Tuesday, December 11, 2007

Source Code May Set Us Free

Or, at least some folks who are putting up a battle against DWI charges in Minnesota. As reported by a local legal blog, a district court judge in Minneapolis is more or less foreshadowing that evidence from intoxilyzer results will be suppressed unless the manufacturer of the machine discloses its source code to the litigants. This has already been the rule for civil proceedings involving intoxilyzers, but this looks to be the first time the rule has impacted criminal proceedings in this state.

Of course, Minnesota is not the only state where this has been brought up in a defense motion to suppress. I understand that to date the manufacturer of this particular device has refused to grant access to the code, although I would welcome corrections to that understanding since I've only learned it through indirect sources.

Regardless of the facts or outcome of the particular battle between the DUI bar and the manufacturer (which in the end is not a battle we're well equipped to analyze other than as it deals with source code), the Cyberspace practitioner should already be well equipped to understand the fundamental pieces of this dispute. The manufacturer is undoubtedly claiming a right to maintain its source as a trade secret, and has so far only allowed its software to be distributed in object code (or lower) format that is not reviewable by human beings. That may well be its right under trade secret law (although we must leave open the possibility of arguments to be made on public policy grounds, or that somehow the manufacturer in this case waived its rights). Some, on the other hand, might argue that a business model based on proprietary code is not a wise one to follow where courts are more and more willing to demand openness. Could this manufacturer find its business model is ultimately a reason for a competitive manufacturer with a non-proprietary business model to step in and take business away? It all remains to be seen of course, and it's an interesting intersection between our world and another one.

Saturday, December 08, 2007

DC Bar Pipes Up on Inadvertent Disclosure of Metadata

The bar of the District of Columbia is the latest to issue a formal opinion on what lawyers need to do about metadata in documents being passed back and forth between adversaries.

The usual admonition to the lawyer doing the sending was there. Pay attention, learn what metadata is, and remove it if it might disclose privileged or otherwise confidential client data -- failure to so remove might itself be an ethical violation on the part of the sending lawyer. No controversy there.

The interesting part is that DC has joined the small chorus of states that have come out contrary (more or less) to the ABA's opinion on what the lawyer on the receiving end should do. Recall that the ABA's point is that the rules are essentially silent on taking advantage of metadata that an adversary should have removed from a document, although they do not go so far as to formally bless the practice. The abstract for Formal Opinion 06-442 (August 5, 2006) Review and Use of Metadata states, "The Model Rules of Professional Conduct do not contain any specific prohibition against a lawyer’s reviewing and using embedded information in electronic documents, whether received from opposing counsel, an adverse party, or an agent of an adverse party." But, at least two other states have formally come out against this view, Alabama and New York. We summarized those positions here. Alabama, for example, strictly prohibits mining of an opponents metadata: "Absent express authorization from a court, it is ethically impermissible for an attorney to mine metadata from an electronic document he or she inadvertently or improperly receives from another party."

The DC bar has struck a somewhat less harsh standard. "A receiving lawyer is prohibited from reviewing metadata sent by an adversary only where he has actual knowledge that the metadata was inadvertently sent." So, if the receiving lawyer is equally ignorant of how this inadvertent disclosure of metadata occurred, the receiving lawyer is free to use the data!

But, I am not sure how that plays out in practice, and even the opinion seems to acknowledge this. If you see data in the received document that is clearly unintentionally disclosed because it's obviously of a nature that the other side wouldn't want you to know, you're essentially deemed to have the actual knowledge cited in the rule.
Such actual knowledge may also exist where a receiving lawyer immediately notices upon review of the metadata that it is clear that protected information was unintentionally included. These situations will be fact-dependent, but can arise, for example, where the metadata includes a candid exchange between an adverse party and his lawyer such that it is “readily apparent on its face” that it was not intended to be disclosed.

(Citations ommitted.)

One might think that pretty much anything you might find in an adversary's inadvertent disclosure that you might find useful in your then-current dispute or negotiation or whatever is going on would fall in the category of stuff that the other side would have not wanted disclosed. Thus, the actual knowledge standard is probably only helpful to the extent meaningless or valueless information is inadvertently disclosed, which might avoid an ethics battle over trivial issues.

So, for the most part, DC lawyers are on notice that if they find meta-goodies in the other side's documents, they must immediately stop using it or examining it, and must "notify the sending party and abide by the instructions of the sending party regarding the return or destruction of the writing."

(I especially liked one aspect of this issuance, which was to clearly distinguish documents created by the other side for purposes of the inter-lawyer discussions versus documents being delivered under a discovery or other court order. In short, if it's evidence, you can't delete the metadata before you send it to the other side, since the metadata is itself part of the evidence. One would hope that this would evident without explanation, but with the ubiquitous use of metadata scrubbers coming into play now we should be careful to avoid unintentionally using them where inappropriate!)

It's also pretty late notice, but ALI-ABA, one of the educational arms of the American Bar Association, is giving a webinar entitled "Confidentiality and Ethics in a Wired World." Check it out soon, since it fires up on Tuesday December 11.

Saturday, October 27, 2007

"To" vs. "BCC": An Oldie but Goodie Strikes Again

For all of the talk amongst the cyberspace cognoscenti about high-technology security problems, it's good to be reminded that almost all of the 'oops' we've seen before today continue to haunt us.

I can't vouch for this story other than what we read here, but for what it's worth it's a good reminder to us all. There are reports out that an email was sent out by the US House Judiciary Committee to a group of people who had sent in anonymous notes to a whistle blower tip-box. The email was reminding all of how their identities were going to be kept secret.

Of course -- You guessed it -- The email was sent simultaneously to 150 anonymous tipsters by putting each of their email addresses into the "TO" field. Thus, everybody on the mailing list now knows the email addresses of the other 149. (Plus, all of the recipients were probably annoyed at having to scroll down through 7 inches of addresses before they got to the message!) The problem would have been mostly avoided by simply putting the recipients' addresses into the BCC field rather than the TO field. (Even then, the ISP that originally processes the email from the sender certainly has all of the BCC list on its logs, at least for some period of time, so it's not a totally safe maneuver.)

Without getting into the almost certain political fun that will follow, we can take this as a lesson. While we all work to stay up to date on the most cutting edge of exploits and security tactics, don't let the old ones fall out of sight and out of mind. The oldies but goodies are just as likely to bite you today as they were when they were new.

Monday, October 08, 2007

Electronic Contracting versus Laziness

This author has seen a spate of cases lately that some have been citing as the death knell of electronic contracting. To the contrary, I see nothing more interesting than a demonstration of how lazy implementation leads to predictable results. Frankly, had each of the parties in these matters simply followed the practices discussed in our Committee's ongoing series of articles, I doubt any of these contracts would gone bad. But, in each case, the party setting up the contract took the lazy way towards setting up their system. Unlike just a few years ago, where judges were often unwilling to venture into these areas, the bench is now tackling the systems, and calling parties to task for their bad implementations.

In each of these matters, one party set up a system to implement something electronically, either through incorporation in one 'contract' of another set of terms posted on the Web, or through the use of a purported click-through system. But, the party who found himself on the enforcement side of those purported terms or contracts challenged their incorporation or enforcement. Let us take a quick look at two of these examples.

In Federal Trade Comm. v. Cleverlink Trading Ltd., 2007 WL 2875626 (USDC N.D.Ill. No. 05 C 2889), the FTC was doing battle over the remaining assets of the losing defendant in a CAN-SPAM enforcement action. At issue was whether a contract that Cleverlink's former credit-card service, Oceanic, claimed was in place would give the erstwhile Cleverlink's money to that provider or leave it for the FTC. Oceanic and its leader, a Mr. Sholes, admitted they had no signed copy of the contract. But, they did claim they sent an email to Cleverlink that contained a link to an application for the service. "Sholes contends that Cleverlink would have had to click an "Accept" box and then digitally sign the document. [Later], Sholes sent an email to his attorney containing lines of computer code. Sholes stated in the email that the lines of code show that an email was sent to Cleverlink on March 11, 2005 with information on the processing agreement.

One might then hope that Mr. Sholes would have put his computer folks on the stand, maybe to do so little as to authenticate the business records purportedly portrayed in that email, or even better to explain what the email might mean and why. But, I can only gather that he rested his case on nothing more than his email. As we might guess, that did not cut it.

Without explanation, this Court cannot understand the lines of computer code in Sholes' email. Although Sholes stated in his email that the code lines came from Oceanic's servers, he had no first-hand knowledge regarding how and from where the code was retrieved. Sholes also could not interpret the code lines and explain how they can be read to prove that an email was sent to Cleverlink with a link to the [agreement]. Relief Defendants have provided no affidavit or testimony from anyone with actual knowledge of how and from where the code lines were retrieved. Likewise, there is no affidavit deciphering the lines of computer code. Even if the lines of codes proved that an email was sent to Cleverlink, [the card provider] still would be several steps from establishing that Cleverlink accepted the [agreement] submitted to the Court. First, there is no evidence that Cleverlink responded to the email or otherwise visited Oceanic's Web site. Sholes testified that any such evidence was deleted from Oceanic's servers before the FTC served Oceanic. Second, there is no evidence that whatever document was linked in Sholes' email contained the increased chargeback fees [at issue in this matter]. In this regard, Sholes did not retain a copy of the [agreement] and has indicated uncertainty regarding its exact terms. In the end, [Oceanic has] no competent evidence that Cleverlink electronically accepted the terms of the MPPSA.

(Citations ommitted.)

So class, can you go through that last paragraph and put together a check-list for your next client who plans to proffer an electronically-solemnized agreement in court?

(Thanks to committee member Eric Goldman for pointing this one out to me.)

The other case in mind is Manasher v. NECC Telecom, USDC E.D. Mich., No. 06-10749, 9/18/07). Here, telephone company NECC attempted to incorporate terms in the parties' contract that NECC had posted on the web -- A technique our Cyberspace folks have viewed favorably, but only if the incorporation is clear and understandable, and is done in a manner where the other party is clearly shown to have taken an action to agree. Here, the telephone company did just about everything it could to do it incorrectly. It signed up the customers over the phone without mention of a contract, it started to provide the services without any need for the customer to indicate agreement with terms, and it tried to incorporate its web terms by burying a line deep inside of the mailed invoice:

After the phone service began, Plaintiffs received an invoice. The second page of the invoice has five boxes containing five statements. The titles of the five statements are: (1) Recurring Fee; (2) Referral Discount 5%; (3) Preferred Customer Plan 'PCP,' Standard Customer Plan 'SCP;' (4) Rates; and (5) Agreement (Disclosure and Liabilities). [Motion, Exhibit D and E]. The fifth box, containing the statement regarding the 'Disclosure and Liabilities' is at issue. The statement provides "NECC's Agreement 'Disclosure and Liabilities' can be found online at www.necc.us or you could request a copy by calling us at (800) 766 2642."

NECC argued that this was adequate to incorporate the text of 'Disclosures and Liabilities', which was in fact a set of purported contract terms including an arbitration clause that was at stake in this suit. The court did not agree.

The language does not betray a clear intent that the Disclosure and Liabilities Agreement be considered part of the contract between the parties. NILAC, supra. Nothing in the statement clearly indicates that the Disclosure and Liabilities Agreement applies to the service contract between the parties, that it forms any part of the agreement between the parties, or that it is intended to be incorporated into the agreement between the parties. The statement merely informs the reader of where to find "NECC's Agreement 'Disclosure and Liabilities.'" Further, the statement is the last of five statements, written in plain text, on the second page of the invoice. There are no allegations of any other references to the Disclosure and Liabilities Agreement either in writing, or in the verbal dealings with Defendant. Thus, the Disclosure and Liabilities Agreement is not incorporated by reference....


I believe that had each of the parties setting up the systems in the above cases simply followed, both in their legal analysis as well as in their implementation, the simple principles our group's authors have long espoused, none of this would have come to pass (for them at least...). If you haven't reviewed them recently, take a new look at the two seminal articles published by members of our Committee -- The original Click-Through article, and the later Browse-Wrap article. Professor Christina Kunz and her team of authors in each article have provided clear pathways towards successful implementation.

Of course, it's up to each of you lawyers advising your clients to ensure that these principles actually get followed on the ground in a meaningful manner. Our jobs do not end when we've written text of the agreements. We must be aware of the process used to get those contracts in front of others, and challenge those processes if they do not lead to clean and admissible evidence. Alternatively, if we allow our clients to take lazy ways through these processes, we are likely to be getting called out later when the contracts fail to be enforced because they were never entered into in the first place!

Monday, August 27, 2007

Innovation without Permission

This article today in the New York Times about Serena Software's effort to create a Web 2.0 platform for company employees to create their own mashups caught my eye.

The company claims that in the current environment of severe cut-backs, company IT departments probably won't be able to satisfy a company's application development needs. The frustrated employees will need to turn elsewhere.
“The generation that is sitting in their dorm rooms building Facebook applications is going into the workplace in the next few years,” Mr. Burton said. “The whole mindset is innovation without permission.”

How should in-house lawyers respond to this trend and these tools? Sounds like a project for CAIT (Committe on Corporate Aspects of IT). What do you think Don?

Sunday, August 12, 2007

Boing Boing claims Google Video robs customers of the videos they "own"

Boing Boing has an interesting post this morning about a Google user who received a letter telling him that the video's he paid for on Google's Video service were no longer going to be available to him. In exchange, they're giving him a credit on the Google Checkout service that will last for only 60 days. Kind of takes the "own" out of Download to "Own" doesn't it.

Why not kick this one around at the meeting.

Saturday, August 11, 2007

Committee Forum: Website Agreements -- I Didn't Agree to Those Terms, Did I?

The Committee continued its long-standing leadership in the electronic contracting arena. After our groundbreaking articles on Click-Through Agreements and Browse-Wrap Agreements, it was time to revisit some new topics that we've seen bouncing around in recent years.

After spending some time in reviewing the prior scholarship, Chris Kunz, Kathy Porter and Juliet Moringiello went over recent cases involving modifications and amendments to contracts done via electronic means. The cases are still in flux, but we see trends that tell us that principals of 'notice' and basic fairness still apply. The biggest sit-up-and-take-notice moment was discussions of a growing trend in a number of states that find that terms in a contract that allow amendment by unilateral postings on a web site may not only be unenforceable on their own, but might even go so far as to cause the original underlying contract itself to be voided!

Eran Kahana and John Ottaviani spoke on the recent discussions (and very thin case law) regarding 'bots' and their abilities to enter into contracts. While it is pretty clear that 'bots' are recognizable players in a contracting situation, we still wait to see how far the courts are willing to let those things play out.

Putting the Winter Back into Winter Working Meeting!

The Minnesota contingent of our committee is proud to invite all members to the 2008 Winter Working Meeting of the Committee to be held in the Twin Cities on January 25 and 26, 2008.

The event will be held at the Executive Conference Center at the Mall of America in Bloomington.

The world-famous mall is very near to the Minneapolis-St Paul Airport. We will have a block of rooms at a very reasonable price at the Embassy Suites Minneapolis Airport. Free shuttles from the airport and to the mall will be available. And, the MSP International Airport is a very easy airport to reach.

Along with the mall itself, those with families might consider the nearby Waterpark of America as a reason to bring some kids along.

We do promise to keep everybody warm!

More details to follow -- But, we want you all to hold the dates and plan to be with us for Winter Working Meeting 2008!

Friday, August 10, 2007

Program: Net Neutrality--The Great US and Global Debate--What it is About and Why Your Clients Should Care

Hank Judy and Tom Laudise, co-chairs of the Internet Law Subcommittee, gathered a first-class panel of speakers for the Net Neutrality program held on Friday morning at the 2007 Annual Meeting. The program was sponsored by the Business Section Technology Committee, and co-sponsored by the Cyberspace Committee and the Section of Science and Technology.

Greg Luib from the FTC first gave a helpful overview of the debate, which does require some technological background to follow and he gave it the yeoman's effort to teach a bunch of lawyers how routers work. My own common sense suggests that trying to summarize that description is unwise, particularly since one of Greg's points was that

Then, the debate began. Examples on one side -- Imagine you placed a phone call to reach your local pizza joint, and the phone company suggests that instead of your choice of pizza it might be nicer if you tried their chosen pizza provider, but if you really want to talk to your original joint please hold for three minutes (while others are already placing their orders for hot juicy pizzas from the preferred pizza provider, or PPP). The stronger statements were along the lines of "Don't break the Internet." The argument is that by ensuring that even the smallest of new content provider can get access to the Internet consumer, we can have a chance to allow a garage company of today to become an important player, be it by financial success to become the next Google, or be it by having an ability to reach people it couldn't otherwise reach through traditional media or means of communication.

On the other side of the debate, it was suggested that it is over-reacting to enter into regulation prior to knowing if there is a harm to be resolved, as well as questioning if consumers are being harmed in any of the discussed scenarios. "Balancing the risks is a complex empirical question." Another primary argument is that the ability to add new networks, and create further competition, is a better way to resolve the problem rather than to regulate those networks that already exist. The economic arguments often followed a line that regulating today may lead to results we cannot anticipate. Quoting panelist Michael Katz from an article he recently published, "Public policy should intervene where anti-competitive actions can be identified and the cure will not be worse than the disease. Policymakers must tread carefully, however, because it can be difficult, if not impossible, to determine in advance whether a particular practice promotes or harms competition."

Many speakers cited to a recent report issued through the Federal Trade Commission, a copy of which is found here. In the end, the executive summary of the FTC's report followed the 'caution' model: "In evaluating whether new proscriptions are necessary, we advise proceeding with caution before enacting broad, ex ante restrictions in an unsettled, dynamic environment."

The committee thanks participants on the panel -- Michael Katz, professor of economics at the University of California at Berkeley, David Sohn from the Center for Democracy and Technology, Gail Levine from Verizon, and Markham Erickson representing a group of content providers through his firm Holch & Erickson.

Thursday, August 02, 2007

Minneapolis Disaster

Many of you in our committee have been calling around looking for news about fellow members and friends who live here in Minneapolis in light of the bridge disaster.

I've already heard from a number of members based here in the Twin Cities. I've heard nothing to this moment that suggests any of our members have been directly impacted by this event. Give me a ring or send an e-mail if you've got any particular questions or concerns.


Tuesday, July 31, 2007

Lessig to Move On

I missed this announcement that Lessig made last month. He's decided to shift his energy to battling "Corruption" in public policy. As many of you know, Lessig was the first recipient of the Cyberspace Law Excellence Award given out by the Cyberspace Law Committee. I'm personally sad to see him move on to other issues, but his reasons (as usual) are unassailable.

You can read his announcement, entitled "The Next Ten Years" is here.

Wednesday, June 20, 2007

Is Your Virus Checker Going to Get You Sanctioned?

BNA's e-commerce reporter tells the tale this week of a defendant in a federal tax case, who found himself severely sanctioned for spoliation of evidence.

His crime? The court found that after he'd received a subpoena for "e-mail, computer print-outs, and any file, data, or information on a computer disk or hard drive," he nonetheless installed an anti-virus program which also included a feature that routinely 'wiped' the hard-drive of the computer.

The court rejected the defendant's contention that his activity fell within the purview of the e-discovery safe harbor for "good faith routine operations," as provided at Fed. R. Civ. P. 37(f). Wiping a hard drive is not a routine computer maintenance task, the court said, and here it was carefully calculated to deprive the government evidence.

I believe that in most cases the 'wiping' function only serves to completely clean a hard-drive of remanants of a file that has been "deleted" (very much in quotes) by Windows. As most of us know, "deleting" under native Windows does little more than removing the file from the hard drive's file system's directory records. There is no actual deletion of the file until the operating system happens to re-use the space the file had been previously stored in. Since that might take months or years to completely finish, a true deletion of the file requires extraordinary efforts -- Usually with the use of a non-native program known as a wiper. The wiper's principle is to do a true erasure of the former file, done by looking for the space that the files were stored in and over-writing random 1's and 0's over the now 'un-used' spaces on the hard drive to make sure the trash has really been sent out to the trash.

(There are even more obnoxious nooks and crannies within a Windows NTFS hard-drive, including the so-called 'slack' -- If we had to get into that depth I'd bore you to tears. Suffice it to say that "deleting" and Windows are not terribly compatible concepts.)

Wiping actually has little to do with virus-protection, and more to do with the idea that many of us would like to think that when we 'delete' something it actually gets deleted. Since many virus checking programs have since become more generalized suites of security programs, virus checking being just one part, it is entirely likely that many of our computers (and our clients computers) have these wipers installed today, and in many cases the wipers are set to automatically go out on the hard drive and do their jobs.

Therein lies the problem this gentleman had. Once he'd received the subpoena, he had an obligation to maintain the integrity of all of the evidence on his hard drives, which would include the retention of the bits on the hard drive that might have been evidence of files he'd "deleted" prior to the date of the subpoena.

If we give him the benefit of the doubt for a moment, and presume that he never deleted a single (relevant) file (prior to the subpoena or after), what the "wiper" did is wipe out the evidence that he could have used to his advantage to show that he never attempted to delete anything. If the wipe had not been done, a forensics person could have examined the drive and opined that there was no evidence that relevant files had been deleted. By taking away the primary piece of evidence that the forensics person could have used to show the defendant's lack of bad acting, the defendant suffered the sanction of a finding that he had deleted files, that the files would have been evidence of his underlying tax fraud, and the worst flowed from there.

On the other hand, if he had been deleting files that contained incriminating evidence, the sanctions led to the right result. The problem, of course, is that we'll never know. Was this an innocent person who killed his own defense, or was this a person who tried to hide evidence of a fraud and who got his just desserts? The evidence to prove which is forever lost to the wiper.

(That said -- The court did cite evidence of some files that had not been lost to the wiper, indicating a likely pattern of behavior that would not be consistent with the seemingly benign content that remained after the wiper had done its job. In other words, there was at least a significant amount of smoke there, and the court probably felt it was enough to conclude that there must have been a fire there before the wiper had done its job.)

(In this case, the wiper was not actually part of a virus program or suite, but was a separate program called GhostSurf that is designed to delete trails of what one might have visited on the Internet, so I'm not sure why the defendant even tried the argument that this was all part of his 'virus' regime. Likely, it has to do with how much of the public subsumes all 'bad stuff' on computers with the word 'virus.' Again, we should explore what our clients actually mean when they use buzz words like that, since often they are not accurate descriptions.)

The court's harsh assessment of wipers may be a bit over-stated, since wiping a hard drive is very much a routine computer maintenance task for those who are tasked to ensure that data security rules like GLBA, HIPAA and the EU Data Directive (which include obligations to ensure proper destruction of data that the holder is no longer entitled to hold). But, just like everything else, once the subpoena has arrived the rules immediately change. (And, if we find ourselves between the competing obligations of the subpoena and the data privacy rules, we must approach the court and seek relief, and not engage in our own rationalization of how to resolve that dilemma.)

All of which is to say that next time your client receives such a subpoena, particularly one where desktop PC hard drives are in play, be sure to add yet another question to your checklist -- Have you any automated 'wiper' programs in place on any of those systems, and if so have you turned off any automated functions of those programs?

The case is United States v. Krause, Bankr. D. Kan., No. 05-5775, 6/4/07.

(Sidebar: The court made note of how it came to its own understanding of this issue. "The Trustee’s experts presented to the Court a virtual 'live' tour of the imaged hard drives from Krause’s computers. This vastly simplified the Court's understanding of the technical aspects of the spoliation issues. Many of the exhibits referenced in this Order are computer screen shots from that virtual tour." Of course, one might argue that this sort of presentation could be so over-simplified that it could be overly leading regarding the conclusions that should be drawn. While it doesn't appear that this happened to this judge, I would always be very concerned about what an adversary might do in the guise of "helping" a judge understand arcane matters of computer operating systems.)

Saturday, June 09, 2007

Gateway Having Trouble Proving Agreement to Arbitrate

An interesting story surfaced on Slashdot today. A California man has sued Gateway in small claims court alleging he got a lemon. Gateway is trying to have the case kicked to private arbitration, per the arbitration agreement they claim he agreed to.

The customer claims that because the monitor on his Gateway computer was malfunctioning so badly right out of the box, he couldn't read the arbitration agreement, let alone "click" the I Agree button. He claims that during tech support calls, a technician had him bypass the screen altogether. He also claims there was no written documentation with the PC that set forth the arbitration agreement.

The original judge agreed with the customer, but Gateway has asked the court to reconsider its ruling.

This case demonstrates one of the weaknesses of what I call the "gatekeeper theory" of proving assent.

Read the story from the Sacramento Bee.

Monday, May 14, 2007

MINNESOTA LAWYER Blog: Who's your legal tech geek?

MINNESOTA LAWYER Blog: Who's your legal tech geek? A local legal blog has posted a comment on how both businesses as well as law firms have not reached any kind of consensus on how to address the "intersection of law and technology."

The money quote for those of us who actually do understand that intersection: "Is it time for firms and corporations to develop positions that specialize full-time in legal technology? By assigning that beat on a catch-as-catch-can basis, it seems more likely that new developments in this area could be missed or misunderstood."

Maybe a few of us should visit that blog and post some thoughts, eh?

Wednesday, May 09, 2007

Metadata Disclosure - Alabama Follows New York, Not ABA

The Alabama bar has issued a formal ethics opinion, in which it essentially adopts the New York position on a receiving attorney's use of inadvertently disclosed meta-data received from opposing counsel or party (i.e., Don't Do It).

This is in contrast to some of the recent trends. The ABA recently issued an opinion, Formal Opinion 06-442 (August 5, 2006)
Review and Use of Metadata. The abstract for that opinion states, "The Model Rules of Professional Conduct do not contain any specific prohibition against a lawyer’s reviewing and using embedded information in electronic documents, whether received from opposing counsel, an adverse party, or an agent of an adverse party." (Order a full copy of the opinion here.) This is not a specific endorsement of the use of an opponent's metadata, since it merely says the (new) rules are silent on this point. But, remember that this new opinion withdrew a former opinion that specifically condemned the activity. Remember as well that the new ABA opinion arose from a logical result of the ABA's issuance of its new Model Rules, which had removed the specific rule cited in the withdrawn opinion to justify the old position. (I'm not up to speed on whether Alabama or New York have implemented the new Model Rules.)

Regardless, Alabama and New York both hold that the lawyer who has inadvertently received metadata has a duty to avoid use of the inadvertently disclosed information. Under Alabama's rule, "Absent express authorization from a court, it is ethically impermissible for an attorney to mine metadata from an electronic document he or she inadvertently or improperly receives from another party."

They do note that the SENDING lawyer who sent the inadvertently disclosed metadata has independently violated the duty to maintain a client's confidences. On that point both the ABA and Alabama are in full agreement. So, again, if you have not yet installed good meta-data scrubbers on your own systems, do give consideration to that.

(And, of course, remember that meta-data that is embedded in a document that is itself evidence should not be scrubbed when transmitted to the other side in discovery, since the metadata is part of the evidence and to scrub the evidence would be tantamount to spoliation. This rule only applies to documents that are not themselves evidence.)

Zippo Zinged Without Reazon

I don't know why this keeps happening, but yet another court has misstated the holding of the famous Zippo sliding-scale of interactivity case (Zippo Manufacturing Co. v. Zippo Dot Com, Inc., 952 F Supp 1119 (USDC WDPA 1997). (It isn't entirely clear to me if the confusion arose from the litigants, so I'll reserve my right to re-aim my ire.)

Once again, just so we can get this straight: Zippo is a SPECIFIC JURISDICTION holding. Its author went out of his way to say that the sliding-scale test had no application to GENERAL JURISDICTION.

In Howard v. Missouri Bone and Joint Center, Inc. 2007 ILRWeb (P&F) 1675 [Ill App Ct, 2007], the court went out of its way to reject the Zippo test, saying it had no application to the matter at bar (and that web sites, interactive or not, should be viewed as nothing different than advertising, essentially stating that interactivity is irrelevant to the question of jurisdiction). However, all of the parties were in agreement that the web site in question could only apply for jurisdictional purposes as a matter of GENERAL JURISDICTION. The Zippo rule has no application to claims of general jurisdiction.

There was no need for the court to reject Zippo. It need merely have pointed out to counsel that their cite to Zippo in support of their argument for general jurisdiction was clearly misplaced. Having said that, it does make sense to this author, when doing a general jurisdiction analysis, to view web sites as nothing more than another form of advertising. But, there is plenty to commend the interactivity sliding-scale test when looking for specific jurisdiction -- Jurisdiction arising out of a litigated matter that occurred via that particular interactive web site. (I'm not saying it's necessarily perfect... But, it's certainly better, when used in the right circumstances, than this court seems to allow it.)

Another Judge Questions Admissability of Electronic Evidence

As further evidence that the judiciary is no longer willing to simply trust computers and everything they say to us, yet another court has undertaken to teach us what will be needed to have electronic evidence admitted. And, it looks to me like the skills that our cyberspace lawyers can bring to the table are well suited to that task.

In Lorraine v. Markel Am. Ins. Co. (USDC D. Md., No.06-1893, 5/4/07), Chief Magistrate Judge Paul W. Grimm laid out a near treatise-length standard on how he would analyze what he calls electronically stored information, or "ESI". And, he reserves his primary critiques not on the parties, or on the technologists, but rather on the lawyers seeking to have the ESI admitted.

Although he ended up discussing nearly every type of ESI that might come up as possible evidence in litigation, much of the opinion focused on e-mail. As noted in the opening paragraphs of the exposition:

[U]nauthenticated e-mails are a form of computer generated evidence that pose evidentiary issues that are highlighted by their electronic medium. Given the pervasiveness today of electronically prepared and stored records, as opposed to the manually prepared records of the past, counsel must be prepared to recognize and appropriately deal with the evidentiary issues associated with the admissibility of electronically generated and stored evidence.
Indeed, the inability to get evidence admitted because of a failure to authenticate it almost always is a self inflicted injury which can be avoided by thoughtful advance preparation.

Lawyers -- Just because it came from a computer does not excuse your forgetting the basic rules of evidence.

I could not possibly even begin to summarize the teachings of the opinion in a short blog entry. Go now and download your own copy here.

Lawyers, the days of simply printing out e-mails and hoping to get them into the court are soon to be behind us. And, cyberspace lawyers: Is this yet another opportunity for you to pose your own knowledge in these areas to the benefit of your litigation colleagues?

Friday, May 04, 2007

Dvorak's Stinging Indictment of the Profession

Computer industry columnist John C. Dvorak has just published his take on the DVD decryption key case -- And he zooms his focus right on the lawyers who wrote the demand letters.

Because of the lawyers and the nasty letters, now everyone online knows how important this number must be. Boom! Now users get to work on it.

Heck of a job, lawyers.

Investors should be aware of the overall dangers the legal profession present to companies, and how its current and generalized naiveté can sink fortunes overnight. While I know of no corporation that has been bankrupted by this sort of fiasco, it will happen eventually if lawyers doesn't catch up with the times.

Or perhaps some executives should think for themselves.

Who knew that your law degree could be a weapon of mass destruction?

So, what do you think? Is Dvorak right to suggest that if not for naive but fee-hungry lawyers wielding their C&Ds with impunity that the executives never would have gone down this path? Or, would this have reached a head regardless of whether the legal profession was there to assist it? What alternative paths might have the attorneys taken? How do we factor in the role of Congress, which created the rules that the lawyers operate under?

It's your profession under fire folks. The Comment link is functional.

Wednesday, May 02, 2007

ADA Claims Against Web Site Operator -- Certified Class is Narrowly Defined

One of our recent Hot Topics presentations at the Spring Business Law Section Meeting in D.C. concerned the question of whether, and to what extent, a Web site operator is subject to the rules of the Americans with Disabilities Act. A suit against Target Corporation alleged that its target.com Web site did not meet the ADA's requirements to make it accessible to blind persons, and sought class action status for all blind persons in the USA.

A few months back, the judge had already cut back on the breadth of the suit, saying that there was no ADA protection available where the claims were purely related to the Web site. She did allow that claims which could be construed as how the inaccessible Web site impeded a blind person from accessing a physical retail outlet might go forward.

In her most recent action on April 25, the judge noted that the class that would be certified for this suit would be "All legally blind individuals in the United States who have attempted to access Target.com and as a result have been denied access to the enjoyment of goods and services offered in Target stores."

She then followed up with the real kicker -- Apparently the judge was quite concerned that none of the original declarants (the named plaintiffs who represent the class) would be eligible to join the class under this new narrower definition.

Judge Patel allowed that the plaintiffs might still be able to provide declarations to meet the test, or a different named representative, so the suit goes forward with the condition that the plaintiffs' lawyers must come up with at least one named plaintiff who can actually be a part of the class. Nat'l Fed'n of the Blind v. Target Corp., N.D.Cal., No. C 06-01802, 4/25/07)

For the moment, the ADA-specific concerns for Web operators are still rather remote. How site operators might operate in practice is of course a different topic, but for now one better left for those trained in ethics, mores and cost-benefit ratios. (Which is not to say that lawyers should be avoiding those topics in forming their advice.)

Thursday, April 19, 2007

News Flash: The Internet Is Still Part of the Real World

Vince Polley's MIRLN newsletter alerts us to a story out of Florida, where the Florida state bar authorities are on the verge of implementing new rules regarding lawyer advertising that are specifically concerned with advertising on the Internet. That's not so interesting as was a quote from the Orlando Sentinel story about this development. "If the Supreme Court approves the proposed rule, it would make Florida the first state to address lawyer advertisements via the Internet." That's just plain wrong, for one simple reason. Every state authority that regulates lawyers already addresses lawyer advertising -- And internet advertising is, in the end, just advertising. The laws and rules that already exist regarding lawyer advertising should be applicable to the Internet just as they are to newspapers, TV and the back cover of the Yellow Pages. (My guess is that the quote is the newspaper reporter's own characterization rather than by the bar authorities -- So, please forgive my using that as an opportunity for a rant, and no ill will is wished upon those same authorities.)

More to the point -- Why do we always feel a need to create special rules for what happens on the Internet? Where there are distinct differences there might be good cause for special carveouts, but more often than not the "Internet rules" are simply a restatement of what the rules are already in the real world, with the implicit thought that the real world rules didn't apply to the Internet unless we say so. The rules already apply -- The Internet is still a function of the real world, it still applies to how human beings communicate with each other just as pamphleteering, newspapering and broadcasting applied before it. We can apply the same rules to the 'Net in most cases just as well as we can to the other media. Let's get past the fallacy that just because it's the Internet all the rules are off the table, so that we can start to talk about real differences rather than perceived ones.

Wednesday, April 18, 2007

Authentication? We Don't Need No Stinking Authentication!

Many lawyers in internet-related practices have become acquainted with some of the research tools out there for investigations. One of the more popular options is the Wayback Machine maintained by the Internet Archive organization. For the 3 persons left on the planet who haven't seen this tool in action yet, these folks have been crawling the Web for years and maintaining html copies of the pages they find -- More or less every site that hasn't made a request to be excluded from the crawl. (Whether the archive has a right to do that, and how all of this intersects with copyright, contract law and the like, is the subject of other threads of discussion.)

On a more mundane footing, when we as attorneys find these wonderful nuggets stored by the Wayback machine, and eagerly seek to get them admitted into a courtroom proceeding for the benefits of our clients, might we take a second to pause and consider the good old rules of evidence? That was the issue in [XXX[, where the plaintiff sought to admit pages printed from the Wayback Machine as part of his prima facie argument. The existence of the older Web pages was not the issue, but rather the admissibility of the information posted therein.

"Where postings from internet websites are not statements made by declarants testifying at trial and are offered to prove the truth of the matter asserted, such postings generally constitute hearsay under Fed. R. Evid. 801."

We all of course remember that there may be exceptions to the hearsay rule, but absent a showing of one of those exceptions hearsay gets kicked. In today's case, the court noted that the plaintiff

lacks the personal knowledge required to set forth with any certainty that the documents obtained via third-party websites are, in fact, what he proclaims them to be. This problem is even more acute in the case of documents procured through the Wayback Machine. Plaintiff states that the web pages archived within the Wayback Machine are based upon "data from third parties who compile the data by using software programs known as crawlers," who then "donate" such data to the Internet Archive, which "preserves and provides access to it." (Novak Decl. ¶4.) Based upon Novak's assertions, it is clear that the information posted on the Wayback Machine is only as valid as the third-party donating the page decides to make it—the authorized owners and managers of the archived websites play no role in ensuring that the material posted in the Wayback Machine accurately represents what was posted on their official websites at the relevant time. As Novak proffers neither testimony nor sworn statements attesting to the authenticity of the contested web page exhibits by any employee of the companies hosting the sites from which plaintiff printed the pages, such exhibits cannot be authenticated as required under the Rules of Evidence.

(emphasis added)

Without the necessary authentication, the evidence that Mr. Novak was seeking to admit was kicked.

Novak d/b/a Petswarehouse.com v. Tucows, Inc., 2007 WL 922306 (USDC EDNY No. 06-CV-1909 (JFB) (ARL), Mar. 26, 2007).

The lesson for us? Simply this -- Don't skip steps just because you got it from the Internet! All of the same rules continue to apply. And, in some cases, those rules may mean that your golden nugget will remain outside the courtroom unless and until you can find a way to authenticate it.

There was a second part of the same opinion which I found equally interesting on a totally different topic, but to maintain thread integrity (!) I shall hold that for another posting...

Wednesday, March 28, 2007

Open Source News

From Slashdot:

The Free Software Foundation has announced publication of the third discussion draft of the GNU General Public License Version 3. Because quite a few changes have been made since the previous draft and important new issues have surfaced, the drafting process has been extended and revised to encourage more feedback. The most significant changes in this draft include refinements in the "tivoization" provisions to eliminate unwanted side effects, revision of the patent provisions to prevent end-runs around the license, and further steps toward compatibility with other free software licenses.

Get your copy here.

I guess it's not surprising how long this new version of the GPL is taking to work its way through their system. This third discussion draft is only being issued today -- The second discussion draft came out July a year ago. (Offhand I can't find when the first discussion draft came out, but I'm sure it was some months before the second.) The good folks at FSF are certainly finding out what happens when many folks with varied interests all get to participate in the crafting of a document that will have universal impact on almost all users of software -- Maybe we should get them to connect with the folks over at NCCUSL who were working on UCITA? Think of how much they all have in common now!

Monday, March 26, 2007

Payment Cards and Money Laundering -- Evidence of Reality?

In our Spring Section Meeting earlier this month, we had an interesting presentation by government and industry folks regarding the potential fraudulent use of payment cards to bypass money laundering laws. While the two groups did not exactly come to agreement, it was this writer's thought that neither side felt that there was all that much evidence of widespread use of payment cards in other than small-time schemes.


Just recently Florida law enforcement is reporting that they have discovered that a number of the credit card accounts that were the subject of the recent T.J. Maxx hacking incident, where many thousands of credit card numbers were likely revealed, were eventually used to buy gift cards from Wal-Mart stores -- $18,000 and $24,000 worth in two different Florida stores. In turn the bad guys then used those cards at Sams Club locations to buy electronics. (Recall, of course, that Sams Clubs are part of the Wal-Mart empire, and therefore this seems to have been a scheme entirely within a retailer's own private card system, rather than one involving the credit-card branded cards processed through Visa, Mastercard and the like. Maybe the bad guys thought that the private card issuers would be less diligent than the card association issuers? Who knows...)

  • UPDATE: I've been reminded that the industry terms for those two kinds of cards are 'open loop' (the kind that is branded with VISA or MASTERCARD and is usable pretty much anyplace that can accept credit cards) versus 'closed loop' (the kind that is branded by one particular retailer, for example, and is usable only in that retailer's own stores).

Apparently somebody at Wal-Mart eventually took note of the large card purchases, and ultimately they were able to connect the cards to the T.J. Maxx hacking incident.

This isn't the cross-the-border sort of money laundering that we were discussing in Washington. Nonetheless, these guys certainly viewed the gift cards as another way to 'wash' their stolen credit cards, since the only time the stolen cards would have been used was when the gift cards were purchased rather than at the time the electronics were being purchased.

The good news is that the systems that might catch this seem to have worked (of course, we can say that only for the attempts we know about). The bad news is that maybe the 'hype' isn't quite as 'hypey' as we might have thought.

Saturday, March 17, 2007

Electronic Commerce Subcommittee

The Electronic Commerce Subcommittee continues to attract broad audiences for its cutting edge topics. In this Spring's meeting, we first heard a presentation from Jon Rubens regarding the soon-to-be released web site Safeselling.org. As of today the page is only open to people who are signed on with their ABA user IDs (or at least any of the links under it -- I can't test since I'm signed on), but members can certainly poke around and see it for now. The site is very nearly ready to release to the wild. We hope to have it opened up in a matter of weeks, and shortly thereafter joining in a cooperative effort with the ABA's own media relations group for purposes of really telling the whole world about this great effort.

Beyond that, the subcommittee continues to be interested in developing a body of law surrounding virtual reality gaming -- Both in terms of legal issues here in 'real space' as well as the burgeoning law within the virtual spaces. One thought is to publish an outline of legal issues that Christina Kunz has been developing since our Little Rock meeting -- Just in taking notes she has gathered over six pages of nothing but issues (no answers!). This looks like it has legs for a while...

CAIT Meeting

Bill Denny, Co-Chair of the Subcommittee on Corporate Aspects of Information Technology, passed along his notes from their meeting on Thursday:

The CAIT subcommittee had a highly dynamic and well-attended meeting. Don Cohn and Bill Denny, the co-chairs, gave brief presentations on IT issues in M&A Transactions. Don focused on the challenges of addressing electronic records in the Purchase Agreement and then implementing the transfer of such records. CAIT is building a checklist and commentary of IT issues in M&A transactions, which it intends to publish as a supplement to the M&A checklist published by the Negotiated Acquisitions Committee and to present at a Program in Spring 2008. A number of people volunteered to help develop parts of this checklist.

Steve Hollman and Dino Tsibouris gave a fast-paced overview of their exciting project on blogs, wikis and social networking in business communications. This Project has proposed a program for the ABA 2007 Annual Meeting as well as possible podcasts, and will package the materials for use by a speakers bureau. It also intends to develop sample business blogging policies to supplement previous publications covering employer internet policies. There was lots of interaction by the participants about the record retention challenges of these new methods of electronic communication.

Ariane Siegel explained her CAIT project of developing short form and long form data transfer agreements for cross-border transactions. These agreements will cover the collection, use and disclosure of personal information. The participants discussed the challenge of facilitating the transfer of data and keeping focus on the process. Don Cohn addressed another CAIT project relating to cybersecurity. It focuses on security holes associated with software, as economics drive the software market to push products out to customers and deal with problems later. Customers can deal with this through warranties, specifications, acceptance testing or indemnities, and the project will come up with sample contract provisions and discussion of ways the clauses do and do not address risk.

CAIT participants came up with several exciting ideas for new projects. Liz Blumenfeld suggested dealing with how corporations are dealing with virtual worlds such as Second Life. There seemed to be significant energy around developing corporate-related issues in this context. Another interesting new project would be to examine mass market licenses and ask what standards should be placed on vendors regarding the terms in these adhesion contracts. Questionable clauses include audit clauses, confidentiality clauses and indemnity clauses requiring licensees to indemnify for licensor's negligence. The project ties in with work being done by the subcommittee on Electronic Contracting Practices. Chris Kunz said this topic related closely to a Loyola LA symposium on contracting out of mandatory rules in the UCC. She is writing a paper for that symposium on the ethics of invalid and iffy contract clauses.

Data Integrity: The Emerging Risk to SOX Reporting, E-Discovery and Information Protection

The Privacy Subcommittee coordinated a broad expert panel of speakers who taught us something of the potential threats to businesses who depend on data and how reliable it is. A few photographs were used to demonstrate some visible data integrity concerns -- The manipulation of photographs. We took a quick glance at some famous photo manipulations found on the Wired News site. Then Ted Claypool showed us a few examples of his own manipulations, including the photo at top which shows him as a member of a recent space shuttle team. (He's the Canadian team member on the top right by the way. Not.)

Our moderator was Ted Claypoole of Womble Carlyle's Charlotte office. Panelists were Mary Ann Davidson, Chief Security Officer of Oracle Corporation; Francoise Gilbert of IT Law Group in Palo Alto; Paul Doyle of ProofSpace, Inc.; and John Tomaszewski, the Vice President of Policy and Compliance at TRUSTe, the online privacy advocacy and certification organization.

The photograph of the panel that I took early on in the session was pretty good, but somehow Lenny seems to have managed to get into the records and altered it. I am checking into the integrity concerns.

Skipping past the fun stuff, we moved on to discussing how these issues may impact real data. As we have learned in past discussions about data security, data integrity is often more a matter of tracking what has happened than it is preventing that which probably cannot be prevented.
Of course, the panel first tried to define what it was talking about when it spoke of data integrity, something we all want but don't necessarily know what it is. The panel did agree that access/security is not the same thing as integrity, and that helping integrity does not mean the data is any more useful (or not) as Garbage In/Garbage Out still applies. Consensus seems to be that integrity is more of a question of consistency and the ability to link the data's state to a particular point in time.

The lawyers on the panel were more in line with the idea that showing that access had not happened would subsequently be evidence of integrity (the thought being that if nobody was in the room nobody could have changed it). The technologists felt that proof of access (or lack thereof) would not be the point, since we need to focus on somehow comparing the facts at one point to the facts on hand today that we purport are the same as the ones put in the room.

The number of questions from the audience spoke well to the interest in the topic.

Hot Topics in Cyberspace Law

The committee's always popular Hot Topics forum was held on Saturday morning (the first meeting day that finally broke without storm clouds overhead...).

The speakers (left to right in this picture) this Spring were David Satola from the World Bank, Marc Martin from K&L Gates, Holly Towle from K&L Gates, Juliet Moringiello from Widener University and Ben Beard from the University of Idaho.

Marc opened with a primer on the ongoing controversy known as Net Neutrality. He reminded us that this is both a new battle but also one that has a historical element going back over many years. The telecommunications industry has long had elements of 'how do we categorize' this form of communication, the reason often being that once we categorize the form of communication we have pre-determined the type of regulation. Marc ultimately left us with the idea that this is a battle with many goliaths on both sides of the concern, one that may be very politicized, and that it may take a while for any of us to have any answers about this.

David, who along with member and IP Subcommittee Chair Kristine Dorrain visited the recent Internet Governance Forum in Athens, Greece, presented a short discussion of what happened at that meeting and what may happen next. His presentation contained a summary of the presentation he moderated on legal issues, and you can see the slides in the linked document.

Holly reviewed the recent re-birth of claims by advocates for disabled persons that the Americans with Disabilities Act covered a retailer's web site as a 'place of accommodation' which needed to be set up with proper tools (such as text tags that are used by persons who need to use vocalizers because they cannot see). The case against Target Corporation, which alleges that Target's website did not allow blind people to use their text readers to navigate the site, has recently survived an early round of summary judgment. Holly concluded that the case was not so earth-shaking as first thought, since the plaintiffs' case only survived to the degree they could allege a strong connection between the defendant's physical stores and the site, and particularly how the ability to use the physical stores could be negatively impacted by an ability to use the website. The judge has clearly not allowed claims to go forward that allege only that the website is itself a 'place' for ADA purposes. While the outcome of this case is not certain, it does seem that the more narrow category of sites that have a close interaction with a physical place that is unquestionably covered by ADA should be paying attention to their sites' own usability.

Finally, Ben and Juliet discussed for those of us who are completely absorbed in the law the new phenomenon of virtual worlds and the legal issues arising from them. Ben noted that within the world itself we have a burgeoning economy, with the potential for intra-virtual-world disputes, as well as the odd twist of (in at least one instance) being able to move 'money' from the real-world to the virtual-world and back again. There are already people clamoring to note that these sorts of systems have the legal effect of turning the operators of these systems into banks (or at least one of their cousins in the financial services regulatory world). Juliet reviewed a recently file action by a Second Life member against the service operator. The member alleges that he more or less received property rights from Linden Labs, and that Linden has improperly 'converted' his property (he'd purchased 'land' in the Second Life world) when it chose to terminate his account.

We give our thanks to those who dragged themselves out at 8 AM on a Saturday, and especially to our great crew of speakers.

Kennedy Overlooks Jones Overlooking Nuara

The picture of a young JFK, in the Presidents Sports Bar at the Renaissance Hotel, stands watch over Chair Candace Jones, who is ignoring Lenny Nuara's under-the-table BlackBerry habit.

UPDATE: Above entry fixed to reflect the correction to Fleming's faulty history, given that he thought it was Gerry Ford in the photograph and originally posted it that way. Thanks to Lenny for the assist -- You must have looked up at least once last night.

A Snowy Night at the Capital

The weather was beautiful here in D.C. -- The night before we all arrived. Pretty much from that point forward, it rained almost continuously. This writer ultimately ventured into Chinatown to see if he could find the usually ubiquitous $5 umbrella, but none were left. The rain lasted all day on Friday, with no letup.

Actually, that's not true. At about 8 o'clock in the evening, walking home from dinner, there was something familiar to those of us from the North falling from the sky.

The snow really was quite pretty, and hopefully this photo will let you see a bit of that.

Friday, March 16, 2007

Subcommittee on Internet Law

From Hank Judy, Co-Chair of the Subcommittee on Internet Law:

The meeting of the Subcommittee on Internet Law featured a presentation on the US SAFE WEB Act of 2006 (the "Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers beyond Borders Act of 2006") by Shaundra L. Watson who serves as a Counsel for International Consumer Protection in the Federal Trade Commission’s Office of International Affairs. The Act was enacted in December of 2006 and grants the FTC broader authority to pursue foreign spammers, phishers and other online fraudsters and scammers. Now the FTC has authorities similar to those granted the SEC, the Commodity Futures Trading Commission and federal banking agencies. Hank Judy, who chaired the meeting, noted that cross-border online fraud of all kinds is a rapidly expanding threat to business and consumers alike and that, while the Act was largely procedural in nature, it is a key protection for the online world and will become an even more important protection in the future. He said that this fact, plus the fact that the Act has not received the public notice that it deserves, are reasons why the Act was a topic of importance to the Internet Law Subcommittee.

Ms. Watson's presentation covered the Act's provisions dealing with pre- and post-judgment enforcement litigation in foreign courts, information sharing with foreign law enforcement agencies, investigative assistance to foreign law enforcement agencies, enforcement relationships, reporting requirements under the Act and the Act's sunset provision. She emphasized the extent to which the Act clarified existing authority rather than adding new authority. Here is a copy of Ms. Watson's excellent PowerPoint and a copy of the Act.

Thursday, March 15, 2007

Pre-Paid Cards & Anti-Money Laundering: Hype or Reality

Judie Rinearson, co-chair of the Electronic Financial Services Subcommittee, kicked off her group's presentation on payment cards and the risks inherent in offering such services and products. A stellar cast of panelists was on board, including representatives from industry and government. In fact, this was split up as two different panels -- The government panel and the industry panel. Judie promised that no rumble would ensue, and we crossed out fingers accordingly.

The initiation of a seemingly simple activity like issuing the electronic gift cards tends to open one up to a panoply of federal and state obligations. Fortunately, many of those obligations are limited to entities that are banks. But, many non-bank issuers are still going to follow the same rules, either because they volunteer to them OR because the banks they are using as a service provider insist on it. Thus, we do not avoid having to learn about this simply because we are not representing a bank. And, the trend is towards more regulation.

The government panel started first. Courtney Linn from the Justice Department opened (and, as always, noted that he speaks only for himself and not as a representative of the U.S. Government). He pointed out that the burgeoning cash card phenomenon has quickly been seen as a potential alternative method for carrying cash for contraband transactions. The recent Drug Trafficking Assessment stated as much, and offered evidence that this is not merely a hypothetical. Courtney related that many of the existing statutes involving banking, bank secrecy, money transmitting and the like are now being applied to stored value cards. However, there are some shortcomings in the current structure, particularly when looking at powers given to the federal regulators versus the states.

On the other hand, Donald Semesky, speaking on his own behalf and not his employer the DEA, noted that he had no hard evidence that the serious traffickers are actually used stored value cards. There is some anecdotal evidence of cards being used in street-level transactions. There is evidence of it being used in banking fraud cases (where the resulting cash is deposited into a stored value card). He notes that the methods used for cards to be used as a money laundering device tend to increase how much the drug trafficker is noticed. Cash is collected, and the traffickers want to keep it simple and simply move the cash around rather than transform it into the banking system (let alone pre-paid cards). Don noted that the cell phone industry is going to create the next real wave of money transfer, and that his group is probably more concerned about the cell phone money-transfer system than it is the pre-paid card system. That said -- He does believe there is ultimately motivation for the traffickers to want to move to a non-cash system, and that in time they may move towards the systems that so far are more hypothesis than reality.

The industry panel picked up the discussion and continued the theme -- Is there really a problem out there? Are there mechanisms in place in the existing system that should mitigate the chance of pre-paid cards becoming a serious source of contraband funds transfer? Retailers, representatives of national banks, and others more or less concluded that this is not a system that is ripe for use as a serious money laundering facility. While there are certainly going to be examples of small-time fraudulent use, the industry folks certainly did not believe that there was ever going to be a big problem here.

In all - There appeared to be some degree of agreement between the two factions, at least to the extent that the problem has actually appeared in the wild. The disagreement if there was one is more in the matter of how likely this is to happen tomorrow, and even there we didn't exactly here a sky is falling statement from anybody. Certainly, caution is called for by all, but this listener came to the conclusion that 'hype' is the answer (if we're asked to answer).

Query -- Our (exceedingly cutting edge) gang has already been pondering yet another twist -- Money laundering by way of virtual economies that allow one to transfer 'value' out of 'real' money, into virtual money, and back out to 'real' money. Will we see Second Life as a new form of banking?

UPDATE: Committee member Stephen Middlebrook's own blog emoolaw.blogspot.com has just been updated with yet more interesting information on the subject of payment cards and money laundering -- Take a glance.

Wednesday, March 14, 2007

Make a Difference in International Internal Policy

Hal Burman and the Working Group on International Policy is a great forum for those of us who want to have input on the world stage of internet law -- He presents thoughts below on what the group will be discussing on Thursday:

The WG on International Policy (Room 154A Level 1) meeting at 4:30 Thursday will take up issues directly relevant to several Cyberspace subcommittees, some of which also meet Thursday; hopefully some attending two of the other meetings can join the 4:30 so we assure coordination.
Consumer protection (which meets at 12:00): We are asked for views by mid-April on consumer rights and e-commerce to respond to two proposals at the Organization of American States to deal with that, in particular a proposal from Canada.
Transferability of electronic assets (which meets at 1:00): we have been asked to prepare for Uncitral at the UN a short description of our views on transferability in light of current developments. Cyberspace Committee input would be needed by the end of the month or at the latest early April. This is an opportunity to promote possible UN work in this area, beyond that related to maritime cargo, if we take the lead.
Electronic payments (which meets at the same time, so this will be challenging): we were asked whether we should support an informal proposal by IMF to reexamine the Uncitral Model Law on Electronic Funds Transfers, in light of current e-commerce and other developments, and experience of the payments industry (the Model Law, used as a litmus test for countries adopting laws or regulations on EFT, was designed to be compatible with the Brussels-based SWIFT system and UCC 4A).
E-signatures and authentication: we have already passed on the views developed at the Winter Working Meeting, but need to further consider our posture on that for a UN meeting in early July. Volunteers (self-funded) to attend a UN conference in Vienna in mid-July on private commercial law featuring e-commerce as one of its main topics will be welcomed this week or anytime after.
Privacy of data: this has been raised recently as a possible UN topic in several fora. Input on whether we should support further multilateral examination of topics related to privacy, or continue to duck it, would be most helpful.

A couple of room changes...

Stephen Middlebrook let me know:

  • The "Hype or Reality" program scheduled for Thursday from 2:30-4:30 has been moved from room 141 to 144A.

  • The Electronic Payments Working Group meeting on Thursday from 4:30 to 5:30 has also been moved from room 141 to 144A.

Tuesday, March 13, 2007

Spring Meeting -- The final schedule is posted!

I've just uploaded my final draft of the detailed progamming schedule for the Cyberspace Committee's activities in Washington this week. You can download your own copy here.

This promises to be a great meeting, with over 5 major programs either sponsored or co-sponsored by Cyberspace and many of our subcommittee and working group meetings featuring substantive 'mini-programs' in topics of relevance. I hope that we will see many of the readers of this blog at the meetings starting this coming Thursday.

Our usual blogging crew promises to be on hand, and we will try to post our usual mix of meeting reports, photographs, trivia and other fun content, so please try to check back often through the end of the meetings scheduled for Saturday afternoon.

Wednesday, February 14, 2007

Illinois Legislator Tries to Ban Social Networking Sites

Here's a link to the full text of a bill introduced by an Illinois Legislator to require public libraries and schools to block access to social networking sites. Interestingly, the bill doesn't define what a social networking site is.

So, please don't leave a comment on this post, because I wouldn't want a library in Illinois to block access to our blog.

Source: Slashdot

Tuesday, February 13, 2007

Register NOW for the Committee Dinner!

The Committee on Cyberspace Law will hold their Committee Dinner for the Section of Business Law Spring Meeting in Washington, DC on Thursday, March 15, 2007. Dinner officially starts at 8 PM that night. We will be at the Jaleo Restaurant in Crystal City, Virginia.

Your cost -- A mere $40.00 per person. And -- Complimentary transportation to Jaleo Restaurant will be provided to all persons registered for the dinner!

(As always, CLC has amongst the lowest (if not the lowest) pricing for its dinners amongst all of the Section of Business Law -- And, we would think that ours are also the coolest of all, but that's just our opinion...)

To learn more about Jaleo Restaurant click here.

To register for the dinner (note: you must first be registered for the Spring Meeting, or do the dinner reservation at the same time as you register for the meeting) please click here to visit the ABA's online meeting registration system. After logging in, please select the Cyberspace Law Committee dinner and follow the prompts to complete your registration.

For your convenience a printable copy of the registration form is available by clicking here.

The deadline to register for the Cyberspace Law Committee Dinner is Wednesday, February 28, 2007.

Done in a Gliffy...

I've been pondering the growth of online 'collaboration' tools much of late (part of my work for other parts of the ABA than the CLC).

Most of the interesting stuff seems to come from outfits that get a good idea involving a little niche, which ultimately gets popular and forms a new industry in the world of the big boys. "Writely", the online word processor that allows multiple parties to play with the document online at the same time, is a great example of this. Although the writely tool is still a bit of a kludge, it's a significant move towards a viable collaborative environment (i.e., one that my boss would be willing to spend time in for doing real work, and not just the fault-tolerant techies like myself).

The new one I've just come across is Gliffy. This one allows you to start drawing up diagrams and other graphics, sharing and playing with it at the same time with many others, saving in popular file formats, etc. (Cool stuff...)

The only question left in my mind is when it will be that any one of the GYM companies (I'll leave it to you smart readers to figure out what that acronym might mean--it's three different companies who are each big in the online space...) will be either buying them and/or doing the same thing themselves.

Monday, February 12, 2007

If the FBI can't keep track of 'em...

The AP is reporting that the inspector general with jurisdiction over the FBI is reporting that the Bureau's losses of laptops have been reduced significantly from a prior study (previously about 11 1/2 per month, now reduced to about 3 1/2 a month).

Still -- That's over 3 laptops a month, any one of which might contain crown jewel-level information. "'Perhaps most troubling, the FBI could not determine in many cases whether the lost or stolen laptop computers contained sensitive or classified information,' said the report."

This post is not here to bash the Bureau -- Rather, it's a wakeup call for the rest of us. If the FBI is having trouble doing this, can we expect organizations whose entire raison d'etre is not security to keep up? Not that we shouldn't be trying, but do have a realistic point of view on how much can be achieved (and, more important, presume that your best-laid-plans will fall victim to human beings' own issues).

Saturday, February 10, 2007

MIRLN -- Misc. IT Related Legal News [20 January – 10 February 2007; v10.02]

Vince Polley's periodic newsletter known as MIRLN (Misc. IT Related Legal News), a free product of the American Bar Association’s Cyberspace Law Committee and Dickinson Wright PLLC, is out with it's latest edition. You can read it in full here.

Highlights from this new issue include:


Members of the ABA Cyberspace Law Committee automatically receive MIRLN postings (about every third week); members can manage their subscriptions here (find the “Listserves” box; MIRLN comes through the CLCC-MEMS listserve).

Others who wish to be added to the MIRLN distribution list should send email to Vince Polley with the word “MIRLN” in the subject line, and similarly will be removed from the distribution list after sending email to Vince with the words “MIRLN REMOVAL” in the subject line. (Need to know Vince's e-mail address? Well, you'll have to go do some digging... You have enough info in this posting to go find the answer though!)

Recent MIRLN editions are archived at www.vip-law.com and blogged at http://mirln.blogspot.com/.

Wednesday, January 31, 2007

Photo Gallery

Since I couldn't possibly post all of the wonderful photographs that people shared with me, including those from Roland and from Francoise, I've taken many of them and put them up in a separate gallery, which you can visit here.

From CLCC WWM 2007...

Please go enjoy! Someday when I have time I'll try to add captions... (Time -- What a concept.)

And, if you took some (reasonable number of...) photos you would like to share with the rest of us, please e-mail them to me and I will be glad to add them.

Floppies Are Dead

The BBC is carrying a story that "Computing superstore PC World said it will no longer sell the storage devices, affectionately known as floppies, once existing stock runs out."

Cue the funeral dirge.

Anyone want to guess how many years it will take for the USB Thumbdrive to die?

Tuesday, January 30, 2007

USS Agin (NCC-2007)

As a dedicated fan of this blog, Warren Agin took to heart our request that we have some Enterprise models made out of old diskette cases brought down to Little Rock. Not only did Warren follow through, he made his own improvement on the design by using some of the actual diskette as a new piece of cowling for the front of the ship.

Of course, after asking all of you do to the same thing, I'm unhappy to report that I rummaged through my home and could not find an old floppy. I must have taken housecleaning to too much of an extreme...

PREVIOUSLY: What it's Really All About...

Posted by Picasa

Monday, January 29, 2007

Kudos for Our Writing Teams

Eran Kahana and Elizabeth Bowles, co-authors of a recently published Business Law Today article on the famous incident regarding Sony-BMG and DRM software that ran amuk, have been receiving kudos from readers regarding their work. "Very well-written and helpful and, of all things, refreshingly clear," said one reader. I, of course, totally agree.

And, if that sort of thing does not suggest to you that writing for BLT is a good thing for you to get recognized in the national legal community, well -- I don't know what would! Remember -- If you think you should be the next one of the Committee's members who gets that sort of message, get in touch with Vince P, Juliet M, Candace J or myself and we shall set you on the path.

EFF's Internet Law Treatise

We were joined at WWM this year by Lee Tien, Senior Staff Attorney at the Electronic Freedom Foundation. Lee sat in and added his own and his organization's point of view to many of our discussions, and we all look forward to more time with him in the future. You can pick up a bit of Lee's own bio by scrolling down on the EFF's staff page at http://www.eff.org/about/staff/.

Lee pointed out to me that the EFF is currently in the process of drafting its own wiki-based summary of Internet law, currently housed at http://ilt.eff.org/index.php/Table_of_Contents. The Internet Law Treatise is a project to maintain a treatise summarizing the law related to the Internet with the cooperation of a wide variety of attorneys, law students and others. It is apparently based on an earlier publication issued by the Perkins Coie firm from 2003, which has allowed EFF to run with this on the proviso that we all acknowledge that Perkins is not responsible for the results. (In a sense, this is quite similar to how Prof. Larry Lessig has issued a 2nd edition of his famous Code and Other Laws of Cyberspace, known as Codev2, which was largely developed by others working on top of the 1st edition through a wiki set up by Prof. Lessig.)

The EFF's project is not officially sanctioned by the Committee, nor do we participate in it as an ABA effort. But, we are happy to pass on Lee's request that we let our members know about this, since we are certainly not the only game in this town. If you are interested, contact Kurt Opsahl at the EFF for information on getting access to the wiki for participation. (And, let us know if you get involved!)

UPDATE: Kurt himself just contacted me to remind me to remind you that the current draft you see of the Internet Law Treatise is most definitely a beta, and should be read with that in mind -- Which demonstrates the need for good lawyers to come in and assist!

Sunday, January 28, 2007

Taking EULAs to Task

Boing Boing comes through yet again with a very interesting site dedicated to lampooning those horrible, one-sided EULAs. Claiming they are likely not enforceable, this site is dedicated to helping the little guy fight back.

Here's the text of their Anti-EULA:

READ CAREFULLY. By [accepting this material|accepting this payment|accepting this business-card|viewing this t-shirt|reading this sticker] you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.
They even have t-shirts, bumper stickers, and stickers you can add to your stationery, the backs of your checks, etc. Here's a sample of the t-shirts:

At the wrap up from the Winter Working Meeting, Chris Kunz mentioned they were contemplating another article on the enforceability of online agreements. They've covered how to get a binding click, and whether click free can still constitute a contract or otherwise bind a party. The next article is to be about modifying online agreements. Perhaps we should invite these guys to participate in the process. It would certainly make for an interesting discussion.

They even have a link to submit examples of abusive EULAs. I bet we'll find some good examples during the drafting process for the third article. Here's the link.

Finally, the profits from the sale of a lot of the paraphernalia go to EFF.