Posted on Friday, August 21, 2009 at 8:38 pm

Flash Digest: News in Brief

By Evan Kubota

Microsoft, Yahoo, Amazon Join Opposition to Google Settlement

The New York Times reports that Microsoft, Yahoo, and Amazon have joined library associations, nonprofits, and individuals in opposing the Google Books settlement in The Authors Guild v. Google. The settlement, which would allow Google to provide digital versions of millions of books, still requires court approval and remains the subject of a Department of Justice antitrust investigation. The opposition group, tentatively called the Open Book Alliance, will argue to the Department of Justice that the settlement agreement is anticompetitive.

Internet Law Group Brings Suit Against Unidentified Hackers

“John Doe” suits brought against unidentified Eastern European hackers may offer a glimpse of the hackers’ targets and techniques through subpoenas against defrauded banks. However, the banks may challenge the subpoenas in order to protect customer privacy. Unspam Technologies, a group that recently filed suit against bank hackers in the Eastern District of Virginia, hopes to improve bank security and potentially identify the hackers. The New York Times outlines the stakes and key players in the case, Project Honey Pot v. Does.

Mozilla Versus Microsoft in EU Browser Investigation

Ryan Paul at Ars Technica criticizes Mozilla’s complaints regarding Microsoft’s Internet Explorer bundling and default-setting practices. Paul not only argues that many of Mozilla’s complaints “lack substance,” but also claims that the European Union has no business intervening to encourage competition because Mozilla’s Firefox browser has a 22 percent market share “amidst an increasingly competitive browser market.” In contrast, Mitchell Baker of Mozilla argues that the Firefox browser is at a disadvantage because Internet Explorer has a “uniquely privileged position on Windows installations.”

RELATED ENTRIES: Antitrust, Copyright, District Courts, Federal Circuit Decisions, Flash Digest, Hacking, Internet, Software, Telecommunications

Posted on Saturday, July 18, 2009 at 10:28 am

Flash Digest: News in Brief

By Andrew Jacobs

Cyberattack on U.S. and South Korean Governments Stymies Investigators

Law enforcement officials are still investigating the cyberattacks that hobbled some U.S. and South Korean government websites for five days beginning July 4, the New York Times reports. The distributed denial of service attack caused 50,000 to 65,000 infected computers to jam websites of government agencies such as the Federal Trade Commission and the Secret Service with an extraordinary amount of traffic. Although independent and government investigations have led to computers in Miami, Florida, and the U.K., some experts think finding the ultimate source of the “amateurish” attack may prove to be impossible.

Microsoft Convinces Court IP Addresses Are Not Personally Identifiable Information

MediaPost News reports that in a recent class action case against Microsoft, a federal district court in Seattle held that IP addresses do not count as “personally identifiable information” (PII), a term regularly used in user agreements and online privacy policies. The June 23 opinion granted Microsoft’s motion for summary judgment on charges that it had violated its user agreement by collecting IP addresses during automatic software updates. Judge Richard Jones held that in order to be PII, a piece of data must directly identify “a person,” rather than “a computer,” as an IP address does. The decision is in tension with recent E.U. regulatory findings and a 2008 opinion from the New Jersey Supreme Court, according to MediaPost.

New Zealand Takes Second Swing at “Three Strikes”

On July 14, New Zealand’s Ministry of Economic Development introduced a revised version of its “three strikes” copyright provision aimed at curbing online infringement, Ars Technica and Billboard report. The original bill, which provided for the termination of internet service provider subscribers’ accounts as a penalty for repeat copyright infringement, was scrapped in March after public outcry and industry disagreement. The new version addresses due process concerns by allowing alleged infringers to respond to notices of infringement and to have their cases mediated before trial. Termination of infringers’ internet accounts remains a possible penalty under the revised law.

RELATED ENTRIES: Anonymity, District Courts, Flash Digest, Hacking, Internet, Legislation, Privacy

Posted on Thursday, December 4, 2008 at 3:16 pm

United States v. Drew

Lori Drew Convicted on Three Misdemeanor Counts of Violating MySpace Terms of Service in “Cyberbullying” Case
By Brian Kozlowski – Edited By Stephanie Weiner
United States v. Drew, 08-CR-582

A federal jury convicted Lori Drew on November 26th on three of four misdemeanor counts of unauthorized computer access under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, for violating the MySpace terms of service. Drew was acquitted of three felony counts of accessing computers without authorization to inflict emotional harm under the same act. The case has raised widespread objection to the use of criminal liability for violating website terms of service.

The case revolves around the 2006 suicide of 13-year-old Megan Meier following an argument she had on MySpace with “Josh Evans,” a fictional 16-year-old boy whose profile was created under the supervision of Lori Drew. During the 28 days that the account was active, “Josh” established an online relationship with Meier that ended with harsh words and the involvement of other MySpace users. Creation of the fictional account using false information was a violation of the MySpace terms of service, which served as the basis for the computer fraud charges. The prosecution argued, and the jury found, that Drew’s subsequent visits to the MySpace site, in violation of the terms of service, were “unauthorized access” under the terms of the CFAA. Critics point out that this is a very creative use of the CFAA, which is typically used to target hacking and trademark theft. This is the first time it has been used in this fashion.

The New York Times describes the trial outcome, building on an earlier piece from 2007 that gives more factual background on the events. Court documents for the case are hosted on Citizen Media Law Project.

RELATED ENTRIES: Computer Fraud and Abuse Act, District Courts, Hacking, Internet, Telecommunications

Posted on Sunday, October 12, 2008 at 7:06 pm

United States v. Kernell

Palin E-mail Hacker Indicted on Federal Charges by Tennessee Grand Jury
By Andrew Ungberg – Edited by Jon Choate

United States v. Kernell
E.D. Tenn., October 7, 2008, No. 3:08-CR-142
Indictment

On October 7, 2008, a Tennessee grand jury charged David C. Kernell with violating 18 U.S.C. § 2701 (part of the Stored Communications Act) and 18 U.S.C. § 1030(a)(2) (a subsection of the Computer Fraud and Abuse Act) for allegedly accessing the Yahoo e-mail account of Alaska Governor Sarah Palin, the Republican vice-presidential nominee, without authorization. Images and information from Gov. Palin’s e-mail account first hit the Internet on September 17th, and began making headlines shortly thereafter. Several websites, including Wikileaks.org and popular blog network Gawker.com, posted screen shots and content from the hacked e-mail account.

Professor Orin S. Kerr, of the George Washington University Law School and the Volokh Conspiracy blog, sees a potential problem with the indictment. He notes that in order to charge the case as a felony, the government must claim Kernell accessed the account “to further criminal or tortious activity.” According to Kerr, however,

[T]he indictment doesn’t exactly state what the crime or tort is that the intrusion was designed to further. It just states that the intrusion was “in furtherance of the commission of a criminal act in violation of the laws of the United States, including 18 U.S.C. Section 2701 and 18 U.S.C. Section 1030(a)(2).” But Section 2701 and Section 1030 are the intrusion statutes themselves! It makes no sense to allow a felony enhancement for a crime committed in furtherance of the crime itself . . . .

Info/Law draws parallels between this case and the Lori Drew MySpace case.

RELATED ENTRIES: Computer Fraud and Abuse Act, District Courts, Hacking, Stored Communications Act, Telecommunications

Posted on Friday, August 15, 2008 at 11:41 am

MBTA v. Anderson

D. Mass: MIT Students’ Security Presentation Merits Temporary Restraining Order
By Jon Choate – Edited by Dan Ray
 

Mass. Bay Transp. Auth. v. Anderson
D. Mass., August 9th, 2008, No. 08-11364-GAO
Temporary Restraining Order (Hosted by EFF)  

On August 9th, Judge Woodlock of the U.S. District Court, District of Massachusetts granted the Massachusetts Bay Transportation Authority (“MBTA”) a temporary restraining order against Zack Anderson, RJ Ryan, and Alessandro Chiesa, undergraduates at the Massachusetts Institute of Technology (“MIT”). The order “enjoined and restrained” the undergraduates from “providing program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security” of the MBTA fare system’s CharlieCard and CharlieTicket. CharlieCards are reusable stored-value cards, which allow Boston subway riders access at ticket terminals by waving the card over a designated reader. The system operates wirelessly, and allows riders to add money to their cards both at subway terminals and through online accounts.

Anderson, Ryan and Chiesa reportedly uncovered several vulnerabilities with the MBTA’s CharlieTicket system while doing research for a Computer and Network Security class. Using this research, the students devised a way in which the CharlieCards can be reprogrammed using $200 worth of equipment; theoretically, this method could increase the stored value on a card to more than $600. The students also discovered that the CharlieCards, which store balance and other information internally, can be read using non-MBTA wireless equipment. Furthermore, according to documents on their research, the three had written software capable of generating and analyzing CharlieCards in order to crack the card’s encryption.

The MIT students were scheduled to present their research at DEFCON, “one of the oldest running hacker conventions around.” It was this presentation which prompted the August 8th complaint filed by the MBTA against Anderson, Ryan and Chiesa and MIT. The complaint alleges that the students

“(i) claim to have circumvented the security features of the MBTA’s computerized CharlieTicket and CharlieCard fare media systems; (ii) publicly offered ‘free subway rides for life’ to interested parties over the Internet; and (iii) plan to allow others to duplicate their claimed ‘breaking’ of the Fare Media’s security systems by presenting a paper, releasing software tools, and giving demonstrations at the DEFCON hackers convention this Sunday, August 10, in Las Vegas.”

The complaint further alleges that the students did not provide information regarding how they circumvented the security system to the MBTA and that public dissemination of the information before the MBTA has had an opportunity to correct the flaws will cause “significant damage to the MBTA’s transit system.”  

The MIT Tech covers the story, noting that while the presentation at DEFCON was cancelled, the presentation slides and confidential vulnerability report the students wrote for the MBTA “are widely available online.” The Tech further reports that the students are being represented by the Electronic Frontier Foundation (EFF) and not by MIT’s lawyers.

RELATED ENTRIES: Computer Fraud and Abuse Act, District Courts, First Amendment, Hacking