cross market, and sell insurance products.


Tuesday, January 18, 2005

Don't use a money transmitter that operates out of his car

According to a story in The Gazette, the Maryland Department of Labor, Licensing & Regulation ("DLLR") warned its residents to use only licensed money transmitters (IRS faq) when sending money to family and friends in other countries.

Legitimate money transmitters must display their Maryland license on the premises and show it to the customer if requested. The department warns residents not to do business with anyone working out of a car, parking lot and apartment or home that does not appear to be a legitimate business.

Here's the list of money transmitters licensed in Ohio. Meanwhile, PayPal is a licensed money transmitter in Maryland and 28 other states.

Download by state or territory a list of registered Money Services Business from FinCEN.


Ciena sues Nortel for patent infringement

From the Baltimore Business Journal:

Ciena Corp. said Tuesday it had filed a patent-infringement suit against Nortel Networks in U.S. District Court.

The suit centers on six patents covering equipment that moves voice and data traffic over long distances and stems from Linthicum-based Ciena's 2002 acquisition of Optical Networks Inc., or ONI, for $400 million.

Press release here.


Payments Presentation

Copyright blamed for killing culture

The Globe and Mail story "How copyright could be killing culture":

As Americans commemorate Martin Luther King Jr. and his legacy today, no television channel will be broadcasting the documentary series Eyes on the Prize. Produced in the 1980s and widely considered the most important encapsulation of the American civil-rights movement on video, the documentary series can no longer be broadcast or sold anywhere.


The makers of the series no longer have permission for the archival footage they previously used of such key events as the historic protest marches or the confrontations with Southern police. Given Eyes on the Prize's tight budget, typical of any documentary, its filmmakers could barely afford the minimum five-year rights for use of the clips. That permission has long since expired, and the $250,000 to $500,000 needed to clear the numerous copyrights involved is proving too expensive.

Research resources on the topic:

Center for Social Media - Untold Stories: Creative Consequences of the Rights Clearance Culture for Documentary Filmmakers.

Duke Law - Framed!! How Law Constructs and Constrains Culture.


Monday, January 17, 2005

It's Ambush Marketing Time

I was driving into work this morning listening to Mike & Mike on 1460 The Fan when I heard a commercial for Beef O'Brady's.

One guy was talking about getting food from Beef's for the "Big Bowl." The second guy feigned ignorance about what the first guy was talking about. The first guy was talking about the Super Bowl.

So what's the fuss? Well, this is the first example of "ambush marketing" I've heard for this year's Super Bowl. Go Pats!

According to BrandChannel.com, ambush marketing "occurs when one brand pays to become an official sponsor of an event (most often athletic) and another competing brand attempts to cleverly connect itself with the event, without paying the sponsorship fee and, more frustratingly, without breaking any laws."

Here's (PDF) a short guideline on the do's and don'ts of "Super Bowl" advertising from Leventhal Senter & Lerman.


EFF FOIA Request

On January 13, the Electronic Frontier Foundation filed a Freedom of Information Act request (PDF) with the Department of Justice to determine whether the FBI is monitoring web browsing without a warrant.

Press Release:

Today the Electronic Frontier Foundation (EFF) filed a Freedom of Information Act (FOIA) request with the FBI and other offices of the US Department of Justice, seeking the release of documents that would reveal whether the government has been using the USA PATRIOT Act (PDF) to spy on Internet users' reading habits without a search warrant.


Friday, January 14, 2005

UPenn and HIPAA Security

The University of Pennsylvania recently announced that it's undertaking "an initiative to ensure that all Schools and Centers that handle health information will be in compliance with the Security Rule of the United States’ Health Insurance Portability and Accountability Act of 1996 (HIPAA) by April 21, 2005. Closely related to the HIPAA Privacy Rule (2003) governing the use and disclosure of individually identifiable health information, the Security Rule is largely, but not exclusively, a technology-oriented rule, intended to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI)."


Blogger Legal Defense

The Media Bloggers Association recently announced "the appointment of Ronald D. Coleman, of the Coleman Law Firm, PC as general counsel. Coleman will build a team of attorneys around the country to provide MBA members with first-line counsel on matters relating to the use of intellectual property, defamation and other issues arising from their weblogging."

Hat tip, Dan Gillmor


Turning Customer Ideas to Innovation

Strategy+Business article on how companies turn customers' big ideas into innovations.

Most successful product innovation requires imaginative insights and incisive action from heroes in the lab and in marketing. Indeed, whether it was wizards in Menlo Park or Xerox PARC who came up with the concepts, the most effective product development and commercialization processes have always been based on a dynamic and complex exchange of ideas and interests among engineers, marketing experts, and, most importantly, the end-consumer.

Booz Allen Hamilton and the Wharton School of the University of Pennsylvania, product innovation experts cited in the Strategy+Business article, list five levers to "discovering customer insights about products, and then incorporating those insights into product development":

  1. Employees Use the Product
  2. Successful Innovators Conduct Vigorous Market Research of Customer Needs
  3. The Engineers Stay Close to the Market
  4. Companies Perform R&D Around the World
  5. Innovative Companies Seek Understanding of Customer Behavior and Motivations


Thursday, January 13, 2005

Query Letters I Love

There's this blog called Query Letters I Love that reprints excerpts of unsolicited (?) query letters to an anonymous movie executive. Rather than print query letters from blockbuster hits, the letters are for arguably bad movie plots, such as movies for evil midgets, varsity demon cheerleaders, and my personal favorite, Zombie Lawyers.

In between laughing at some of the ridiculous plot lines, I did have a serious thought as to the liability this guy has for posting the query letters. Perhaps the writer could claim copyright infringement or breach of contract/confidentiality. Maybe the writer will send Google's copyright agent (PDF) a DMCA takedown request (interestingly Blogger has not designated a copyright agent with the US Copyright Office). Hopefully, the writer will take the author of the blog's advice: "if one of these is your query, have a sense of humor, will ya? You're gonna need it in this town."

UPDATE 1/19/2005: Chilling Effects has a bunch of cease and desist/DMCA letters written to Google for Blogger posts.


Google Gmail Gaffe

CNet News article: Gmail glitch yields access to messages:

Two hackers announced that they "found that an improperly formatted address allowed Gmail users to retrieve the message body of the last HTML-formatted e-mail processed by the server."

Google acknowledged the problem and fixed it.

The problem certainly raises privacy concerns for both Google and Gmail users.


Wednesday, January 12, 2005

PricewaterhouseCoopers faces HUGE fine, claimed trade secrets revealed

The Cleveland Plain Dealer reports that PricewaterhouseCoopers LLP could be fined $345 Million because it stalled and mishandled the production of documents in two lawsuits.

The cases [Hayman, et al v. PricewaterhouseCoopers, Case No. 1:01-CV-1078 (N.D. Ohio)] in U.S. District Court in Cleveland stem from Pricewaterhouse's relationship with Telxon Corp., a troubled maker of hand-held computers and bar-code scanners.

While the fine is newsworthy by itself, it looks like the court is releasing information that PWC claims to be their trade secret.

Magistrate Patricia Hemann's recommendation isn't new. She issued her report in July, but Pricewaterhouse persuaded the court to keep it under seal, arguing it revealed trade secrets about the firm.

Judge Kathleen O'Malley, who will make the final ruling in the cases, disagreed with Pricewaterhouse and put Hemann's report back on the public docket on Tuesday. O'Malley can adopt the recommendations in whole or in part or can come to her own conclusions.


At one point, Pricewaterhouse said it had produced more than 55,000 documents, along with indexes, to comply with Telxon's requests. The firm initially balked at handing over its electronic databases because it said they contained trade secrets.

You would think that PWC's competitors are scurrying over to Pacer to download the report. It's document No. 204 from the docket sheet.


FTC Sues Adult Spammers

From a January 11, 2005 press release (see the complaint):

The Federal Trade Commission has charged a network of corporations and individuals with using spam to sell access to online pornography. The FTC alleges that the defendants, acting as a single business enterprise, barraged consumers with e-mails containing sexually-explicit content without the required warning label. Four of the individual defendants controlled a network of corporations that own and operate the Web sites, payment systems, and servers used to distribute and to sell sexually-explicit content. The network also marketed its sexually-explicit content through an affiliate program that pays commissions to third parties who drive traffic to the network’s Web sites. Through this operation, the FTC alleges that the defendants violated the Adult Labeling Rule, the CAN-SPAM Act, and the FTC Act. A federal district court has issued a temporary restraining order (TRO) against the defendants. The TRO prohibits defendants from engaging in the deceptive practices and freezes the defendants’ assets, pending a preliminary hearing.


Will Bush File a Brief?

The Wall Street Journal has an opinion (paid subscription required) speculating whether the Bush administration will file a brief in an upcoming US Supreme Court case concerning eminent domain, Kelo v. New London. "The Kelo case, which is scheduled to be argued before the Supreme Court on February 22, also involves developer-driven encroachment. A Connecticut developer in cahoots with local officials and Pfizer is seeking to raze more than a dozen homes and small businesses."

It seems that the Bush administration is considering filing a brief against the property owners. This would seem to go against his campaign promise of building "an ownership society, because ownership brings security, and dignity, and independence."

The National Taxpayer's Union urges the administration to protect Americans' property rights.


Saturday, January 08, 2005

Equal Opportunity Infringer

It appears that the copyright infringement problems in Taiwan and China are not limited to the US entertainment industry. The Korea Times reports on the copyright problems Korean entertainment companies face in Taiwan and China.

One strategy, by boy band Shinhwa, is to focus their music and promotional efforts in Japan, rather than Taiwan or China. Japan is perceived to have less of an infringement problem.

Another strategy, by SM Entertainment, is to work with entertainment companies based in Taiwan and China and to encourage people to buy authentic products.


Blue Dog artist sues for copyright infringement

"Blue Dog" artist and creator George Rodrigue sued Dolores Putman, the owner of the Bergen-Putman Gallery; artist Darryl Dean, who has incorporated a blue dog into his own work; and a second, as yet unidentified artist, for copyright infringement. Story here from The Times-Picayune.

At issue are paintings and white T-shirts that feature the image of a blue dog lounging inside a martini glass, all sold recently at Putman's gallery, which is down the block from Rodrigue's Royal Street studio.

The lawsuit, filed Dec. 17 in U.S. District Court, says that Putman and the two artists infringed on Rodrigue's copyright by peddling the items featuring images "similar or virtually identical" to his Blue Dog, a yellow-eyed canine image that Rodrigue created 20 years ago.

Rodrigue is represented by New Orleans attorney Kyle Schonekas of Schonekas, Winsberg, Evans & McGoey, L.L.C.


Friday, January 07, 2005

Copyright, Tsunami and Video Blogs

The Wall Street Journal has a story about the rising popularity of Video Blogs (paid subscription required). It also illustrates the culture (and acceptability?) of the Internet in taking clips from others and posting it on your own blog.
Bloggers don't charge for access, but they haven't been paying for copyrighted footage, either. And bloggers seldom ask each other for permission. "The law really hasn't caught up," says Mr. Golson. "The rule of thumb is you can take stuff as long as you say where you got it from," and as long as you don't sell it, he adds.

Rule of Thumb? I'm not advocating a slew of copyright suits, but I don't think all copyright holders would find this rule of thumb acceptable.

However, the Rule of Thumb worked out for Mr. Tommy Lorensten from Sweden. He was the one that shot the compelling video of the tsunami hitting Phuket where an elderly couple was overcome by a wave and where the spot Mr. Lorensten was once standing was suddenly 3-4 feet under water. Mr. Golson has the clip here.

After widespread circulation on the Internet, the rights to Mr. Lorensten's video were sold to CNN, ABC News and others for a reported total of $20,000.00. Although, I'm not certain whether Mr. Lorensten saw any of that money, because the WSJ article seemed to imply that the rights were sold by Norway's Dagbladet newspaper. In that case, Mr. Lorensten might have a legitimate beef.

Hat tip, Kevin Heller.


Thursday, January 06, 2005

Electronic Sources of Information

Marian Dworaczek from the University of Saskatchewan Library recently updated her Subject Index to Literature on Electronic Sources of Information and the accompanying Electronic Sources of Information: A Bibliography. Both sources "deal with all aspects of electronic publishing and include print and non-print materials, periodical articles, monographs and individual chapters in collected works" and are updated continuously.