Saturday, December 30, 2006

Last Chance for Hotel in Little Rock!

Don't forget that the hotel block is officially out of reach after January 1 2007, so if you are reading this prior to that date, get on over to here!

(Note that I say "officially" -- Our members have a long history of sweet-talking hotels into extending the official time windows. However, your mileage may vary, no warranties express or implied, use at your own risk, and we'll leave the lights on (in case you get stuck at the Motel 6).)

(NOTE FROM THE OTHER SIDE OF TIME: It's now January 3. Anybody who gets a favorable response from the hotel regarding 'late' reservations, could you please file a comment below for all of us to see? Thanks!)

If you have not yet registered for the meeting, but sure to head now to the meeting's home page.

Access to Source Code Denied

In a recent case in Talahassee, Florida, a local judge ruled that a candidate who lost by only 369 votes can't get access to the source code for the voting machines to test out her theory that flaws in the software resulted in underreporting of votes for her. According to the news report, the court held that the candidates conjecture regarding the supposed flaws was not sufficient to trump the trade secret rights of the company that provided the voting machines.

If I find a copy of the judge's actual opinion, I'll post it as a follow up.

Consider whether this type of thinking will prevail in a contract dispute where one party seeks access to "black box" components of a system that underlie a disputed online transaction.

Friday, December 22, 2006

Even Criminals Should be Careful about Authentication

Here in Cyberspace-law-land, we've long been noting that lack of a true purely electronic method authentication is the big thing that prevents e-commerce from making the leap into the big time. (Yes, you can buy plenty of books online, but nobody has been willing to sell you a house on a transaction that is totally end-to-end online -- You still need to see somebody offline.) There is still some risk that the person you are dealing with is not who they claim to be. If one is vending a low-cost items like books, maybe the risk is sufferable. If one has backup from another independent system like a credit card system, maybe the risk is mitigated. But, if one is doing high-value transactions with a purely electronic communication, from start to finish, authentication is still a serious isue.

Well, it seems you can't even solicit somebody to do a crime without running into potential authentication problems. On an e-mail exchange posted on the site, a couple of guys apparently answered a widely disseminated request from somebody who was allegedly soliciting for someone to engage in potentially criminal enterprises (i.e., entering without authority into the systems of the solicitor's alma mater to change his Grade Point Average). The guys who took up the call were spoofing the solicitor -- let's just say that hilarity ensued. (It almost reminded me of the elaborate e-mail chains the infamous Nigerian spammers would start once they might have started to reel in a victim...)

To put it mildly, when you get to the part where the spoofers ask the solicitor for pictures of the pigeons on his college campus to prove that he's not an FBI agent, you will probably be spitting your lunch all over the table. (Aim away from the computer screen when you do that. Trust me on that one.)

Notes --
  1. All people are innocent before the law until found guilty -- Even on this blog.
  2. There is a background story on this that involves U.S. politics -- Many of you might have already gotten wind of this story because of that aspect. This blog has no dog in that hunt... We're all about the cyberspace part.
  3. If you do go to the actual e-mail exchange posted at, it contains a few choice words that most of us would not want to say out loud in front of our grandmothers. Press the link at your own risk. There's a less naughty-word laden report on the story here if you wish. And, props to Talking Point Memo for originally pointing out the story to me.

ANYWAY -- I hope each of you has a happy holiday season, and we look forward to seeing many of our readers at upcoming Cyberspace Law Committee events during 2007!

Thursday, December 14, 2006

Ken Adams on Web Searching for Contracts

Ken Adams, proprietor of the always interesting AdamsDrafting blog and author of the best-selling ABA book A Manual of Style for Contract Drafting, had a post this morning on his blog regarding the use of EDGAR as a research tool to look at old contracts that had been filed as part of SEC filings. The Cyberspace hook for us today is the commentary on how there is a proprietary Web-based service out there that will help one to index the old contracts and find ones that might be of interest. Ken's sense is that there are many other ways to use the Web to access the same information (for example, the use of Lexis and/or Westlaw to search EDGAR filings that are under Exhibit 10). Ken also notes his skepticism on the quality of the work one might find in SEC filings -- I'll let you go read the particular choice phrase he applied to the contracts on EDGAR (this is a family blog after all...).

My only other thing to add is that in my particular practice, involving a great deal of day-to-day contracting for technology licensing and purchasing, the times I've been able to find useful work on EDGAR is almost too small to count. The EDGAR system is potentially useful if one is interested in contracts that publicly-held companies might do that rise to a certain level of materiality--Software licenses rarely fall into that bucket for either the licensor or the licensee. I've no doubt that there are exceptions to that, but combined with the fact that I think any of us who read this blog are more than capable of running rings around what we might find on EDGAR, my suggestion is to stick to our own form libraries and use our own inherent skills rather than relying on some other person's randomly-selected work.

ASIDE: The other Cyberspace angle -- Ken Adams will be joining a panel of lawyers from this Committee at the ABA Business Section's Spring Meeting this March in Washington DC. The pre-meeting CLE programs put on for the Section's Young Lawyer Forum are fantastic, and that's not just because I will be speaking for one of them! We hope to see you there.

Tuesday, December 05, 2006

Remotely Eavesdropping on Cell Phone Microphones

A cellular telephone can be turned into a microphone and transmitter for the purpose of listening to conversations in the vicinity of the phone.

read more | digg story


I can’t get paranoid about this one. It seems to me that if the bug is obtained through the auspices of a proper (4th Amendment compliant, probable cause, yadda yadda yadda) court order, it’s not all that different than any other form of bug. We can be paranoid about the cops and courts as a general rule (and should be…), but the means they use to exercise their court orders is not all that much more scary.

I couldn’t tell (and CNET obviously can’t from what I read) if the bug is one that directly transmits a signal to a receiver operated by the police, or if it transmits something via the cell network. Legally it should not be all that much different if there's been a proper court order, although you’d have to rope in the cell provider if the latter.

Technically it is interesting in that the only radio that should be in your typical cell phone is the radio that transmits to the cell network. (Blue tooth, found in an increasing number of handsets is, of course, a wild card in all of this – Let’s set that one aside for the moment though.) If we’ve got the bug set up as a purely software bug that infects the phone and has it transmitting what’s passing through the microphone over some sort of ‘radio’ then it must be going over the cell-transmission radio – And, that seems difficult to conceive other than something that would require the cooperation of the cell phone provider, since operating that radio without interacting with the cell network would be something I cannot believe would be an ‘off-the-shelf’ capability of the phone handset. If that’s the case then I’m less concerned again about non-legal hackers because it seems hard to believe that the cell networks would volunteer to allow a hacker to use the network! (It also suggests that this technique shouldn’t work against somebody sitting on an airplane, unless the FBI is suggesting that the FAA’s prohibition on cell phone use is not really a safety concern for all on the plane...)

If, as the BBC article mentioned in the CNET article linked above suggests, the cell network radio is hacked, via some kind of Malware that is sent electronically to the victim’s phone, to stay in transmit mode even where the phone seems to be turned off (or the radio has been turned off, as I can supposedly do with my BlackBerry), and even if ‘intelligence agencies’ can find ways of intercepting that signal and decode it, that would still require the spy to have physical proximity to the victim at all times (presuming the cell network isn't being used), and I find that all rather implausible as a useful source of data unless the spy is investing a LOT of money in this victim (and, if they have that much money to invest, they’d find some other way than this exploit to get what they want). We’re not going to see hackers using this tactic for random crap they might want to listen to while your talking to your best friend at the local coffee shop. (And, the cell providers would quickly come up with anti-spyware tactics for their phones if the exploit got out beyond this nefarious ‘intelligence community,’ so any win by a hacker would be short-lived at best.)

Apart from the radio that is used for purposes of the cell network, the only other ‘radio’ in a typical cell phone (off the shelf) is the Bluetooth. That might be an interesting hack (and the subject of multiple discussions already). Still, it seems hard to believe that there would be a hack that might alter the phone to NOT turn off the Bluetooth (and/or the phone itself) when I thought I’d turned it off – There would be a hell of a lot of software necessary to do that, and it would be so handset specific that, again, the investment for any one particular victim would prevent the odd private citizen hacker from taking advantage of it – We don’t have the single-source problem for cell phone operating software that we have for PCs. (I do work for that industry, and actually work on licenses for cell phone operating system software, so I speak from knowledge in that regard.) Also, since the off-the-shelf Bluetooth system in my phone does not use the microphone on the phone handset itself, but rather the microphone in my earset, it would require an even more incredible hack to get the handset to use the Bluetooth transmitter for such a non-standard function as to transmit the sounds on the microphone to a surreptitious Bluetooth listener, and to do so while also allowing the spy to circumvent whatever encryption is on the Bluetooth transmitter, and probably to do so as well while still allowing the Bluetooth transmitter to be used simultaneously for its intended purposes since otherwise one would tip off the victim of the bug. Finally, Bluetooth is even more susceptible to the need to be proximate to the victim -- That radio will reliably transmit only a few hundred feed through clean space. Again, it might be plausible for the 'intelligence community' to invest in human resources to follow somebody around who is a high-value target, but that target would be gotten one way or the other if somebody was really interested, that target would probably know well enough to take out the battery of his phone, and the rest of us are perfectly safe from the pimple-faced script kiddie.

Finally, if all that’s involved in the above is a physical bug snuck into the cell phone itself, then those paranoid executives who remove their batteries are missing the boat. And, pimple-faced kids sitting in coffee shops are still at a loss when it comes to physical invasions of people’s personal property (or I’m not all that worried about the few who would try such a thing). Regardless, the addition of using a cell phone (as opposed to slipping a bug into the back of my jacket collar) to the mix doesn’t change anything where you’ve got somebody who’s willing to commit a criminal breach of my personal effects in order to plant his bug.

In other words – I’m kind of skeptical about all of this.

But, it all leads to finding stuff on the BBC article cited by CNET, such as this actual living example of a Cone of Silence. Where’s Maxwell Smart when you need him? (If you read the BBC article, it really seems poorly thought out – For example, they find ‘experts’ who claim that a physical bug wouldn’t work since the battery would wear out, but who’s to say the bug wouldn’t be set up to use the cell phone’s own battery (duh…). And, I did check the dateline of the article – It’s not April 1, but maybe it should have been.)

Monday, November 27, 2006

Cyberspace Law: We're More than Just Website Advisors!

From today's WSJ Law Blog, on the pending changes to the Federal Rules of Civil Procedure regarding electronic evidence:

Alvin Lindsay, a partner with Hogan & Hartson, laid out for the WSJ the implications of the new rules. “Lawyers will now have to know about their clients’ computer architecture: How do they store their data? How do their computer systems operate? This is not something they teach in law school.”

Full posting here.

Gosh -- Doesn't that sound like what the Cyberspace Committee has been teaching its members since, oh, let's see--ABOUT A DECADE?

Folks from this committee who are in private practice: If you have not already made your presence and depth of knowledge known to your own firm's litigators, you are missing a great opportunity. This is one of the better 'convergence' moments in our history, so go take advantage of it!

Wednesday, November 08, 2006

News News News

November 8, 2006 -- A busy day in the news. Not that election thing silly -- In Cyberspace news!

I had a small start when reading a squib in the BNA eCommerce Reporter this morning, which discussed a New York federal trial court decision which proclaimed that a Web site is not interactive for personal jurisdiction purposes if the interactivity is merely through password-protected activity. Whoa! I thought, since that would be a major change to the Zippo standards if it were followed. However, careful reading of the squib (as opposed to just the headline...) reveals that the New York case was one regarding general jurisdiction. As any of us who walk these cyberlaw halls knows, Zippo was a specific jurisdiction case. The law as we knew it has not changed. Cite is to C.B.C. Wood Products Inc. v. LMD Integrated Logistics Serv. Inc., E.D.N.Y., No. 06-2673, 10/7/06. {Note: For those of you who aren't lawyers and have no idea what the difference is between specific versus general jurisdiction -- Well, not to be elitist on you, but that's one of those ones I couldn't begin to explain in a sentence, particularly since you need a good grounding on the concept of 'personal jurisdiction' in the first place. You can try this outline from a law school professor on the concept if you want, or this Wikipedia article. And, if you want a cyberspace law angle, read this article by another law professor.}

The Supreme Court of Kansas has taken a look at shrink-wrap licenses, and has dealt a blow against them. In Wachter Mgmt. Co. v. Dexter & Chaney Inc., Kan., No. 95,102, 10/27/06, the court looked at a software transaction that was initially done through a paper purchase order between the parties, and then was followed by the unwrapping of a shrink-wrap license by the software user. When the user ultimately decided to claim a problem, and brought a claim in his local court in Kansas, the software developer pointed to its shrink-wrap license and the venue clause therein. Most of us might have presumed that this would ultimately have favored the developer -- But, the Kansas court revived the thinking of Step-Saver Data Sys. v. Wyse Tech. Inc., 939 F. 2d 91 (3d Cir. 1991). In Step-Saver, the shrink-wrap was ignored on the basis of its being 'a proposal for additional terms' under the UCC, and hence rejectable by the other party. The court in Kansas felt that this was the case here, and refused to enforce the shrink-wrap license. (One should note that the case was a 4-3 decision, and the dissent was clearly bothered with the revival of Step-Saver.) All that said, and whether you agree with one side or the other, this leads to a PRACTICE NOTE: When counseling clients who are using the paper followed by shrink-wrap process, advise them to have an unequivocal statement in the paper that the transaction is subject to the shrink-wrap (or click-wrap, or whatever...) terms that will follow. The Kansas court seems to suggest that this would have avoided the problem, and there is no harm in adding such statements to one's paper contracts, particularly since most of our clients will still like to hold out the possibility of doing business in Kansas!

Finally, an idea that many have bounced around has been endorsed in a U.S. District Court -- Is the transfer of a domain name from one party to another an event that should be treated as a new 'registration' by the recipient? Recall that both the Anti-Cybersquatting Protection Act and the ICANN Uniform Domain Name Dispute Resolution Policy provide that the defendant's actions in registering the domain are important to the case. In many cases, the original registration of the domain was years in the past, and may have actually been done by somebody in good faith or the facts are hard to prove from that ancient time. But, one might have easy facts to show that the subsequent registrant took and uses the domain in bad faith. Some of us wondered if we could simply look to the most recent registrant for our analysis.

In Christensen Firm v. Chameleon Data Corp., W.D. Wash., No. C06-337Z, 11/1/06, the court agreed under the ACPA that each act of transfer was a new 'registration' for the purposes of ACPA analysis. Thus, one need not trace the progeny of a domain back through to the first party that registered it, but only to the most recent (i.e., the one the complaint is all about). Although this is an ACPA case, the logic would seem to apply equally to a UDRP analysis, and one might at least cite this as persuasive evidence on point.

[If anybody with more time than I have wants to find public links to any of those opinions, please let me know and I shall post them. The ones I have are through a password-protected site, so they are not of much use to the rest of the world. UPDATE: I found a free link to the Wachter Mgmt case out of Kansas. Still looking for the other two...]

Wednesday, November 01, 2006

Internet Governance Forum -- Our session

David Satola reports that the session at the IGF entitled 'Legal Aspects' was a big success and well attended. Kristine Dorrain suggested that interest was high amongst the panel as well as the audience and felt it could have gone on easily for another hour. Theoretically the session was recorded (audio) and will be posted on-line, but I have not found a link to such yet.

David sent over a couple of photographs from the session -- Kristine also has some and will send them along when she can.

Monday, October 30, 2006

Live Feeds from the Internet Governance Forum

Although time zone issues will probably impede many of us on this side of the world from participating live, this site:

is open for business and allows one to monitor the Internet Governance Forum taking place in Greece right now. If you register, you can monitor live feeds, read and participate in chats, and all that other good Web 2.0 stuff.

The Internet Governance Forum is the continuing discussion that arose out of the meeting in Tunisia last year, which itself was part of the World Summit on the Information Society (WSIS) set up by the UN and the ITU. Many of our members have worked to understand the original mandate of the WSIS and its ongoing efforts through IGF.

Remember, our own members David Satola and Kristine Dorrain are live and on the ground at the Athens meeting, and will be presenting to the crowd on legal issues this coming Wednesday at 9:30 AM Athens time (which is, unfortunately, about 1:30 in the morning my own time, so I regret that I'll have to read about it in the papers the next day).

UPDATE: Dave Satola reports to me that all is going well at the Summit. Still, there are some troubles to be had apparently... United Nations "Internet" Summit held sans internet

Wednesday, October 18, 2006

Open Source Continues to Come of Age

cNet notes that "OpenLogic, a provider of open-source software for enterprises, is offering indemnification against legal action for companies using its code." The company does note that its indemnity no longer applies if the indemnitee has modified the code in the OpenLogic code. And, the operating system used (e.g., Linux) is not covered by the OpenLogic indemnity (although there may be policies available from insurers, such as Lloyds, to cover that). So, the end user still has some degree of patching together risk-allocation tools in order to create a reasonably protected system.

Still, the days when lawyers in the know should just instantly panic when they hear about OS in their clients' houses should be deemed as officially over. Our own committee's members recently presented a very well-received program on how to assess open source as a risk during a corporate merger transaction -- materials available here (ABA Business Law Section members only).

Like everything else we do, there is still plenty of work to do to make sure the hatches are battened down. However, the coming of age of the OS industry means that the lawyers can start to add value by pointing out the risk management tools their clients can use, and help them to negotiate or assess actual risk versus falling into abject panic.

Saturday, October 07, 2006

Wendy's Blog: Legal Tags: Coming Soon: Kitten with a EULA?

The title of Wendy's blog post (quoted above in this posting's own title) gets it slightly wrong. They don't require you to sign a "license agreement," but they do require that you agree to a rather lengthy contract before they'll allow you to purchase their specially bred hypoallergenic cat. The contract contains a rather broad indemnity clause, a restriction that you not let the cat wander outside or suffer a waiver of any warranties, restrictions on further sale, etc. They also claim patent rights in the cats. Whew.

Thursday, September 14, 2006

Software Doesn't Need to be Perfect?

The company that makes the self-balancing Segway scooters (the two-wheeler for people) announced on September 14 that it is recalling all 23,500 of the units it has shipped to date "because of a software glitch that can make its wheels unexpectedly reverse direction, causing riders to fall off."

As discussed in prior posts, we have come to expect a lesser standard of care in the provision of software -- The sort of thing that we would never find acceptable in other areas such as how our airplanes work. Maybe this story reminds us that those two concepts are more or less impossible to sever in practice, since there are all too many physical products that may potentially injure us that are dependent themselves on software.

That much was probably obvious already to anybody who can reach this blog. What it should also suggest to those of us practicing in cyberspace is that our willingness to let our deals go forward where the software providers to a larger project are held to a lower standard than the provider of the project as a whole. If the software provider for a car's computer suggests that it cannot take liability for what might go wrong with the car, then what is the car manufacturer to do that needs that software? Should it decide that it cannot afford the cost of the vendor's sure-thing software guaranty? Should it decide that it must ultimately bring the project in-house because it can't afford to allow quality control to lie in a third-party who is not willing to be on the hook? Should it calculate the risk of a problem and insure against it rather than try to avoid fixing the problem?

These are often seemingly irresolveable problems for buyers and sellers, although that may be a reflection of the consumer willingness to pay for safety versus whether or not it can be done. That said, understanding these issues and now to describe and negotiate them are what our subset of the profession can offer to the move the debate beyond what today is often simply a battle of wills.

Wednesday, September 06, 2006

You Might Want to Look it up Before You Go to Court

In an interesting little case at the 8th Circuit involving the intersection between 'computer program' and 'data' and the application of the Computer Software Rental Amendments Act of 1990, the court took pains to suggest that the lawyer arguing the case at District Court for the (alleged...) copyright holder did not even understand a fundamental concept in the world of copyright registration:

Indeed, the term source code is nowhere to be found in Action Tapes’ pleadings and motion papers, and at the summary judgment motion argument counsel did not know the meaning of that term.

Oops. I would not want to presume anything about whomever was arguing the case, since it may have been a last minute substitution. But, there was obviously a mishandling of the registration of the copyright (and, maybe I need to reconsider my rule-of-thumb that lawyers are rarely needed in actual registration practice for copyright). It clearly is a lesson for the rest of us -- These technicalities are important but oft-times relegated to the last minute if at all.

Although the case ended up turning on a technicality (failure to register the copyright prior to litigation), the court did offer some thoughts on the underlying theories suggesting that it would have likely decided the case against the copyright holder in any event. The case involved a company that made programs that controlled sewing machines making patterns. The program uses memory cards that contained the instructions for the pattern that was being sewed. A retailer made a habit of lending out memory cards to her customers (although unstated in the opinion, I presume that the computer program itself was not lent out, just the memory cards with the instructions).

The copyright holder sued, claiming that the lending out of the memory cards was an infringement based on the Rental Act's prohibition on lending out copies of 'computer programs' (a specific statutory exemption from the first sale doctrine). The defendant argued that the memory cards did not comprise a 'computer program,' and therefore were still subject to the plain old First Sale Doctrine rules (which allow one to lend, rent or otherwise dispose of a particular authorized copy of a work once it has first been sold under the authority of the copyright holder). The District Court agreed and granted summary judgment on that basis. The 8th Circuit did not reach the question since it noted that the registration used by the plaintiff was not properly done for a 'computer program,' which, among other things, requires that the source code for the program be filed with the registration (which had not been done) -- Thus, deciding the case on the ground that the plaintiff had no case because it "failed to prove it applied for registration of the computer program copyrights before commencing this infringement suit." The plaintiff tried to duck the problem by noting that it still held a valid copyright in the visual design, and again the court noted that even if that were true the exemption from the first sale doctrine only applies to computer programs and not to visual designs.

Although our group focuses on our 'cyberspace' commonality, many of us are frequently brought in for intellectual property concerns, and particularly where computer programs or the like are involved. Or, rather -- We should be brought in. Yet another reason to seek out attorneys who have the knowledge and background to know what Source Code might be...

Tuesday, September 05, 2006

U.S. District Court Takes Judicial Notice that Computer Services Stink

OK -- They never quite said it that way. But, how else can a cynic like me interpret this quote?

Although issues may have arisen as to the services provided, there is no plain, clear language in the Service Agreement requiring NBS to implement a system free of bugs without opportunity to remedy technical problems. Reading this type of requirement into any contract involving computers or software would render virtually every provider of computer services or software in breach of their contracts.

That might seem to make sense at first blush, but how much is that true just because we've become so used to it? Try substituting "airplane passenger service" in place of 'computers and software' in that last sentence -- No court would ever say such a thing. Why is such an important sector of our economy still working under a lax standard of care after many decades of opportunity to standardize systems and interconnections (usually the first excuses given for why a new IT widget won't work in anybody's environment)? (Note that the provider was quick to resort to the courts to enforce it's side of the bargain...)

The decision out of the USDC for Minnesota can be read here.

Monday, August 07, 2006

And so the Sun Sets on the Hawaii Annual Meeting

Many thanks to the great number of people who contributed to a great Annual Meeting here in Honolulu -- Members of the committee, members from the rest of the Section and Association, and colleagues from all over the globe.

Hawaii has been quite hospitable to each of us, and many of us have stated our hope to return in the future. Many are packing up today, many more tomorrow (Tuesday), and a few lucky ones are staying on for the rest of the week.

As we all knew, fewer of us could make it to this meeting as we would normally hope to see at an ABA Annual. Because of that, we are especially hoping that many of our friends will be joining us at the next gathering of Cyberspace Committee members in Little Rock, Arkansas this coming January. We are just on the verge of signing our hotel contracts and getting set up for this event, so please keep your travel plans open for the 26th and 27th of January, 2007. Member and Chair of the Malware Working Group Elizabeth Bowles is looking forward to greeting us all to her lovely home town, as well as to introduce us to her soon-to-be new family member (currently baking in the oven as they say).

And, stay tuned to the Blog in the meantime, since we will try to keep you apprised of Committee goings-on as well as the occasional piece of snarky commentary from your editors.

Aloha. And, hang loose cousins.

Final CLC Program of the Meeting

The last of the programs co-sponsored by CLC was held this morning -- "You Had a Security Breach, What Do You Have to Do and What Happens Next?," which was presented by the Consumer Financial Services Committee and co-sponsored by Cyberspace and the Committee on Banking Law. Our own Bob Ledig, seated on the right of the podium area, helped to prepare the panel of experts.

Two representatives from the government enforcement branches (neither of whom, as we all know all too well, was speaking on behalf of either or their respective government entities) helped lay the groundwork for the enforcement authority as well as developing laws in the 'notification of breach' arena (now known as NOB amongst those in the know). A forensic expert took us through many of the preparations that a business should be doing in advance of a problem as well as once the breach has occurred. Finally, an attorney who practices in defending companies who are being sued after a breach has occurred spoke (reminding us that not many of these cases have succeeded as of yet, frequently on the basis that the harm has not come into actuality).

Paper materials ran out early, but Business Section members can download their own copy here. Julie Brill's materials, which provide a great summary, among other things, of the current NOB laws, were updated after the publication date for the CLE materials -- I will be posting a copy of an updated version of those materials here once I receive it.

When will we have the first virtual scalpers?

Apropos our recent discussion of virtual gaming world economies, Boing Boing points out that 80s musical icons Duran Duran have taken a long-term gig playing within the virtual world of the multi-player game Second Life. I don't know who the opening act is yet.


Sunday, August 06, 2006

Business Meeting of the Committee

Candace opened the second of our two plenary sessions for the CLC in Hawaii -- This one, unlike yesterday which was intended to be our 'substantive' discussion, was intended for committee business.

Rae Cogar and Tim Chorvat discussed their ongoing projects for the Electronic Evidence Working Group. They wish to develop a few short articles for BLT followed by a program for one of our future ABA meetings. Candace suggested that what we need to is find the angle for business lawyers, since otherwise we will be (a) taking on more than we as a committee could chew, and (b) our expertise is not as litigators but rather as business advisors.

(Editor's note: Many lamented that management is not willing to engage in these issues, assuming that this is a lawyer's, and more particularly a litigator's, problem. What gets business managers' attention? If something will cost them money. Remember that system auditing controls were a non-issue until Sarbox came along, and consumer privacy issues were a minor issue for senior managers until the PCI standards came along threatening a merchant's ability to access credit card systems. As the new Federal Rules of Civil Procedure roll out in the next few months, which will be addressing deep-level electronic data concerns in discovery, management will eventually realize this is a bottom line issue. We best be ready to advise once that happens.)

Vince Polley raised the possibility of a project to advise primarily in-house attorneys regarding their companyies' receipt of a National Security Letter from the U.S. government (as provided in the USA-Patriot Act). This proposal would be jointly operated with other ABA constituencies such as the ABA Standing Committee on Law and National Security and the BLS Committee on Banking Law, each of which have indicated interest in working with the Cyberspace Committee. A lively discussion followed, with a few war stories and the like. For the moment, Michael Power and Peter McLaughlin in the Privacy Subcommittee will take the lead on organizing a project, although we will still be thinking about whether this is best in a particular subcommittee or organizing a task force, and maybe even setting up the task force as joint with other ABA groups. -- Stay tuned, but there was clearly a topic of great interest to this group.

Judie Rinearson opened up discussion of her sub-committee's work on how anti-money laundering laws (AML) will impact stored payment systems. Again, we pointed out that we should be looking to collaborate with other groups, such as Consumer Financial Services. Judy heard from others who offered help.

Candace announced that the upcoming Winter Working Meeting will be held in Little Rock, Arkansas. ABA is about to sign a contract with the Doubletree Inn in downtown. We will be pushing committee leadership to plan well ahead. Note that because the Spring Meeting in DC will be March 15-18, which is earlier than usual, we may well be too late at the WWM to prepare materials for Spring. (Unfortunately, we don't have hard deadlines yet, so this is surmise for the moment.)

Candace asked folks who participated in the prior day's CLC meeting, which was the "Un-Conference" format for setting up substantive discussions around the round table. All who were there yesterday thought it was a great exercise. One comment was that the size of the audience was probably important to how it worked, and that a typical full-sized CLC meeting would probably be too large for the format to work.

Candace mentioned the committee is being asked to provide a beta-testing group for the upcoming replacement of the ABA's listserve system (using the Fusetalk platform). A couple of the subcommittees volunteered to be guinea pigs. We will be learning more about the system in coming weeks.

Vince and Juliet Moringiello both mentioned that they are on the publications board for Business Law Today. They mentioned that cyberspace topics are much desired for that publication. We could provide the full-sized article of about 3000 words in the BLT format of chatty (no footnotes!), and there is now a smaller format of about 600 words that allows for very fast turnaround.

Program Two -- Transacting Business Over the Internet in the Asia-Pacific Rim

The primary program of the Committee opened at 7 AM Sunday morning -- Amazingly to a nice-sized crowd.

In the picture to the left: Scott Bain, Christina Kunz, Sajai Singh, Shivpriva Nanda, Martin Hsia, Nick Abrahams and Judith Rinearson

The program was set up with a hypothetical involving a new media company, doing business in the United States, which is delivering electronic products via the Internet to customers. As it is expanding business, it is reaching more customers in the Asia-Pacific Rim area, and is now seeking legal advice on what new issues come up. (For ABA Business Section members, a full description of the hypothetical as well as the rest of the program materials can be found here.)

Each of the panelists had a moment to give an initial impression of the hypothetical and how it related to their expertise.

Scott Bain from the ABA initiated the discussion by reviewing the current state of electronic delivery in the music industry, stretching from the well-known responses to the "free" services to the current growth of the legitimate download industry.

Sajai Singh took a moment to discuss how India has taken early leads in setting up legal structures, but that it had some significant missing areas of law such as electronic payment systems.

Shivpriya Nanda addressed how the hypothetical implicates many younger people as likely customers, and how Indian law considers contracts with such persons as void as well as the Indian law's perspective on materials that is inappropriate for young persons (and the lovely problem arising from the fact that 'young person' for purposes of majority in contract law is a different age from 'young person' for purposes of age-inappropriate materials!).

Martin Hsia suggested that it is very important to seek local counsel in each of the countries we need to do business in -- Enforcement rules and procedures are very different, and presumptions are usually wrong if we presume things are like we know them in the USA.

Nick Abrahams addressed the issues by again reminding us of the lack of uniformity in the legal customs in each of the countries of the Asia-Pacific Rim area. He noted that even simple things like click-through agreements, enforceable in some countries, for example China, are not enforceable in other countries, for example Singapore. Venue clauses are also going to be problematic -- While we can rely on venue clauses for dispute resolution in the States, many of these countries under discussion will not enforce them, and will not enforce judgments obtained in the States. Nick posted some additional materials which we have posted on the CLC page at the ABA site -- Download them here.

Judy Rinearson reviewed the payment system and how it adds a palpable risk when going overseas. While there are many risk mitigation tactics that we can use, the bottom line is that when we do this business overseas we must accept that there is some risk we cannot avoid.

The discussion went into free-flow at that time, and the value of this panel's broad experience became quickly obvious. One interesting question came from the audience, essentially suggesting that the picture is so bleak for a mid-sized businesses to figure this out that it should avoid the issues by simply licensing its content down to local companies in each of the countries and let them handle the issues. Nick pointed out that in China we more or less have no choice but to have a local party to do the business. Sajai noted that this is viable, but that there will still be a need to ensure that the local entity is doing its job because of the detailed differences in, for example, content control (anti-violent content rules) from country to country, so the local company will be reluctant to take on the job unless it has the right (and the capacity) to amend all content before it is willing to take on the risks of being the local distributor.

Scott mentioned that ABA is partnering with the Dept of Commerce to provide a lawyer referral service regarding enforcement of IP rights within China -- A free hour of consultation will be offered to US companies. The DOC's Web page has more information, and the ABA Section of International Law has the form one can use to get the referral.

Chris tried to get the panel to open up on thoughts on consumer privacy concerns. The eyebrows went up, and everybody more or less decided that it would be impossible to even scratch the surface in this forum. Again, local counsel is going to be important, because the rules are varying from country to country and subject to rapid change.

The panels discussed the issue of open-source software in non-US jurisdictions. Nick pointed out that some countries view the use of OS as a positive way to protect their own sovereignty (i.e., not letting a proprietary software supplier control the country's essential IT infrastructure). Nick and Sajai both noted that no matter what is thought by the suits in a company, the developers are using OS almost with abandon (in many cases because since there is no money changing hands the corporate control systems have no way to prevent the import of the OS code).

And the program continued for a bit more while my fingers grew too tired to keep up. This was a great program -- The ABA recorded the show, and we can certainly recommend a purchase of the CD audio if you want to learn more on this fascinating topic.


Michael Fleming and Vince Polley, finally being treated like the demi-gods that they really are, are chauffeured about the island in style.

Neither of them has any idea where those other shoes came from.

{Photography by C. Cooper}

Saturday, August 05, 2006

Cyberspace Law Committee Opening Session

Our first Committee meeting will begin in 15 minutes. Blogmaster and Chief Meeting Correspondent Michael Fleming is off at another meeting for an initiative about which he will fill you in later. That leaves me to try to report on our guided discussion. Our discussion topics:

Prof. Eric Goldman will lead a discussion of the various legal issues that arise in the blogosphere – employment, First Amendment, securities, IP, privacy, election law and the list goes on. In advance of this session, you may want to visit Prof. Goldman’s blog for a compilation of blog legal issues.

Nick Abrahams, a partner in the Sydney, Australia office of Deacons, will lead a discussion about multi-player on-line games. Have you figured out why anyone pays real money for “assets” that exist only in a game? An economist at Indiana University actually studies this stuff: Edward Castronova

And a late addition -- Judie Rinearson will be presenting an update about recent stored value card developments.

If you are planning to participate in the meeting in cyberspace, please post your comments, and we'll keep track and respond as the discussion continues.

Receptions Receptions Receptions

The Business Law Section reception was held on Friday evening, poolside at the Marriott Hotel. It was well attended, in spite of the occassional downpour, each of which lasted about a minute (and which seem to be a frequent-enough event that the local people working outside didn't even flinch). Nicely done music accompanied a fairly large group of attendees and some pretty darned-good food.

From there, a group of the Cyberspacers made their way over to Sergio's restaurant, and met with our new friends from the Cades Schutte firm here in Honolulu. Cades partner Martin Hsia, who will be joining our distinguished panel for our Sunday morning presentation on Doing e-Commerce business in the Pacific Rim, hosted many of the other panel members, including Candace Jones, Prof. Chris Kunz, Nick Abrahams, Scott Bain with Martin Hsia on the far right in the picture below.


Friday, August 04, 2006

First Program

This morning's program, put on by the Section of Science and Technology and co-sponsored by the Cyberspace Law Committee, was entitled Voice Over Internet Protocol: Connecting the Pacific, Connecting the World. CLC member Konrad Trope organized an excellent program, mixing lawyers and civilians. (Actually -- one of the 'civilians' on the panel was anything but -- A Lt. Colonel in the U.S. Army!)

One minor snag in the proceedings -- our moderator Konrad was unable to arrive after a snafu with the airlines. Luckily, he and the panel were able to talk prior to the program, and the panelists graciously held the fort until Konrad able to arrive mid-program.

(L-R) Kenneth W. Kousky, Saginaw, Michigan; Sheba Chacko, Reston, Virginia; LTC Jeffrey T. Girard, West Point, New York; Estevan Macias, Denver, Colorado

(I resisted the urge to photoshop a picture of Konrad in here...)

Thursday, August 03, 2006

Aloha from Honolulu!

The ABA Annual Meeting kicks off today, with many of our members arriving later today (Thursday). Your intrepid reporter arrived last night Hawaii time, which his body reminded him was actually quite late in back-at-home time. It's pretty warm for the islands -- About 90 degrees yesterday for a high, and probably similar today, so hardly the relief from the mainland's heat wave that we might have hoped for. Nonetheless, who's to complain while here?

The first event that many of us attended is the opening reception Thursday afternoon for the Business Section members held at the Convention Center (a modest bus ride from our primary hotel...). It was nice to have a time to view the displays without the crowds, and meet with our friends. Below, Michael Fleming, Judith Rinearson, Michael Power, Candace Jones, Rae Cogar, Juliet Moringiello and Vince Polley.

Doc -- You're getting a computer!

The Secretary of the (U.S.) Dept of Health and Human Services has announced that the healthcare provider anti-kickback regulations will soon be amended. The statutes and rules (more or less) prohibit medical providers who bill Medicare or Medicaid (i.e., more or less all of them) from accepting gratis anything of value from vendors (the economic theory being that such gifts will cause the providers to buy with less of a jaded eye on price, or to refer business for self-interested reasons rather than good medicine). The laws can be interpreted as saying anything of more value than your typical peppercorn is a potentially illegal kickback, and exceptions are strictly limited to items that are expressly allowed under the rules issued by HHS. (And, if you want to learn more about all that, the Cyberspace Law Committee is hardly your best resource! Go find some blog by health law attorneys...)

The cyberspace angle is that the rules will have a new exemption -- One that allows doctors to accept computers as 'donations.' (Doctors in need of 'donations' might seem a bit incredible for many of us, but we should remember that there are plenty of docs doing good work in less than well-funded circumstances.)

The weird thing is that HHS is saying that this is a good idea because their rules will require that any donated computer be interoperable with any other electronic health system. Sayeth the AP:
They also specify that the computer systems that are donated must be able to talk and interact with other health care computer systems around the country. Such "interoperability" requirements will prevent providers from supplying equipment that deters competition, said Health and Human Services Secretary Mike Leavitt. Some donors would be glad to give doctors equipment if it tied that doctor to doing business only with them, he said.

That seems fair on its surface, but I wonder what the Secretary is really trying to say? Is it really possible, in 2006, that a doctor would accept a non-general purpose personal computer (or a network that wasn't a general purpose system)? Or, if the doc did accept one that it wouldn't be quickly relegated to the basement? While the new exemption is probably justifiable on all kinds of reasons (particularly as we try to get all of the world to start using the new electronic medical records systems which will save money as well as improve medical care), I don't see why this idea of interoperability is the big justification where the docs are obviously going to be getting personal computers that are, almost by definition, interoperable. This sounds like the mind of some PR person at work...

[Props to Prof. Michael Geist for pointing to the story in his [BNA] Internet Law News for 8/2/2006]

Monday, July 31, 2006

XML Automation -- Still on its way?

Dow Jones Newswires reports that a group of technology companies has published a draft of new specifications intended to improve the use of extensible markup language, or XML. "The group plans to submit the draft specification, called Service Modeling Language or SML, to an industry standards organization later this year. The new specifications aim to provide an improved means of expressing how computer networks and other IT resources are described in XML, so businesses can more easily manage the services that are built on these resources.
Companies publishing the draft included BEA Systems Inc., BMC Software Inc., Cisco Systems Inc., Dell Inc., EMC Corp., Hewlett-Packard Inc., IBM Corp., Intel Corp., Microsoft Corp., and Sun Microsystems Inc. "

The Committee has had many programs on similar topics going back for many years, including interesting discussions in the Winter Working Meeting this year in Wilmington. Members of the Committee are directly involved in these and similar efforts, including Jamie Clark who is with the Oasis organization (one of those 'industry standards organizations' mentioned above).

Yet another reason to keep up your contacts with this committee -- We not only anticipate the future, but we're there to implement it!

Monday, July 24, 2006

Program Book Available Online

You can download the Annual Meeting Program Book and plan your schedules. Click here for a copy. A hard copy will not be mailed in advance of the meeting but will be available at the Section Information Desk located on the 3rd floor of the Waikiki Beach Marriott Resort and Spa and at the Registration and Expo Reception. The Annual Meeting offers over 20 CLE programs and nearly 100 committee and subcommittee meetings, open to all, which provide concise and relevant developments important to your everyday practice.

No Satellite Registration This Year!

For those of you attending in Hawaii, a special note to you from the Business Section:

The Section of Business Law will host the Registration and Expo Reception on Thursday evening, August 3, from 5:00 - 7:00 p.m. at the Hawaii Convention Center. This unique reception, exclusive to Section of Business Law members and their families, is designed to let Section members pick up registration materials in advance, get a sneak preview of the Annual Meeting Expo, schedule island tours, and catch up with colleagues and friends! Attendees will be able to purchase tickets to Business Law and ABA ticketed functions during the Registration and Expo Reception. Join your Business Law colleagues for this private event—appetizers, cocktails and entertainment for the entire family will be provided! As an added bonus, there will be a special raffle during the reception! Be sure to bring your family as this is a kid-friendly event. Admission is free.

Special transportation from the Waikiki Beach Marriott Resort and Spa, the Section of Business Law headquarters, will also be provided to the Hawaii Convention Center for this event. Buses will begin boarding on Paoakalani Street at 4:30 p.m. and will shuttle continuously between the Waikiki Beach Marriott Resort and Spa and the Hawaii Convention Center until 7:30 p.m. Afterwards, transportation to the Hawaii Convention Center will be available via the ABA Shuttle.

THERE IS NO SATELLITE REGISTRATION IN HAWAII. You must pick up your registration materials, including your name badge, All-Access CLE Badge, CLE tickets, and social event tickets, at the ABA Registration Desk located in the Hawaii Convention Center before you can attend meetings and CLE programs. With meetings scheduled for early Friday morning, the Registration and Expo Reception is a great opportunity for attendees to pick up registration materials.

Thursday, June 29, 2006

Time's a wastin'

Dear Committee Members:

The Cyberspace Law Committee will have an interesting but abbreviated schedule of events in Hawaii. We will be presenting one program for the Business Law Section -- Transacting Business via the Internet in Asia-Pacific Rim (co-sponsored with the UCC Committee and the International Business Committee) co-sponsoring a program with the Science and Technology Section about VoIP, and holding two expanded and dynamic Committee meetings in lieu of our typical schedule of separate Subcommittee and Working Group meetings. Both Committee meetings will include substantitve discussions.

Reservation deadlines for Hawaii are approaching. If you are still on the fence, I encourage you to make the trip. Also, if you are planning to attend and have not yet purchased tickets for Business Law Section events, please check them out. The deadline to purchase advance tickets for the Business Law Section Brunch and Dinner is this Thursday, June 29.

The Cyberspace Law Committee will not be holding a separate Committee dinner this year. I'll look forward to seeing you at the Section events instead.

Candace Jones
Chair, Cyberspace Law Committee

Wednesday, June 14, 2006

Dropdown and Give Me Twenty Two!

The USDC in Washington has just issued a decision on specific personal jurisdiction over a Web site operator. In running through the typical analysis of how much the defendant aimed its activity at the forum state, the court held that the operator's site "was expressly aimed at Washington in that the website lists Washington as an available shipping location and Defendant intentionally shipped its product into this state . . .."

This after noting that only three of the plush dolls at issue had been shipped to Washington, out of the 22 total states where the Michigan-based defendant had sold its products. (Arguably, the three shipments alone might have tipped the balance, but I think some courts would have had a tough time with that as the only factor.)

So, a convenience offered to users of web sites that is not offered to people who fill-in little coupons out of a magazine suddenly subjects the retailer to jurisdiction. Who knew the Web was going to be so dangerous?

It seems unlikely that the vendor who probably sold the off-the-shelf shopping cart system to the defendant here took the time to note that including any particular state in the drop-down list was going to subject the defendant to the personal jurisdiction of every state in that list. It also seems a bit of a stretch to fathom the defendant's intent out of what was probably nothing more than a choice made by the shopping cart operator (who was merely following the standard practice for all shopping carts). Should we now be counseling our clients that they should not present a dropdown list of states to anybody? Or, is the convenience to the site's customers worth the risk (but the lawyers to the site need to counsel on the risk in any event)? Should shopping cart developers provide a functionality in their software to allow site operator to delete certain states from the list? Should the site operator bring a claim against the shopping cart vendor for a design defect? (Just kidding on that last one...) (Sort of...)

Second practice note: Keep in mind that this is not a case where a click-through choice of law/venue provision would have made a difference, since the plaintiff was not itself a customer of the defendant's site nor subject to any contract between it and the defendant. We can't always rely on those contracts to save us from all possible exposure to out-of-state litigation!

Case is Qwest Communications Int., Inc. v. Sonny Corp. (USDC WD Wash NO. C06-20P, May 15, 2006). Reported in the June 15 issue of BNA Electronic Commerce Reporter.

Monday, May 15, 2006

SCOTUS to Trolls: Go Home?

There is a bit of a bombshell for the patent bar on the Supreme Court's front porch today -- No doubt the folks at RIM are a bit miffed that this didn't occur about 3 months ago, but I digress...

Have Justices Kennedy, Stevens, Souter and Breyer all but given public recognition to the (so-called) patent troll industry? Read into the following whatever you might like...

In cases now arising trial courts should bear in mind that in many instances the nature of the patent being enforced and the economic function of the patent holder present considerations quite unlike earlier cases. An industry has developed in which firms use patents not as a basis for producing and selling goods but, instead, primarily for obtaining licensing fees. See FTC, To Promote Innovation: The Proper Balance of Competition and Patent Law and Policy, ch. 3, pp. 38-39 (Oct. 2003), available at (as visited May 11, 2006, and available in Clerk of Court's case file). For these firms, an injunction, and the potentially serious sanctions arising from its violation, can be employed as a bargaining tool to charge exorbitant fees to companies that seek to buy licenses to practice the patent. See ibid. When the patented invention is but a small component of the product the companies seek to produce and the threat of an injunction is employed simply for undue leverage in negotiations, legal damages may well be sufficient to compensate for the infringement and an injunction may not serve the public interest. In addition injunctive relief may have different consequences for the burgeoning number of patents over business methods, which were not of much economic and legal significance in earlier times. The potential vagueness and suspect validity of some of these patents may affect the calculus under the four-factor test.

EBAY INC. et al. v. MERCEXCHANGE, L. L. C., ___ U.S. ___ (May 15, 2006) (J. Kennedy concurrence)(emphasis added).

Saturday, May 13, 2006

8th Circuit Rules in Case Involving Digitally Enhanced Evidence

In U.S. v. Seifert, the U.S. Court of Appeals for the Eighth Circuit ruled on the admissibility of video evidence that had been digitally altered to brighten the image. The original images were very dark. An expert used software tools to brighten the entire image, which then showed a suspect who was dressed very much like the defendant.

So, fellow lawyers, add Photoshop to your list of essential software skills on your resumes.

The case is here.

Friday, May 12, 2006

No More Pesky 8x10 Enlargement Spam

No, not that kind of enlargement. Get your mind out of the gutter.

In a clear victory over the photolab spammer cadre, the FTC has once again shown us the immense value and public good that has come to us out of the CAN-SPAM Act. Kodak Imaging Network sent out an e-mail to 2 million recipients that failed to contain an opt-out mechanism, failed to disclose the right to opt-out, and failed to include a valid physical postal address. For this, they paid over $26 grand in penalties and have the watching eye of the FTC to contend with for the next few years.

So -- I have no doubt the marketer did the dastardly deed (as I gather from the rapid closure that Kodak did not dispute the facts). Take that as a lesson learned for them, as well as for the rest of us who are advising clients on how to comply with CAN-SPAM. Fair enough.

But was this what we thought we were getting when we passed a law about spam? 'Gotcha' cases against legitimate companies that make dumb mistakes as opposed to something that has a meaningful impact on the mess that flows into our inboxes every day? How many of us have spent time complaining to our loved ones about the burden of deleting great masses of photo-lab spams? Are the fake-pharmacy-spammers really going to read about this case and suddenly realize they need to alter their marketing methods to comply with the law?

If anything, this action by FTC -- if this is the best they can come up with -- seems to almost prove the ineffectiveness of CAN-SPAM to achieve its original purpose.

In any event, please be sure to tell your clients to include the opt-out and address! See 15 U.S.C. § 7704(a)(5)(A)!

Tuesday, April 11, 2006

Working Group on International Policy

The Working Group on International Policy met on Saturday morning under the experienced leadership of Hal Burman. He circulated a couple of e-commerce-related documents from the Organization of American States, proposed for the next private international law meeting of the OAS. The two, one from Brazil and one from Canada, dealt with jurisdiction in consumer matters in e-commerce. State Dept would be interested in comments on them. U.S. is inclined to prefer the Canadian proposal, at least as basis for discussion. (There is also an FTC proposal on small claims that is not directed at cyberspace issues.)

The OAS documents are on the Internet Jurisdiction and Global E-Commerce subcommittee's home page, under Other Links of Interest:

Most of the discussion focused on the UNCITRAL Convention on the use of electronic communications in international contracts. The Subcommittee yesterday approved joining the Science and Technology Section in supporting US signature of the Convention. Hal's meeting went in more detail into the signature process and the different considerations that might have to be taken into account in a decision whether to ratify the convention.

The Executive Director, Bill Henning, and the past president, Fred Miller, of NCCUSL were present, along with several veterans of the UETA process, to discuss whether and how NCCUSL might express its views on the Convetion. Bill indicated that NCCUSL would usually restrict itself to saying that the Convention was compatible with state law, rather than actively supporting the Convention.

Pat Fry and others would study the Convention in early May and report to the Committee and to State on their views.

The meeting discussed how the proposal to support signing might be presented to the Council of the Section, and the timing of this in light of NCCUSL's timetable. It was thought that the Committee should take this forward to COuncil, with help from the International Coordinating Committee, without waiting for the NCCUSL review, if Cyberspace had done its own (which we consider ourselves to have done). Council might send views on to State or it might wait to see what NCCUSL had to say - it was certainly of interest to Council whether NCCUSL had concerns. Hal and Henry Gabriel suggested that the Convention was very much like UETA and should not be problematic.

Several members of the Working Group, along with Candace J, were bound from there to the International Coordinating Committee to make their case, which your blogger can now report they did, and their plea was supported at that Committee - particularly in light of the limit of the proposal to support signature only at this stage.

Yet Another Candid Camera Moment from Roland

My -- I give this guy the right to post and he just goes way overboard...

(Many thanks to Roland who really did a great job of adding to our blogging output this meeting. Let us all encourage him to continue, and to bring along that cool little camera of his as well. Here's a shot taken at the Carlton Fields reception outside the Yacht StarShip.)

Saturday, April 08, 2006

A few glimpses from the Columbia Restaurant -- The Committee Dinner

Michael Fleming and his daughter

Ray Gustini

Juliet Moringiello

Jonathan Armstrong (leveraging his British accent)

We {heart} Ziff

Sometime around 2001 as I was walking from one subsubsubworking group to another, at the Cyberspace Winter Working Group meeting at the DC Capital Hilton, I ran into this woman who was cruising the emptying room picking up the handout at the end of a session. (You know, the I-was-in-one- meeting-but-there-was- this-other-one- I-really-wanted-to-see- so-I-dropped-by-the-room -to-see-if-they-left- any-handouts ABA scavenger hunt. C'mon, don't tell me you don't do it too.) Literally ran into her, and I think I had to pick up the pile of paper we both dropped. I gave her the short version:

(insert Polley inflection here, boots optional) "Cyberspace Committee, ABA, Internet, all kinds of new law, e-commerce good, people good, fun good, publications pretty good."

I got most of the details wrong -- a point of which she still reminds me ("you said it was TWO years as chair! You LIED!") pretty much every ABA meeting -- but we hit it off anyway. Only thing I did right was to reflexively reach out to a newcomer. But hey, she bought it -- and became a wonderful leader, key Cyberspace author, replaced me and outdid me, and herself became the incubator of a bunch of additional really good leaders.

Today is her last day as E-Commerce Committee chair and we should celebrate her successes. Luckily someone booked us into a Cuban bar for dinner tonight... See you in Ybor City.

Afternoon Excursion (before Cyberspace Committee Dinner)

An intrepid group of cyberspace counsel fortified themselves with water, sunscreen and umbrellas and walked (some would say trekked) to the nearby Henry B. Plant Museum and its exotic architecture. Photos are better than words to describe the Museum, which was formerly a railroad hotel and is now known as Florida's First Magic Kingdom.

PROGRAM: 21st Century Risks and Age-Old Insurance Clauses

Bill Denny led a very interesting program how businesses are responding (or, in many instances, not responding) to the risks arising out of participating in cyberspace.

Mike Rodman of Albert Risk Management Consultants spoke on his observations of businesses and how they interact with the need for cyber-insurance. He noted a number of risks that should be addressed in any useful policy, particularly noting the need to address what things are NOT covered in other policies such as CGL. He suggested that there is still a lack of belief in the need for these kinds of cyber-loss policies -- and that in his opinion businesses do that at a higher degree of risk than they believe.

Bill Denny spoke on traditional contract principles and how we have historically allocated risks in IT deals. He then recalled the traditional insurance policies that we might have been analyzing for our clients -- third-party liability policies including CGL and its cousin E&O to cover many traditional IP claims such as copyright infringement; and first party coverages such as property, automobile and the like. He reminded us of the differences between occurence policies versus claims-made policies. He also reminded us of how some policies provide defense, some do not, some will pay defense costs after the claim is actually paid out, some count defense costs against the policy limits while others do not. Bill also went over how much of the boilerplate provisions we frequently glaze over may be self-defeating of our purported intentions.

Margaret Reetz of Chicago discussed how the newer policies have been working out in practice, based on her practice representing insurers. She discussed concepts of how the cyber-policies provide coverage, and misconceptions that are out there.

Emily Freeman of JLT Risk Solutions of London discussed how so many of us will spend so much time negotiating the best indemnity clause ever written, and never take the time to wonder if the indemnifying party has any insurance to stand behind that indemnity. She reminded us again how 'useless' CGL policies will be to cover indemnified cyber-risks. She also reminded us of how little consistency there is between the various policies that fall into the so-called cyber-policies. Her strongest message was that we should never rely on just calling out the name of a policy (like "CyberInsurance") and assuming that any particular risks are covered. (Emily has a checklist she would be willing to offer that lists the various risks that we should be asking about.) Rather, we need to cite the specific risks that need to be covered. She discussed the methods that potential insureds will need to follow to get coverage, including the due diligence that insurers will do prior to writing coverage. (Getting coverage, and 'passing' due diligence by the underwriter, is itself a flag for customers of the insured parties. Failure to get insurance can be a red flag.) She also noted that those who rely on their vendors to be the sole source of potential assets to cover risks are potentially foolish. The sorts of claims involve actions that tend to harm many parties -- Imagine a privacy breach that causes thousands of consumers who have dozens of different banks, all of whom use a common financial data services provider. If that provider has a $5 million policy, there is not much left for the 2nd claimant after all 4 dozen of them suffer $5 million in damages. Those customer businesses will hope they had through to obtain their own policies.

Working Group on Consumer Protection

The Consumer Protection group opened its discussions on how it will be participating in the ABA project to put up The group will be adding much from the consumer's perspective, including needs for sellers to analyze and address the Magnuson-Moss Act's consumer warranty requirements as well as methods to disclaim certain warranties.

Touch base with Prof. Don Clifford if you wish to participate -- His Working Group's home page can be found here. This is a really great opportunity for the person who wants to get started with CLC, since the project lends itself well to one who wants to write both short or long pieces. See

Corporate Aspects of Information Technology (CAIT)

The CAIT subcommittee met on Saturday morning, chaired by standing Chair Don Cohn. First order of business, Don introduced the incoming new Co-Chair Bill Denny of Potter Anderson in Wilmington. Don and Bill have worked together for many years, and are looking forward to carrying on their work in the Committee.

Don ran through a number of projects that are in various stages of life, and made sure that potential participants knew that their mission was to get in touch with Bill or Don and get their wishes known.
  • An M&A checklist for IT concerns (Bruce Doeg & Bill Denny are leading the charge.) Can we assist the business community to understand the issues in IT that will come up in their deals? How can we get experienced lawyers in line when these deals come up?
  • How can the IT purchasing community start to get vendors to take contractual responsibility for the security breaches caused by their products?
  • Corporate-sponsored blogs -- Can we produce a product to advise counsel on analyzing the risks of issuing corporate-sponsored content via 'blogs' (or any of the other non-traditional mechanisms that we see now or that will surely be invented soon).
  • Corporate rules on how to filter incoming e-mail going to employees -- The USA perspective is essentially that the employer is in total control of this, but EU and other jurisdictions feel differently. How can a company that crosses boundaries have a viable policy?
Please get in touch with Don or Bill if you have any interest in adding efforts to any of the above.

Participants in the CAIT subcommittee meeting (chaired ably as always by Don Cohn)

Candace Jones and Vince Polley

(photos by Roland Trope)

Next Year's WWM

Candace announced at the plenary sessions that we are tentatively a GO for meeting this coming January in member Elizabeth "Soon-to-be-a-Mom" Bowles' home town of Little Rock, Arkansas. (Elizabeth later reminded us that while most of the locals refer to themselves as ar-kan-sans, the state constitution officially denotes them as ar-kan-sawyers.)

This is another great opportunity to enjoy the home city of one of our members (just as we did this year with Bill Denny and Don Cohn welcoming us to Wilmington and the wonderful Hotel DuPont). I am looking forward to seeing a town I've yet to spend time in.

Model Data Breach Notification Procedure and Payment Card Industry information Security Standards (CLE session)

Panelists: Joan Warrington (off cam); Michael Power; Robert Rothman; Jon Armstrong; Tom Laudise (moderator); Peter McLaughlin and Hank Judy (off cam)

Panelist: Jonathan Armstrong (delivering his presentation)

Panelist Joan P. Warrington explained PCI Data Security Standards

Questions from the audience were lively.

Panelists provided an unconventional discussion to company responsibilities to fulfill statutory obligations when data breaches occur.

Tom Laudise noted that the California statute (the "grand daddy" of data breach reporting statutes) overlooks the fact that with web search capabilities, data thieves do not need several kinds of personal data, they need only one important kind such as social security number and can then locate the rest of the data they need in order to make illicit use of the data.

Tom also noted that with so many states now having enacted disparate data breach statutes, it is time for federal legislation to harmonize these obligations. He discussed the pending HR 4127, Data Accountability and Trust Act, and its underlying theme "If you can't protect it, don't collect it." It gives enforcement action authority to the FTC and state attorney generals, which is strongly opposed by financial service companies. He doubts, however, that unless there is a significant data breach for a triggering event that the House will enact any of the competing bills currently pending.

Jonathan Armstrong, from the UK, discussed data breach -- a view from Europe. He noted that there are increasing numbers of data breaches in Europe, and particularly in the use by EU businesses of offshore call centers. He noted that companies seem reluctant to recognize that if you pay employees less, you increase the chances that they will be susceptible to bribes by data thieves. He drew an analogy to a weather map, and noted that there is a strong storm system of threats to data privacy moving west from Eastern Europe. He also provided the graphic example of a person who once told him "you will never understand data privacy until a neighbor of yours has been taken out and shot." Jonathan noted that despite the EU-wide Data Directive, each Member State has implemented its own national version, and that the prosecuting official for a data breach will, therefore, not come from EU headquarters in Belgium, but from the local Member State. In Europe he added that there is "loads of law, but little enforcement", whereas in the US "you have little privacy law, but vigorous enforcement." Mandatory reporting requirements are proliferating, with Norway being the first, where the mandatory report must be to the Norwegian data commission, which then will decide if the company must report to end-users or affected customers. Data reporting laws also have emerged in Hungary, Malta, Sweden and Germany. In most countries, persons have the right to make a "subject access request" -- if they believe they are in a class affected by a data breach, they can submit such a request, and the company must respond within a brief period. In Europe, it is common that prior to handling personal data, a company must register with the Member State's data protection commission.

Robert Rothman emphasized the need during initial diagnosis of a data breach to create a centralized "Fact Sheet" to ensure that one version, not many, becomes the view of the company internally and in contacts with the media. He pointed out that when a company reports a data breach it should give very careful consideration to omitting from such notice any disclosure of information that would alert the data thieves to the significance or value of the platform or stored data that they took.

Michael Power approached the problem as an evidence collection exercise in which the overseeing counsel need to make sure that they can trust everyone involved. He noted this must start with the engagement of a forensic expert. When a company suspects a known person or target who may have stolen the data, he recommends seeking court orders to compel production of their storage devices in order to "ghost" them and review contents to determine if they contain stolen data. He drew the analogy to coming home at night, finding the door had been forced open, and then you have the difficult task of determining what happened -- did the intruders merely walk around, did they party (unlikely), did they go upstairs and take valuables from drawers, etc. Finding out what the data intruders actually did is an important task that needs to be investigated and should not be assumed away. He noted unique issues that arise under Canadian federal and provincial privacy laws. In one instance, he discussed how the team leader (and there MUST be one after a breach) needs to be prepared to deal with the media. He echoed the theme of earlier panelists "Get the Lawyer in Early" if there is a security breach.

Joan Warrington elaborated on that theme emphasizing the risks of class actions and attorneys general investigations. She devoted considerable attention to the Payment Card standards and how clients will increasingly need to grapple with these standards. They emerged, in part, from Visa, which have been approved and adopted by all of the big payment card sponsors -- Amex, MasterCard, etc. They are applicable to all entities that store, process or transmit card holder data. If you go to the websites of these card issuers there are inches thick materials (when printed in hard copy) on compliance with those standards. Several banks, for example, have sued BJ's claiming that they are third party beneficiaries of those standards and seek to recoup funds lost through thefts that originated in data stolen as a result of BJ's alleged failure to comply with those standards.

Hank Judy encouraged counsel to download from the Better Business Bureau and from MISMO websites the primers available on how to handle data breaches (the former is best suited to small businesses, the latter provides a more sophisticated and technologically advanced guide). He highlighted certain issues that can be easily overlooked. Unlike usual thefts where missing items mean something has been stolen, with data "the absence of evidence is not evidence of absence" because hackers are often skillful at compromising data without leaving a trace of their intrusion and leaving the data seemingly intact. There needs to be a person with "unambiguous decision-making authority." Although perhaps counterintuitive to companies fearful of the consequences of a public disclosure, he encouraged the use of a website to provide notice (gets the word out to a wide community, and keeps control of the version released by the company -- and allows a company to combine a good account of the incident, with links to service providers that can help consumers protect themselves from the consequences of the breach, and that allows a company to continuously update its account and such aids as needed). Hank recommended as an example that counsel view a few websites, including this one put out by Georgetown University after an incident.

Questions from the audience, including Michael Khoury's inquiry about how to respond when you advise your client on the best practice responses to the data breach and brings you up short with one or another version of the question, "But isn't that going to cost us a shitload?"

Subcommittee on Privacy, Security and Data Management

Michael Power and Peter McLaughlin co-chaired this morning's meeting of the cyberspace subcommittee on Privacy, Security and Data Management. More than 35 people attended (and more than half of them were new to the subcommittee). There was discussion about possible new projects -- e.g., collection of examples of negotiated clauses/exceptions to standard software vendors' exclusion of liability for security breaches (and/or a collection of examples of how large buyers have used their buying power to move vendors away from their historical hard line). There also was discussion about CAIT's ongoing project to develop (and keep up to date) a set of checklists/tools to help counsel effectively work through the barrage of decisions that have to be made while in the midst of a security incident (e.g., a network security breach).

Andy Serwin made a presentation (using powerpoint in an unexpected way, with non-volatile storage/display tools -- paper) trying to read the tea-leaves about the FTC's emerging security policies. While recent enforcement actions are reported as "privacy-protection" activities, a closer look suggests: (a) the FTC is more focused on lacking underlying security, at (b) companies that are holding financial-related information. Relying on Gramm-Leach-Bliley, FTC has seized on the lack of a written contingency plan (for managing security incidents). (While many companies have at least decent security processes, many of these aren't formally enough institutionalized in a fashion that facilitates knowledge continuity -- hence, the need for a written plan.) FTC actions also illustrate the need for formalized, risk-assessment and risk-management processes, being systematically applied to the area of information security. (An ecopy of Andy's presentation resides here.)

The number of people in the room, the kinds of questions raised, and the level of passion exhibited during this meeting all suggest that the "perfect storm" of security/privacy is closer than a distant speck on the horizon. The lawyers who prepare earliest may actually benefit from the coming storm, by being able to out-sail their less-well-prepared colleagues. As with Health-Safety-Environment, companies also may find an emerging competitive advantage flowing from their earlier planning. (Argue this, when justifying your participation in our work.)

Internet Jurisdiction and Global E-Commerce Subcommittee

The Internet Jurisdiction and Global E-Commerce Subcommittee assembled a lucky 13 participants to discuss three topics.

  • The first was Internet governance: has the Cyberspace Committee something to say on that topic, would the ABA agree, and would anyone else in the world care?
  • The second was a project on state (and probably federal) courts' response to choice of law provisions in internet transactions.
  • The third was whether Cyberspace, and/or the Section, should support the submission by the Section of Science and Technology to the Department of State that the US should sign the UNCITRAL Convention on the use of Electronic Communications in International Contracts.

On the first topic: considerable scepticism on all three points. The subject was considered inchoate at the international level, with "high barriers to entry" because of the complexity, density and high political content of the material (not to mention the travel budgets required to participate in meetings). If anything were to be done, it should be on narrow focused and ideally relatively technical topics, rather than big policy issues like "should policy be set bottom-up, as with ICANN and its user constituencies, or top-down by governments?"

The meeting discussed whether to try to formulate a solution to the WHOIS issues presented by Kristine Dorrain at the Hot Topics session on Friday morning. For reasons to be outlined in more detail in the report of the meeting on the Subcommittee's home page (in due course), there was some reluctance to undertake this. The topic was left with an invitation from the chair to propose topics, ideally narrow and manageable.

The second topic, on choice of law, was inspired by a recent California case and by revised Article 1 of the UCC, which has been adopted in California - but nearly nowhere else, so far, at least on this subject. There was some discussion about how closely linked the questions were to the UCC. At the end, the project was thought to be worth pursuing, so the chair would pursue volunteers, offline and on. It was thought that someone with students with term papers might be a good candidate. It might be useful to reach out to other subcommittees.

The third topic, the UNCITRAL Convention, led to discussions about the nature of the decision to sign conventions under the current US administration, the differences between signature and ratification, the role of NCCUSL and implementing legislation generally, and the process for joining the SciTech submission if we wanted to. Detailed discussion was left for the meeting of the Working Group on International Policy, but the meeting favoured, nemo dissentiente, moving towards support of SciTech and US signature of the Convention.