Wednesday, March 28, 2007

Open Source News

From Slashdot:

The Free Software Foundation has announced publication of the third discussion draft of the GNU General Public License Version 3. Because quite a few changes have been made since the previous draft and important new issues have surfaced, the drafting process has been extended and revised to encourage more feedback. The most significant changes in this draft include refinements in the "tivoization" provisions to eliminate unwanted side effects, revision of the patent provisions to prevent end-runs around the license, and further steps toward compatibility with other free software licenses.

Get your copy here.

I guess it's not surprising how long this new version of the GPL is taking to work its way through their system. This third discussion draft is only being issued today -- The second discussion draft came out July a year ago. (Offhand I can't find when the first discussion draft came out, but I'm sure it was some months before the second.) The good folks at FSF are certainly finding out what happens when many folks with varied interests all get to participate in the crafting of a document that will have universal impact on almost all users of software -- Maybe we should get them to connect with the folks over at NCCUSL who were working on UCITA? Think of how much they all have in common now!

Monday, March 26, 2007

Payment Cards and Money Laundering -- Evidence of Reality?

In our Spring Section Meeting earlier this month, we had an interesting presentation by government and industry folks regarding the potential fraudulent use of payment cards to bypass money laundering laws. While the two groups did not exactly come to agreement, it was this writer's thought that neither side felt that there was all that much evidence of widespread use of payment cards in other than small-time schemes.

Well...

Just recently Florida law enforcement is reporting that they have discovered that a number of the credit card accounts that were the subject of the recent T.J. Maxx hacking incident, where many thousands of credit card numbers were likely revealed, were eventually used to buy gift cards from Wal-Mart stores -- $18,000 and $24,000 worth in two different Florida stores. In turn the bad guys then used those cards at Sams Club locations to buy electronics. (Recall, of course, that Sams Clubs are part of the Wal-Mart empire, and therefore this seems to have been a scheme entirely within a retailer's own private card system, rather than one involving the credit-card branded cards processed through Visa, Mastercard and the like. Maybe the bad guys thought that the private card issuers would be less diligent than the card association issuers? Who knows...)

  • UPDATE: I've been reminded that the industry terms for those two kinds of cards are 'open loop' (the kind that is branded with VISA or MASTERCARD and is usable pretty much anyplace that can accept credit cards) versus 'closed loop' (the kind that is branded by one particular retailer, for example, and is usable only in that retailer's own stores).


Apparently somebody at Wal-Mart eventually took note of the large card purchases, and ultimately they were able to connect the cards to the T.J. Maxx hacking incident.

This isn't the cross-the-border sort of money laundering that we were discussing in Washington. Nonetheless, these guys certainly viewed the gift cards as another way to 'wash' their stolen credit cards, since the only time the stolen cards would have been used was when the gift cards were purchased rather than at the time the electronics were being purchased.

The good news is that the systems that might catch this seem to have worked (of course, we can say that only for the attempts we know about). The bad news is that maybe the 'hype' isn't quite as 'hypey' as we might have thought.

Saturday, March 17, 2007

Electronic Commerce Subcommittee

The Electronic Commerce Subcommittee continues to attract broad audiences for its cutting edge topics. In this Spring's meeting, we first heard a presentation from Jon Rubens regarding the soon-to-be released web site Safeselling.org. As of today the page is only open to people who are signed on with their ABA user IDs (or at least any of the links under it -- I can't test since I'm signed on), but members can certainly poke around and see it for now. The site is very nearly ready to release to the wild. We hope to have it opened up in a matter of weeks, and shortly thereafter joining in a cooperative effort with the ABA's own media relations group for purposes of really telling the whole world about this great effort.

Beyond that, the subcommittee continues to be interested in developing a body of law surrounding virtual reality gaming -- Both in terms of legal issues here in 'real space' as well as the burgeoning law within the virtual spaces. One thought is to publish an outline of legal issues that Christina Kunz has been developing since our Little Rock meeting -- Just in taking notes she has gathered over six pages of nothing but issues (no answers!). This looks like it has legs for a while...

CAIT Meeting


Bill Denny, Co-Chair of the Subcommittee on Corporate Aspects of Information Technology, passed along his notes from their meeting on Thursday:

The CAIT subcommittee had a highly dynamic and well-attended meeting. Don Cohn and Bill Denny, the co-chairs, gave brief presentations on IT issues in M&A Transactions. Don focused on the challenges of addressing electronic records in the Purchase Agreement and then implementing the transfer of such records. CAIT is building a checklist and commentary of IT issues in M&A transactions, which it intends to publish as a supplement to the M&A checklist published by the Negotiated Acquisitions Committee and to present at a Program in Spring 2008. A number of people volunteered to help develop parts of this checklist.

Steve Hollman and Dino Tsibouris gave a fast-paced overview of their exciting project on blogs, wikis and social networking in business communications. This Project has proposed a program for the ABA 2007 Annual Meeting as well as possible podcasts, and will package the materials for use by a speakers bureau. It also intends to develop sample business blogging policies to supplement previous publications covering employer internet policies. There was lots of interaction by the participants about the record retention challenges of these new methods of electronic communication.

Ariane Siegel explained her CAIT project of developing short form and long form data transfer agreements for cross-border transactions. These agreements will cover the collection, use and disclosure of personal information. The participants discussed the challenge of facilitating the transfer of data and keeping focus on the process. Don Cohn addressed another CAIT project relating to cybersecurity. It focuses on security holes associated with software, as economics drive the software market to push products out to customers and deal with problems later. Customers can deal with this through warranties, specifications, acceptance testing or indemnities, and the project will come up with sample contract provisions and discussion of ways the clauses do and do not address risk.

CAIT participants came up with several exciting ideas for new projects. Liz Blumenfeld suggested dealing with how corporations are dealing with virtual worlds such as Second Life. There seemed to be significant energy around developing corporate-related issues in this context. Another interesting new project would be to examine mass market licenses and ask what standards should be placed on vendors regarding the terms in these adhesion contracts. Questionable clauses include audit clauses, confidentiality clauses and indemnity clauses requiring licensees to indemnify for licensor's negligence. The project ties in with work being done by the subcommittee on Electronic Contracting Practices. Chris Kunz said this topic related closely to a Loyola LA symposium on contracting out of mandatory rules in the UCC. She is writing a paper for that symposium on the ethics of invalid and iffy contract clauses.

Data Integrity: The Emerging Risk to SOX Reporting, E-Discovery and Information Protection


The Privacy Subcommittee coordinated a broad expert panel of speakers who taught us something of the potential threats to businesses who depend on data and how reliable it is. A few photographs were used to demonstrate some visible data integrity concerns -- The manipulation of photographs. We took a quick glance at some famous photo manipulations found on the Wired News site. Then Ted Claypool showed us a few examples of his own manipulations, including the photo at top which shows him as a member of a recent space shuttle team. (He's the Canadian team member on the top right by the way. Not.)

Our moderator was Ted Claypoole of Womble Carlyle's Charlotte office. Panelists were Mary Ann Davidson, Chief Security Officer of Oracle Corporation; Francoise Gilbert of IT Law Group in Palo Alto; Paul Doyle of ProofSpace, Inc.; and John Tomaszewski, the Vice President of Policy and Compliance at TRUSTe, the online privacy advocacy and certification organization.

The photograph of the panel that I took early on in the session was pretty good, but somehow Lenny seems to have managed to get into the records and altered it. I am checking into the integrity concerns.

Skipping past the fun stuff, we moved on to discussing how these issues may impact real data. As we have learned in past discussions about data security, data integrity is often more a matter of tracking what has happened than it is preventing that which probably cannot be prevented.
Of course, the panel first tried to define what it was talking about when it spoke of data integrity, something we all want but don't necessarily know what it is. The panel did agree that access/security is not the same thing as integrity, and that helping integrity does not mean the data is any more useful (or not) as Garbage In/Garbage Out still applies. Consensus seems to be that integrity is more of a question of consistency and the ability to link the data's state to a particular point in time.

The lawyers on the panel were more in line with the idea that showing that access had not happened would subsequently be evidence of integrity (the thought being that if nobody was in the room nobody could have changed it). The technologists felt that proof of access (or lack thereof) would not be the point, since we need to focus on somehow comparing the facts at one point to the facts on hand today that we purport are the same as the ones put in the room.

The number of questions from the audience spoke well to the interest in the topic.

Hot Topics in Cyberspace Law


The committee's always popular Hot Topics forum was held on Saturday morning (the first meeting day that finally broke without storm clouds overhead...).

The speakers (left to right in this picture) this Spring were David Satola from the World Bank, Marc Martin from K&L Gates, Holly Towle from K&L Gates, Juliet Moringiello from Widener University and Ben Beard from the University of Idaho.

Marc opened with a primer on the ongoing controversy known as Net Neutrality. He reminded us that this is both a new battle but also one that has a historical element going back over many years. The telecommunications industry has long had elements of 'how do we categorize' this form of communication, the reason often being that once we categorize the form of communication we have pre-determined the type of regulation. Marc ultimately left us with the idea that this is a battle with many goliaths on both sides of the concern, one that may be very politicized, and that it may take a while for any of us to have any answers about this.

David, who along with member and IP Subcommittee Chair Kristine Dorrain visited the recent Internet Governance Forum in Athens, Greece, presented a short discussion of what happened at that meeting and what may happen next. His presentation contained a summary of the presentation he moderated on legal issues, and you can see the slides in the linked document.

Holly reviewed the recent re-birth of claims by advocates for disabled persons that the Americans with Disabilities Act covered a retailer's web site as a 'place of accommodation' which needed to be set up with proper tools (such as text tags that are used by persons who need to use vocalizers because they cannot see). The case against Target Corporation, which alleges that Target's website did not allow blind people to use their text readers to navigate the site, has recently survived an early round of summary judgment. Holly concluded that the case was not so earth-shaking as first thought, since the plaintiffs' case only survived to the degree they could allege a strong connection between the defendant's physical stores and the site, and particularly how the ability to use the physical stores could be negatively impacted by an ability to use the website. The judge has clearly not allowed claims to go forward that allege only that the website is itself a 'place' for ADA purposes. While the outcome of this case is not certain, it does seem that the more narrow category of sites that have a close interaction with a physical place that is unquestionably covered by ADA should be paying attention to their sites' own usability.

Finally, Ben and Juliet discussed for those of us who are completely absorbed in the law the new phenomenon of virtual worlds and the legal issues arising from them. Ben noted that within the world itself we have a burgeoning economy, with the potential for intra-virtual-world disputes, as well as the odd twist of (in at least one instance) being able to move 'money' from the real-world to the virtual-world and back again. There are already people clamoring to note that these sorts of systems have the legal effect of turning the operators of these systems into banks (or at least one of their cousins in the financial services regulatory world). Juliet reviewed a recently file action by a Second Life member against the service operator. The member alleges that he more or less received property rights from Linden Labs, and that Linden has improperly 'converted' his property (he'd purchased 'land' in the Second Life world) when it chose to terminate his account.

We give our thanks to those who dragged themselves out at 8 AM on a Saturday, and especially to our great crew of speakers.

Kennedy Overlooks Jones Overlooking Nuara

The picture of a young JFK, in the Presidents Sports Bar at the Renaissance Hotel, stands watch over Chair Candace Jones, who is ignoring Lenny Nuara's under-the-table BlackBerry habit.

UPDATE: Above entry fixed to reflect the correction to Fleming's faulty history, given that he thought it was Gerry Ford in the photograph and originally posted it that way. Thanks to Lenny for the assist -- You must have looked up at least once last night.

A Snowy Night at the Capital


The weather was beautiful here in D.C. -- The night before we all arrived. Pretty much from that point forward, it rained almost continuously. This writer ultimately ventured into Chinatown to see if he could find the usually ubiquitous $5 umbrella, but none were left. The rain lasted all day on Friday, with no letup.

Actually, that's not true. At about 8 o'clock in the evening, walking home from dinner, there was something familiar to those of us from the North falling from the sky.

The snow really was quite pretty, and hopefully this photo will let you see a bit of that.

Friday, March 16, 2007

Subcommittee on Internet Law


From Hank Judy, Co-Chair of the Subcommittee on Internet Law:


The meeting of the Subcommittee on Internet Law featured a presentation on the US SAFE WEB Act of 2006 (the "Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers beyond Borders Act of 2006") by Shaundra L. Watson who serves as a Counsel for International Consumer Protection in the Federal Trade Commission’s Office of International Affairs. The Act was enacted in December of 2006 and grants the FTC broader authority to pursue foreign spammers, phishers and other online fraudsters and scammers. Now the FTC has authorities similar to those granted the SEC, the Commodity Futures Trading Commission and federal banking agencies. Hank Judy, who chaired the meeting, noted that cross-border online fraud of all kinds is a rapidly expanding threat to business and consumers alike and that, while the Act was largely procedural in nature, it is a key protection for the online world and will become an even more important protection in the future. He said that this fact, plus the fact that the Act has not received the public notice that it deserves, are reasons why the Act was a topic of importance to the Internet Law Subcommittee.

Ms. Watson's presentation covered the Act's provisions dealing with pre- and post-judgment enforcement litigation in foreign courts, information sharing with foreign law enforcement agencies, investigative assistance to foreign law enforcement agencies, enforcement relationships, reporting requirements under the Act and the Act's sunset provision. She emphasized the extent to which the Act clarified existing authority rather than adding new authority. Here is a copy of Ms. Watson's excellent PowerPoint and a copy of the Act.

Thursday, March 15, 2007

Pre-Paid Cards & Anti-Money Laundering: Hype or Reality

Judie Rinearson, co-chair of the Electronic Financial Services Subcommittee, kicked off her group's presentation on payment cards and the risks inherent in offering such services and products. A stellar cast of panelists was on board, including representatives from industry and government. In fact, this was split up as two different panels -- The government panel and the industry panel. Judie promised that no rumble would ensue, and we crossed out fingers accordingly.

The initiation of a seemingly simple activity like issuing the electronic gift cards tends to open one up to a panoply of federal and state obligations. Fortunately, many of those obligations are limited to entities that are banks. But, many non-bank issuers are still going to follow the same rules, either because they volunteer to them OR because the banks they are using as a service provider insist on it. Thus, we do not avoid having to learn about this simply because we are not representing a bank. And, the trend is towards more regulation.


The government panel started first. Courtney Linn from the Justice Department opened (and, as always, noted that he speaks only for himself and not as a representative of the U.S. Government). He pointed out that the burgeoning cash card phenomenon has quickly been seen as a potential alternative method for carrying cash for contraband transactions. The recent Drug Trafficking Assessment stated as much, and offered evidence that this is not merely a hypothetical. Courtney related that many of the existing statutes involving banking, bank secrecy, money transmitting and the like are now being applied to stored value cards. However, there are some shortcomings in the current structure, particularly when looking at powers given to the federal regulators versus the states.

On the other hand, Donald Semesky, speaking on his own behalf and not his employer the DEA, noted that he had no hard evidence that the serious traffickers are actually used stored value cards. There is some anecdotal evidence of cards being used in street-level transactions. There is evidence of it being used in banking fraud cases (where the resulting cash is deposited into a stored value card). He notes that the methods used for cards to be used as a money laundering device tend to increase how much the drug trafficker is noticed. Cash is collected, and the traffickers want to keep it simple and simply move the cash around rather than transform it into the banking system (let alone pre-paid cards). Don noted that the cell phone industry is going to create the next real wave of money transfer, and that his group is probably more concerned about the cell phone money-transfer system than it is the pre-paid card system. That said -- He does believe there is ultimately motivation for the traffickers to want to move to a non-cash system, and that in time they may move towards the systems that so far are more hypothesis than reality.

The industry panel picked up the discussion and continued the theme -- Is there really a problem out there? Are there mechanisms in place in the existing system that should mitigate the chance of pre-paid cards becoming a serious source of contraband funds transfer? Retailers, representatives of national banks, and others more or less concluded that this is not a system that is ripe for use as a serious money laundering facility. While there are certainly going to be examples of small-time fraudulent use, the industry folks certainly did not believe that there was ever going to be a big problem here.

In all - There appeared to be some degree of agreement between the two factions, at least to the extent that the problem has actually appeared in the wild. The disagreement if there was one is more in the matter of how likely this is to happen tomorrow, and even there we didn't exactly here a sky is falling statement from anybody. Certainly, caution is called for by all, but this listener came to the conclusion that 'hype' is the answer (if we're asked to answer).

Query -- Our (exceedingly cutting edge) gang has already been pondering yet another twist -- Money laundering by way of virtual economies that allow one to transfer 'value' out of 'real' money, into virtual money, and back out to 'real' money. Will we see Second Life as a new form of banking?

UPDATE: Committee member Stephen Middlebrook's own blog emoolaw.blogspot.com has just been updated with yet more interesting information on the subject of payment cards and money laundering -- Take a glance.

Wednesday, March 14, 2007

Make a Difference in International Internal Policy

Hal Burman and the Working Group on International Policy is a great forum for those of us who want to have input on the world stage of internet law -- He presents thoughts below on what the group will be discussing on Thursday:
-----------------------------------------

The WG on International Policy (Room 154A Level 1) meeting at 4:30 Thursday will take up issues directly relevant to several Cyberspace subcommittees, some of which also meet Thursday; hopefully some attending two of the other meetings can join the 4:30 so we assure coordination.
Consumer protection (which meets at 12:00): We are asked for views by mid-April on consumer rights and e-commerce to respond to two proposals at the Organization of American States to deal with that, in particular a proposal from Canada.
Transferability of electronic assets (which meets at 1:00): we have been asked to prepare for Uncitral at the UN a short description of our views on transferability in light of current developments. Cyberspace Committee input would be needed by the end of the month or at the latest early April. This is an opportunity to promote possible UN work in this area, beyond that related to maritime cargo, if we take the lead.
Electronic payments (which meets at the same time, so this will be challenging): we were asked whether we should support an informal proposal by IMF to reexamine the Uncitral Model Law on Electronic Funds Transfers, in light of current e-commerce and other developments, and experience of the payments industry (the Model Law, used as a litmus test for countries adopting laws or regulations on EFT, was designed to be compatible with the Brussels-based SWIFT system and UCC 4A).
E-signatures and authentication: we have already passed on the views developed at the Winter Working Meeting, but need to further consider our posture on that for a UN meeting in early July. Volunteers (self-funded) to attend a UN conference in Vienna in mid-July on private commercial law featuring e-commerce as one of its main topics will be welcomed this week or anytime after.
Privacy of data: this has been raised recently as a possible UN topic in several fora. Input on whether we should support further multilateral examination of topics related to privacy, or continue to duck it, would be most helpful.

A couple of room changes...

Stephen Middlebrook let me know:

  • The "Hype or Reality" program scheduled for Thursday from 2:30-4:30 has been moved from room 141 to 144A.

  • The Electronic Payments Working Group meeting on Thursday from 4:30 to 5:30 has also been moved from room 141 to 144A.

Tuesday, March 13, 2007

Spring Meeting -- The final schedule is posted!

I've just uploaded my final draft of the detailed progamming schedule for the Cyberspace Committee's activities in Washington this week. You can download your own copy here.

This promises to be a great meeting, with over 5 major programs either sponsored or co-sponsored by Cyberspace and many of our subcommittee and working group meetings featuring substantive 'mini-programs' in topics of relevance. I hope that we will see many of the readers of this blog at the meetings starting this coming Thursday.

Our usual blogging crew promises to be on hand, and we will try to post our usual mix of meeting reports, photographs, trivia and other fun content, so please try to check back often through the end of the meetings scheduled for Saturday afternoon.