Embed Size (px)
Citation preview
CLSR Briefing
CLSR BRIEFINGNEWS AND COMMENT ON RECENT DEVELOPMENTS FROM AROUND THE WORLDStephen Saxby, editor
UNITED KINGDOM
Government paper on identity cards
The Government has published a con-sultation paper on what it calls“Entitlement Cards” which theGovernment committed itself to doingfollowing the events of 11 September2001. Having given advance notice ofthe publication, the Government wasable to take account of commentsreceived by the public and subsequentconsultation with a range of organiza-tions in the public and private sectors.The consultation document explainshow a universal entitlement cardscheme would work; the potential usesof such a card and how the schemewould operate in practice; and the costestimates of the scheme as a whole.The Government believes that thescheme would enable individuals, whoare lawfully resident in the UK, to con-firm their identity with a high degree orassurance; establish for official purpos-es a person’s identity so that there isone definitive record of an identitywhich all government departments canuse if they wish; help people gain enti-tlement to products and services pro-vided by both the public and privatesectors - particularly those who mightfind it difficult to do so at present; andhelp public and private sector organiza-tions to validate a person’s identity,entitlement to products and servicesand eligibility to work in the UK.
There is likely to be a robust debateon the civil liberties aspect of what isproposed and that is why the consulta-tion exercise is intended to run for sixmonths giving all interested groups andindividuals an opportunity to partici-
pate in the debate. The Governmentsays that the introduction of an entitle-ment card would be a major step andthat it will not proceed without themost careful consideration of all theresponses that may be received.
EEddiittoorr’’ss NNoottee::Entitlement Cards and Identity
Fraud – a Consultation cm 5557 (July2002) is available from:<wwwwww..hhoommeeooff--ffiiccee..ggoovv..uukk//ddoobb//eeccuu..hhttmm>. Also avail-able from that site is a separate studyentitled Identity Fraud – A Study fromCabinet Office (July 2002) which exam-ines the serious and growing problemof identity fraud in the UK. This Studyexplores the extent and nature of iden-tity fraud and theft in the UK both inthe Government and in the private sec-tor. It proposes possible solutions tothe problem drawing on best practicefrom both the UK and overseas.
Privacy fears voiced at dataprotection conferenceRepresentatives from over 50 DataProtection Authorities and PrivacyCommissioners attended the 24thInternational Data Protection andPrivacy Commissioners Conferenceheld in Cardiff,Wales in September.TheConference was jointly hosted by theCommissioners from Republic ofIreland, Jersey, Guernsey, Isle of Manand the United Kingdom.The assembled Commissioners andtheir representatives discussed manymatters of common concern rangingfrom privacy issues in relation to web-sites through to video surveillance ofthe population in public and privateplaces. However, the Commissionersdevoted a substantial amount of time toconsidering the various national
responses to the terrorist attacks on 11September 2002.The Commissioners agreed that whilethere is the need to protect society fromsuch outrages, the reaction in manycountries might have gone beyond ameasured response to the terroristthreat with serious implications for per-sonal privacy. The Commissionersagreed that the need to safeguard per-sonal privacy in such developmentsremains an essential task for the world-wide data protection community.Unless an approach is taken byGovernments which correctly weighsdata protection and privacy concernsthere is a real danger that they will startto undermine the very fundamental free-doms they are seeking to protect.EEddiittoorr’’ss NNoottee:: The 25th Conference isscheduled to take place in Sydney,Australia in 2003.
Small companies failing ondata protection complianceThe UK data protection regulator, theInformation Commissioner has instigat-ed a study of compliance with the DataProtection Act 1998 by UK based web-sites.
It is available from the DataProtection Regulator’s website on:<www.dataprotection.gov.uk>.
The report was produced by rep-resentatives from the University of Manchester Institute of Science and Tech-nology (UMIST) was carried out over atwo month period in winter/ spring 2002with the aim of assessing the degree ofcompliance by UK websites; identifyingparticular areas where there are failuresto comply with the legislation; to gener-ate awareness of relevant issues for bothdata controllers and data subjects; and to
446 Computer Law & Security Report Vol. 18 no. 6 2002ISSN 0267 3649/02/$22.00 © 2002 Elsevier Science Ltd. All rights reserved
CLSR 1806.qxd 24/10/2002 13:47 Page 446
447
CLSR Briefing
prove a basis for possible future enforce-ment action. The survey involved assess-ment of websites as well as in-depthinterviews by telephone and in person.The survey looked at the websites ofcompanies of different sizes and a ran-dom sample was also taken of 20 of themost visited UK websites. The websitesurvey included portal sites, news sites,weather sites, travel services, magazines,online directories, games and leisuresites, and email and Internet access ser-vice providers, amongst others. It alsolooked at sites aimed at children andteenagers, as well as adults, and somepublic sector sites were also included, aswell as those in the private sector.
For all those interested in this area,the report is worth reading. It has cer-tain general conclusions, - for example,that smaller companies and companiesin unregulated sectors tended to havewebsites showing a low level of com-pliance and, for example, how to col-lect data in compliance with thelegislation was not well understood.
The report cites some examples ofgood practice. For example,a couple ofchildren’s sites were praised - onebecause it enabled children to createtheir own web pages but requestedparental authorization in writing (notby email), and another because it gavevery specific instructions to childrenon how to protect their privacy.
Equally,examples were found of poorpractice. Again, looking at one website, itappeared to be the off-shoot of a tele-phone company collecting informationon children (and adults) in return for freering tones,etc for their mobile phone. Atleast one of them also required the use ofa premium rate telephone call (at addi-tional cost) and it was not made clearthat the company was an off shoot of atelephone company. Other sites, avail-able to all, contained sexual contentunsuitable for children, even thoughaccess to the more explicit materialrequired a registration procedure.
HHeeaatthheerr RRoowwee,, RReeppoorrtt CCoorrrreessppoonn--ddeenntt.. PPaarrttnneerr,, LLoovveellllss,, LLoonnddoonn
Local government out ofstep with Freedom ofInformation lawMembers of the local government sec-tor, including many bodies that provideservices at a local level are being
encouraged to ensure they complywith the requirement of the Freedomof Information Act with regard to pro-ducing a publication scheme. Failure todo so would be a breach of section 19of the Freedom of Information Act.Whymust local government take action?
The Freedom of Information Act2000 is about to enter the second waveof the timetable for adopting‘Publication schemes’. ‘Publicationschemes’are a means by which a publicauthority can make a significantamount of information available rou-tinely, without waiting for someonespecifically to request it.
A ‘publication scheme’ will list the“classes” or types of information thatthe public authority intends to makeravailable and how that information willbe published. Public authorities withinthe local government sector must sub-mit their publication schemes to theInformation Commissioner forapproval, by 31 December 2002. Thedeadline according to legislation forlocal government members to ‘operate’a publication scheme, is the 28February 2003.
Bodies who must now comply withthe Freedom of Information Act inpreparing a publications scheme arenumerous including County Councils,fire authorities, transport executivesand national parks etc. They alsoinclude many smaller bodies such asany charter trustees constituted unders246 of the LGA 1972, as well as a bodycorporate established under section 67of the Local Government Act 1985 etc.Anyone who thinks they may fall underthis area should check whether theyare listed in the Act.
Information Commissioner,Elizabeth France said:
“It is important that all publicauthorities recognize the fact thatthey have this legal duty and thatthey start taking steps to produce a publication scheme. There aredistinct advantages in developing a well thought out publicationscheme and my Office is happy tooffer advice and guidance to anypublic authority that approachesus.”
EEddiittoorr’’ss NNoottee:: All the second waivepublic authorities are listed in Schedule1 part II of the Freedom of InformationAct,which can be viewed on the HMSOwebsite: <<wwwwww..hhmmssoo..ggoovv..uukk>>..
For more information on publicationschemes or the Act in general visit:<<wwwwww..iinnffoorrmmaattiioonnccoommmmiissssiioonneerr..ggoovv..uukk>> or telephone: ++4444 ((00)) 11662255554455770000.
E-commerce Minister welcomes new securityguidelines E-commerce Minister Stephen Timmshas launched a new set of guidelines toensure information systems are moresecure against viruses and computerhackers. He has also welcomed thelaunch of a revised Standard to helpbusinesses manage the risks to theirinformation assets. Mr. Timms intro-duced the guidelines at the FirstInternational 7799 Users Conference, anew forum for global security issues.They radically overhaul the originalguidelines published by the OECD tenyears ago.The guidelines are based onthe following principles:• an increased awareness of the need
for security and what can be doneto enhance it on a basic level;
• Responsibility being taken by everyindividual on a network for thesecurity of information systems andnetworks;
• Co-operation and swift actionplanned as vital to the preventionand detection of security breaches;
• Security of information systemsmade to be compatible with theessential values of a democraticsociety;
• Risk assessments being used as anessential tool;
• Security incorporated as an essen-tial element of information systems;
• Adoption of a comprehensiveapproach to security managementneeds; and
• Reviewing,reassessing and modifyingof security policies and practices.
Speaking at the conference, StephenTimms said:
“We are faced with a major chal-lenge of making the information age asafe place to do business. Today’slaunch marks a turning point in howwe rise to that challenge. Security sys-tems play an integral part in the devel-opment of information systems, givingus a strong and healthy informationtechnology environment. The UK hasvery actively supported and con-tributed to the revision of the original
CLSR 1806.qxd 24/10/2002 13:47 Page 447
CLSR Briefing
guidelines laid out by the OECD in1992.The new guidelines provide a setof principles that will help us create aculture of security.”The CBI joined theMinister in welcoming the revisedOECD Guidelines. CBI BIAC represen-tative Jeremy Ward emphasized theimportance of businesses introducingthe guidelines:“Far too many business-es today are crossing the informationhighway without knowing anythingabout the risk.As a result, too many ofthem are becoming involved in nastyaccidents involving information securi-ty. The key issue is not so much whatindividual businesses must do to pro-tect themselves, though this is still veryimportant, it is creation of an environ-ment of trust and security.Development of such an environmentwill require close and co-ordinated co-operation between industry and gov-ernment. The OECD’s guidelinescontain principles that businesses needto understand and on which they mustact, in order to fulfill their side of theresponsibilities involved in such a part-nership.They are, if you like, the ‘greencross code’ of the information super-highway.”A recent Information SecurityBreaches Survey by the DTI shows anumber of areas that need to beaddressed. For example, less than athird of businesses encrypt files con-taining confidential customer detailsand over a third of websites have nofirewall in place, giving hackers easyaccess. Viruses are the major cause ofthe most serious security breaches,with four in ten companies admittingto virus infection. Despite this, 17% ofbusinesses still have no software inplace to guard against attacks. StephenTimms also took the opportunity tocommend the updated British standardfor information security management -part two of the BS7799 - publishedrecently.He stressed the value of havinga tool by which all organizations -including the DTI itself, which uses theStandard - can manage the security oftheir information assets as a core busi-ness activity. This Standard will bringinformation security into the main-stream of good business practice and isa practical way to demonstrate commit-ment, at the organization level, to theOECD guidelines. Editor’s Note: TheGuidelines were developed at theOECD by representatives ofGovernments from the OECD’s 30
Member Countries and by representa-tives of industry under the BusinessIndustry Advisory Council. The CBI isUK representative to BIAC. The OECDguidelines are available on the DTIwebsite at <www.dti.gov.uk>.The 2002DTI Information Security BreachesSurvey is the most comprehensive sur-vey about this issue in the UK. For fur-ther information or to view the resultsof the survey, visit <www.security-sur-vey.gov.uk>. Further information onBS7799 part 2 is available in the BSInews room at <www.bsi- global.com>.
Minister slams illegalbroadcastersTelecoms Minister Stephen Timmsrecently joined in a raid in southLondon to combat radio piracy.Government enforcers from theRadiocommunications Agency (RA) leda raid on an illegal station to seize theirtransmitter and stop them broadcast-ing.The raid is the latest activity in theAgency’s strategy against pirates. Othermeasures include tackling suppliers ofpremises and radio transmitters, target-ing those who advertise on pirate sta-tions, and working with the police andcourts to raise awareness about theserious nature of illegal broadcasting.Stephen Timms said: “Pirate radio sta-tions are threatening the public’s safetyeveryday. Their illegal broadcasts runthe risk of disrupting with essentialradio services, like air traffic controland emergency service communica-tions. People’s lives may be put at risk.We applaud community-based radioservices, but public safety considera-tions mean they must go through thelicensing process with everyone else.”Pirates also interfere with licensedbroadcasting stations. Legal broadcast-ers support the Agency’s work as theywant fair competition on a level playingfield. The Agency carries out nearly1500 raids on pirate broadcasters ayear, of which around 90% are in theGreater London area. It seizes hundredsof thousands of pounds worth of equip-ment and materials, including transmit-ters, record decks, and vinyl. In 2001,the Agency carried out 1438 operationsagainst 248 separate stations.The maxi-mum penalty that a pirate can face isan unlimited fine and up to two yearsin prison. Editor’s Note: The
Radiocommunications Agency (RA) isan Executive Agency of the Departmentof Trade and Industry,and is responsiblefor management of the civil radio spec-trum. One of the Agency’s key responsi-bilities is to ensure that legitimate usersof spectrum do not suffer from interfer-ence. Pirate radio is a major cause ofdisturbance. Details of the Agency’saction against pirate broadcasters canbe found on their website at<www.radio.gov.uk>. The maximumpenalties at Crown Court for piratebroadcasters are an unlimited fine andup to two years in prison. The forth-coming Communications Bill has aclause in it that proposes that Policecan arrest a person for a pirate radiooffence.
OFTEL prepares for newEC CommunicationsRegime The Government has published a con-sultation paper on proposed legislationto ensure that OFTEL has the necessarypowers to prepare for the newEuropean Electronic CommunicationsDirectives. The directives determinehow electronic communicationsincluding spectrum will be regulated.In order to ensure smooth and speedyimplementation of the directives byJuly 2003, Member States are obliged tocarry out some preparatory work. Thework involves:• market reviews to determine which
markets are effectively competitive,and which are not, so that the rele-vant obligations to be imposed onoperators with significant marketpower can be determined; and
• determination of which operatorsshould be designated as universalservice providers. CurrentlyOFTEL’s powers extend to telecom-munications. In order to effectivelycarry out the above assessmentsthese powers will need to beextended to cover all electroniccommunications networks and ser-vices. The consultation documenttherefore proposes a statutoryinstrument made under theEuropean Communities Act.
EEddiittoorr’’ss NNoottee:: The four new directiveswere adopted on 7 March 2002 and areas follows: Framework Directive,Authorization Directive, Access
448
CLSR 1806.qxd 24/10/2002 13:47 Page 448
449
CLSR Briefing
Directive and the Universal ServiceDirective. The consultation documentcan be found at: <www.dti.gov.uk/cii/regulatory/telecomms/index.shtml>.The Government consultation periodon the draft regulations concluded on 1October 2002. Copies of the NewDirectives can be obtained from theEuropean Commission’s website at:<http://europa.eu.int/information_society/topics/telecoms/regulatory/new_rf/index_en.htm>. For a general outlineof the Government’s plans for theimplementation of the directives see“The draft Communications Bill -Thepolicy, May 2002” which is availableelectronically at: <www.communica-tionsbill.gov.uk>.
UK Domain NamesRegistration bodyresponds to privacy concerns
Following concerns raised about itsplans to publish the names and address-es of those who register .uk domainnames (web addresses), Nominet UK,the UK Internet Names Organization,has announced further measures toprotect the privacy of individuals.
Individuals not wishing to have theiraddress shown in Nominet’s free onlinesearch facility (known as WHOIS) willbe able to take advantage of an opt-outmechanism, which will mean that any-one looking up the domain name will bereferred to the relevant ISP for furtherdetails. However, in line with UK legisla-tion, the opt-out will only apply to non-trading individuals.
The revised WHOIS format will golive in two stages. From 1 October, thename of all registrants (domain nameholders) will be published, togetherwith the date on which the domainname is due for renewal and the nameand web address of the registrationagent (ISP). However, only domainnames registered for those classified asbusinesses will show the address of theregistrant at that stage.
From 1 December addresses will bepublished for all new registrations andexisting domain names as they arerenewed thereafter, unless the opt-outfor non-trading individuals is activatedby the registrant via their ISP or regis-tration agent. This will apply irrespec-
tive of which Second Level Domain(including .co.uk,where the majority of.uk domain names are registered) thedomain name falls under.
At no stage will telephone and faxnumbers or email addresses be includ-ed for either businesses or individuals.
“While the principle of impro-ving the scope of the WHOIS searchfacility remains, we have changed ourplans to take account of the concernsexpressed,” said Lesley Cowley, man-aging director of Nominet UK, thenational Registry for .uk domainnames. “We would like to thank allthose who contributed to this discus-sion for their input.”
Nominet’s WHOIS is the only auth-oritative source of information for .ukdomain names and can be found at<wwwwww..nnoommiinneett..oorrgg..uukk>.This currentlyshows the organization or individual towhom the domain name is registered,when that registration was made andwhen the entry was last updated.
EEddiittoorr’’ss NNoottee::For more information see the
Nominet web site aatt <<wwwwww..nnoommiinneett..oorrgg..uukk//rreeff//wwhhooiiss44..hhttmmll>>..
A domain name is not for life!Half of all UK businesses do not realizethat their domain name registrationneeds to be renewed, thereby riskingtheir entire Internet presence. Domainnames form the basis of all web site andemail addresses and those ending .ukhave to be renewed every two years.Without them, the company effectivelydisappears from the Internet and can-not be contacted electronically.
“There have been several high pro-file examples recently of companiesnot renewing their domain names andlosing Internet access - albeit tempo-rarily - as a result,” said Lesley Cowley,managing director of Nominet UK, thenational Registry for domain nameswhich carried out the survey. “We aretherefore advising people to checkwhen their domain name registration isdue for renewal and make themselves adiary note!”
Most domain names ending .uk areregistered through an Internet ServiceProvider (ISP) and need to be renewedevery two years. In the first instance,Nominet sends the renewal invoice to the ISP, who should contact the
Registrant for payment. If, for any rea-son, the ISP does not renew the regis-tration, Nominet tries to contact theRegistrant directly to offer them theopportunity to renew the registration.
However, anyone can check therenewal date of a .uk domain name bygoing to the Nominet UK home page<wwwwww..nnoommiinneett..oorrgg..uukk> and enteringthe name into the domain name search.This currently shows the date of regis-tration, from which the renewal datecan be calculated,but from autumn thisyear will also show the date of renewalitself.
EEddiittoorr’’ss NNoottee::Further help, is available from
Nominet’s customer support team on++4444 ((00)) 11886655 333322221111 or <wwwwww..nnoommiinneett..oorrgg..uukk>.
OFTEL launches newadvice for mobile andInternet usersNew advice to help consumers makethe most of the wide range of mobilephone and Internet access servicesavailable in the UK, was launched byOFTEL in September.
Two new guides - Getting the bestdeal from your mobile phone serviceand How to access the Internet athome - will help UK consumers choosethe best service for their needs.
The guides advise on the range ofthings to consider when buying mobileand Internet services, including:• hints and tips on the different ways
to pay for your service;• how to ensure you don’t get stung
by unexpected costs; and • advice about changing your
Internet or mobile phone serviceprovider.
David Edmonds, Director General ofTelecommunications commented:
“Consumers have access to a widerange of services and tariffs as aresult of the UK having one of themost competitive telecoms marketsin the world. Consumers continueto take up new services with aquarter of a million UK homesgoing online between February andMay of this year and over 500 000new mobile users in the same peri-od. I want to make sure that con-sumers make the right choice from the range of services on offer.
CLSR 1806.qxd 24/10/2002 13:47 Page 449
CLSR Briefing
Customers new to the Internet orconfused by mobile phone choi-ces will benefit from the clear,independent advice published byOFTEL today. Simply knowing theright questions to ask and the range of options available meansconsumers can make their purchas-ing decisions with confidence.”EEddiittoorr’’ss NNoottee::OFTEL’s consumer guides are avail-
able to the public from OFTEL’sResearch and Information Unit on: ++4444((00)) 2200 77663344 88776611.The consumer guidesare also available on OFTEL’s websiteat: <wwwwww..OOFFTTEELL..ggoovv..uukk//ppuubblliiccaattiioonnss//ccoonnssuummeerr//ccoonnssgguuiiddeess//mmoobb00990022..hhttmm>for the mobile leaflet and <…..//iinntt00990022..hhttmm> for the Internet leaflet.
UK plc security strategiesput detection over prevention UK businesses are focusing on alarmbells rather than protection when itcomes to securing their networks andsensitive data. Independent researchfrom the DTI shows that 44% of com-panies have suffered a malicious securi-ty breach, but only 27% have adocumented security policy in place.Whilst this means organizations areaware of these intrusions when theyhappen, they lack the necessaryprocesses and policies to limit the dam-age from unauthorized access. Theproblem is worse when more commoninternal breaches by insiders occur asthe majority of intrusion detection sys-tems are ineffective against this type ofattack.
To help companies address thisincreasingly important issue, ComputerAssociates (CA) has published a guidethat outlines exactly what to do whenthe alarm bells start ringing,and how toprepare for possible attacks.
Entitled ‘Reaction Remedies - theway it should work’, the guide pro-vides a step-by-step set of processes forfirms to follow.
According to CA, many companiesrely upon intrusion detection systems,which like burglar alarms warn whenan intruder has already broken in.Secure protection should include prop-er access control - the IT equivalent ofstrong door and window locks - to pre-vent intrusion and to limit the ability of
an intruder to do damage. In additionmany companies fail to apply impor-tant patches or correct configurationson their systems - this is like leavingwindows and doors open - and invitesopportunist attempts to intrude.
The problem of hack attacks is com-pounded by the clandestine nature ofmost attempts. Given that the majorityof breaches take place during unsocia-ble hours, to minimize the number ofpeople on hand to observe them, hack-ers are often free to destroy files andaccess confidential data before defensemechanisms can kick in.
However, once alerted to a hacker’sintentions, the reaction has to beinstant to isolate the area that is beingattacked. Most companies are notaware that these processes and policiescan be automated. Instead, too manyrely upon a pager message or late-nightphone call to a system administratorwho could then take any length of timeto get into the office.
In addition to the guide, CA is advis-ing companies to re-assess their securi-ty policies as a matter of priority, andcontinue to review them regularly.Independent security bodies, such asInterforum, are also advising that firmsare better off pursuing more rounded,integrated security strategies that onlyuse detection only as the first part ofthe security campaign.
Mike Small, vice- president, eTrustR&D at CA said:
“Intrusion detection is just a burglaralarm and really is the last line ofdefense. It is much better to havestrong access controls to preventintrusion and then be able to limit thedamage an intruder can do. Relyingcompletely on intrusion detectionwill mean you need to ensure that theDobermans are poised and the policecalled out to the scene immediately if you’re going to prevent a theft.Security has traditionally been donepiecemeal and this can dramaticallyreduce its effectiveness.You can havea best-of-breed security set of prod-ucts,but without co-ordinated centralmanagement you can never be surewhether they’re working for ratherthan against you. Intrusion detectionshould be one component of thisstrategy,but you also need a well doc-umented set of procedures and poli-cies to limit the damage that anintruder can cause.”
EEddiittoorr’’ss NNoottee::Computer Associates International
provides software services foreBusiness. For further informationvisit: <http://ca.com>.
Spielberg in domain namedisputeFilm director Steven Spielberg has threat-ened a small Internet design firm in Indiawith legal action for registering the site<Dreamworkzweb.com>, claiming con-fusing similarity to the name of Spiel-berg’s production company, DreamWorks. The Indian firm has been hit witha request to hand over the domain namewithin 15 days or face court action.
Aidan Clarke, Partner at Marks &Clerk, the UK’s largest firm of patentand trade mark attorneys, said:
“Mr. Spielberg’s threat to take actionagainst Dreamworkzweb.com willnot come as a surprise to corpora-tions that actively police and pro-tect their IP rights. While details ofwhat Mr. Spielberg intends to do areunknown, he may decide to make acomplaint to the World IntellectualProperty Organization or take legalaction to protect his intellectualproperty rights through the courtsin India or the US. However, provid-ed that his rights are adequately pro-tected by registration in the relevantcountries, Mr. Spielberg may be ableto succeed in preventing whatwould appear to be infringing activ-ities. Critics of Mr. Spielberg’s casemay suggest that this is an instanceof intellectual property law beingused by a major corporate to stifle asmaller competitor. However, withstatistics suggesting that as much as75% of the value of the Fortune 500lies in intangible assets, it becomesapparent that protecting the brandis absolutely crucial to business suc-cess; more so than ever in thesedemanding economic conditions.”
Home Office orders IT sector to put Britishrecruits firstA change to the work permit arrange-ments for overseas IT workers has beenannounced by the Work Permits UK(WPUK) of the Home Office. This
450
CLSR 1806.qxd 24/10/2002 13:47 Page 450
451
CLSR Briefing
change means that, from 2 September,UK companies will be required toadvertise all IT posts at home beforebeing allowed to seek suitable peoplefrom abroad.
At present certain IT jobs are listed as“shortage occupations” by WPUK wherethere is considered to be an acute short-age of available resident workers.Employers seeking to fill jobs on the listare not required to advertise in the UKbefore recruiting abroad – as is necessaryin the usual work permit process.
The shortage occupation list cur-rently highlights specific skills andoccupation shortages in industries suchas the engineering and health sectorsas well as the IT industry. It is subject torevision at regular intervals in responseto changes in the UK labour market.
Recent consultation with industryrepresentatives, as part of a regularreview, established that there is not acurrent shortage of specific IT skills inthe domestic workforce. Based on theirrecommendations, WPUK has decidedthat is not necessary to designate anyjobs in the IT industry as shortageoccupations at this time.
Home Office Minister, BobAinsworth said:
“The work permit scheme muststrike the right balance betweensafeguarding the interests of the res-ident work force whilst allowingemployers to recruit skilled peoplefrom abroad to fill vacancies wherethere are temporary skills shortages.This is vital in order for the UK tocompete effectively in an interna-tional market. WPUK consults withrepresentatives of all industries – inthis case the IT industry - on a regu-lar basis and makes sure that theindustry demands can be met andthe Government can respond to anychanges in the labour market.”
EEddiittoorr’’ss NNoottee:: The IT jobs to be takenoff the shortage occupation list on 2September include: Business Analysts(in any area), Network Specialists(Microsoft NT, Windows2000 andUNIX) and senior Architects (in Java).
Work permits are considered underthe criteria published on the website<wwwwww..wwoorrkkppeerrmmiittss..ggoovv..uukk>>.. Success-ful applications usually require employ-ers to demonstrate that they have testedthe resident labour market and thatthere are no qualified resident workersavailable for the job in question.
Certain occupations are recognizedby Work Permits (UK) as ‘shortageoccupations’.This recognition acknowl-edges that there are acute shortages ofsuitably qualified and skilled workerswithin the resident labour market.Theresident labour market is defined ascountries within the EuropeanEconomic Area including the UnitedKingdom.
The shortage of resident workers inthese occupations has been deter-mined following consultation with therelevant governing bodies for the indus-tries concerned. These posts areacknowledged as being particularly dif-ficult to fill.Work Permits (UK) ensuresthat the shortage occupation listreflects current labour market trendsthrough regular sector panel andemployer meetings.
The change in policy on the ITshortage occupation list follows recom-mendations from the InformationTechnology, Communications andElectronics (ITCE) sector panel thatconcluded the occupations listed nolonger had a domestic labour supplyshortage. Members of the ITCE sectorpanel include other governmentdepartments, trade unions, industrybodies and independent representativeorganizations.
Sector panels meet on a quarterlybasis to review changes in the labourmarket and make recommendations toWork Permits UK on the occupationsthat should form the shortage occupa-tion list.The ongoing review process ofthe shortage occupations, had led tothe removal of a number of IT jobsfrom the list in April this year.
FAST urges users to actnow or pay Microsoft laterThe Federation Against Software Thefthas stepped into the current industrydebate over Microsoft’s new licensingregime by urging all Microsoft softwareusers to take action now to get compli-ant or pay more later. Paul Brennan,General Counsel of FAST, said:
“The cut off period between the oldand new licensing schemes is 31 July.Despite numerous extensions, if usershave not signed up to a SoftwareAssurance license in that timeframethey will have to buy a full license ifthey then want to upgrade. This new
scheme is designed to replace the exist-ing license upgrade program altogetheras Microsoft moves toward what itterms its ‘software as a service’ strategy.In other words offering its customersthe opportunity to upgrade more regu-larly using an online method of distrib-ution, FAST has recognized that thetime is now right for organizations andcompanies alike in the UK to get theirhouses in order when it comes to soft-ware licensing and ensure that no ille-gal copies are in use. Paul Brennanadded: “While it is not our policy tocomment on Microsoft’s commercialdecisions,what is apparent is that thereis a major issue when it comes to ensur-ing that users have the licenses theyneed. And this means that this is theideal time to ensure that they are soft-ware compliant.” FAST is therefore rec-ommending that users take the time tonot only put in place a methodology ofcontrol over internal software use butactively engage in the software auditingprocess. Sarah Simkins, FAST CorporateServices, believes that Microsoft’snumerous extensions to the timetableoffered corporates an acceptable time-frame to prepare for the proposedchanges: “IT managers I know wouldrather ignore the sometimes tedioustask of licensing software. Howeverthere are major benefits once the taskis completed, on average companieswill save up to 30 % off the cost of run-ning its pc’s. The Microsoft licensingchanges are just another good businessreason to get the situation under con-trol. FAST actively educates companiesby visiting key IT personnel to makethem aware of the implications of usingsoftware illegally, as well as giving themfurther information on the changes toMicrosoft licensing.” Company direc-tors, if found guilty of under-licensingsoftware can face up to two yearsimprisonment under the CopyrightDesigns and Patents Act 1988.
EEddiittoorr’’ss NNoottee:: FAST became theworld’s first software anti-piracy organi-zation when it was set up in 1984 tolobby Parliament for changes to thecopyright law.
Its mission to promote the legal useof software is supported by its 2,300strong corporate membership.
Since that time FAST has taken on amuch broader approach in the areas of:education and enforcement, promotingthe effective and legal use of software
CLSR 1806.qxd 24/10/2002 13:47 Page 451
CLSR Briefing
452
as well as helping organizations to max-imize their software investment.
The focus of enforcement is underlicensing by corporate UK togetherwith the increasing problem of Internetenforcement.
Queries to Fast can be made byemail to ffaasstt@@ffaasstt..oorrgg or via the Copy-right Advice & Anti-Piracy Hotline: ++4444((00)) 884455 660033 44556677.
Product News in Brief• EExxppeerrttss ddiissccoovveerr sseeccuurriittyy ““HHoollee”” iinnMMiiccrroossoofftt WWiinnddoowwss22000000 NNGGSSSSooffttwwaarree,,the UK based Internet security expertshave released information detailing a newvulnerability found in Microsoft productswhich give hackers access to potentiallywreak havoc on the vast majority of thecorporate world. The hole would allowan attacker to remotely run commandson a user’s computer. This could beachieved either through email or byencouraging the victim to visit a particu-lar ‘malicious’ web site. NGSSoftwareinformed Microsoft of the vulnerability,which was found in Windows 2000 earli-er this year. This issue has now beenaddressed in Service Pack3 availablefrom: <http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/w2ksp3.exe>.Mark Litchfield, Director at NGS-Software said:
“I consider this vulnerability to beof a critical nature for two reasons.It can be exploited through email. Ifreceived by email, and the Internetsecurity settings are not set to high,(a default install would allow thisvulnerability to work) there is noth-ing the end user can do to stop it,and secondly, the majority of corpo-rate’s using Microsoft will be run-ning Windows 2000. From acorporate perspective, because thisissue has been addressed in aService Pack, as opposed to a HotFix, many businesses will remainvulnerable over the next comingweeks. A Hot Fix is easy to imple-ment,whereas a Service Pack can bea logistical nightmare.This is due tothe tests performed in-house ondevelopment machines to checkthat the company’s own technologyfunctionality does not break, beforebeing deployed to the productionenvironment. Our advisory, found at
<wwwwww..nnggssssooffttwwaarree..ccoomm>, gives thefull technical details of the vulnera-bility and the fix information.”The opportunities the vulnerabili-
ties present to hackers are consideredendless.The Melissa virus, which is esti-mated to have cost business around$10bn, is a good example of a viruswhich exploited this type of vulnerabil-ity. A virus can be programmed to cre-ate any number of problems. Forexample, a virus could be programmedto infect a computer hard drive andthen mail itself to the contents of theaddress book. The virus could then goon to install a ‘payload’ with a date 30September 2002, which would executeon that date, reformatting the hard diskand removing all data.
NGSSoftware would recommendthat individuals take at least one of thefollowing steps to protect themselves:1 Install Service Pack 3 2. Set Internet Security Settings to
High3. Remove WinHlp32.exe if it is not
used within your environment
• SSaaffeeMMeessssaaggee eennssuurreess tthhaatt pprriivvaattee oorrccoonnffiiddeennttiiaall eelleeccttrroonniicc mmeessssaaggeess ssttaayytthhaatt wwaayy - SafeMessage has announcedthe launch of its secure communicationssystems in Europe and the appointmentof Steve Jenkins as European ManagingDirector. SafeMessage is aimed at com-panies and individuals needing to sendimportant and sensitive informationwith absolute security. It uses propri-etary patent pending technology tosolve problems associated with emailproviding users with a highly encryptedmessaging system, which both ] fullytracks delivery status and has the abilityto control message life. Messages can beprotected against copying and forward-ing,printing and leaks.Despite SafeMessage having the highestcommercially available encryption lev-els, suppliers claim that the system iseasy to use unlike other secure messag-ing products. Additionally, recipients canverify the message they receive is actual-ly from whom it says (non-repudiation)and hasn’t been tampered with en-route(digital signature.) Messages do not govia an email server and are never sent viainsecure ASCII.This guarantees no elec-tronic ‘foot-prints’ are left, so even acompany’s IT department cannot snoop.Steve Jenkins commented, “Sendinginformation by email is as secure as
sending it on a postcard. With the cur-rent pervasiveness of email people arelulled into a false sense of security.There is a huge potential audience for asecure alternative to email which iseasy to use, and I believe SafeMessage isthe answer. This is best-of-breed-tech-nology and I strongly believe it willbecome the market leader for securemessaging systems.”SafeMessage is currently in use in theUSA in financial services, law and med-ical sectors.
EEddiittoorr’’ss NNoottee:: SafeMessage Tel: ++4444((00))2200 77555566 77002222
• OOppeenn SSeeaass llaauunncchheess nneeww vveerrssiioonn ooffddaattaa sseeccuurriittyy ppaacckkaaggee – SpyKiller, oneof the leading packages for keepingdata locked away from unauthorizedaccess, can now be used with almostany security device on the market.
The latest version of SpyKiller, fromdata security specialists Open Seas, sup-ports the PKCS#11 communicationstandard – allowing the application towork with any smart card or USB tokenusing a Public Key Interface (PKI)encryption algorithm.
SpyKiller uses small, individuallyprogrammed external devices such asUSB tokens and smart cards to makedata on a hard disk thoroughly inacces-sible to anyone without permission toview it.Whether the protected machineis a laptop, a notebook or a desktop PCconnected to a network, the computerwill not even boot up without thedevice in place.
Because the user’s password isstored on the token, there is no dangerof accidentally disclosing it. On the flydata encryption adds an extra level ofsecurity to the gatekeeping system.Other features of the new release,Version 5.3, include a personal firewall,compatibility with the Novell andLinux operating systems, and a new,more convenient logon process.
EEddiittoorr’’ss NNoottee:: For more informationabout SpyKiller and Open Seas’ otherdata security products and services,including advice about the DataProtection Act,call ++4444 ((00)) 11886655 774444665566or visit <wwwwww..ooppeennsseeaass..ccoo..uukk..>.
• SSuurrvveeyy RReevveeaallss EEmmaaiill WWooeess ffoorr tthheeLLeeggaall SSeeccttoorr –– According to an NOP sur-vey, 61% of employees in the legal pro-fession are unable to resist openingsuspected inappropriate emails sent to
CLSR 1806.qxd 24/10/2002 13:47 Page 452
453
CLSR Briefing
their work email address. A further 23%of these make matters worse by will-ingly circulating the offensive materialto colleagues and friends - risking disci-plinary action and damage to theirfirm’s reputation.
SurfControl, experts in email filter-ing and content management, commis-sioned the NOP survey to examine theattitudes towards email use of 100 pro-fessionals from each of the UK’s sevenlargest employment sectors: accountan-cy, the civil service, financial services,legal, retail, IT and manufacturing.
Given the willingness of employeesto circulate career-damaging emails,80% of staff admit that they realize thatpersonal comments or material sentfrom their work email address is theequivalent, in legal terms, of writingand posting the message on depart-ment letterhead paper. Nearly 30% ofthose interviewed,pointed the finger atjunior members of staff as being theworst email abusers in their office.
However, 72% of those interviewedclaimed that highly publicized workrelated email gaffes reported in themedia had made them more wary aboutemails they send that could potentiallydamage their career or reputation.
Steve Purdham, CEO of SurfControlsaid:
“All Internet content that enters, cir-culates and leaves any company’snetwork carries a risk. Our surveyshows that the legal sector still hassome way to go in the way it viewsemail use in the workplace. Thefindings illustrate that firms need tore-evaluate the way in which theyeducate employees about the poten-tial disciplinary and legal risks inap-propriate emails pose to thecorporate reputation. The first stepis for IT and Human Resourcesdepartments to work together todraft an Acceptable Use Policy -communicating what is and is notappropriate use of the email systemfor all employees within the depart-ment. The next step is for the legalsector to employ sophisticated fil-tering technologies that can helpenforce the policy and manage therisks of offensive or harmful emailcontent within the workplace.”
Furthermore more than one in two(59%) employees in the legal profes-sion believes that the volume of emailcommunication in the workplace is
going to spiral out of control - with toomany employees becoming over relianton email communication rather thanface-to-face interaction. Indicating thisdepth of feeling, the survey also revealsthat legal workers’ are most annoyedabout being cc’d into emails withoutthe sender thinking about whether themessage actually applies to them ornot. Over one in four employees (27%)cite this as a major annoyance.
Purdham commented:“These two statistics suggest thatperhaps the legal profession needsto get back to basics and try andencourage users not to becomeoverly dependent onemail. Email isone of a number of methods of com-munication that needs to be man-aged just like the telephone and theold fashioned mail.”EEddiittoorr’’ss NNoottee:: For further infor-
mation visit: <hhttttpp::////wwwwww..ssuurrffccoonnttrrooll..ccoomm//ggoo//eemmaaiilleetthhiiccss22>.
• Legally irrefutable proof of onlinetransactions “here at last” – Internetsecurity specialists SSeeccuurriittyy && SSttaann--ddaarrddss LLttdd have developed a straight-forward range of security softwareproducts known as GrowlTecho whichwill validate the security and moni-tor the integrity of any website but,more importantly, will create legal,irrefutable evidence of the existence ofall forms of digital date.
This proof is supported by indepen-dent third party verification, whichmeans that, for the first time, legallybinding evidence of all online transac-tions is available. This includes not only emails or sales and purchases buttime sensitive or financially significantcommunications such as proof of compliance and due diligence, offers in principle, quotations, contracts orfinancial transactions can be recorded.Having such irrefutable evidence willshorten dispute mechanisms and inmany cases may significantly reducethe need for costly litigation.
The arrival of e-commerce has prob-ably been one of the most dramaticinfluences on the way business is con-ducted since the advent of the tele-phone, but there are two major issues,which need to be resolved in order toachieve the full potential of electronicbusiness. Security has been a concernsince the outset, and whilst it is not aproblem for most Internet transactions,
there have been a number of docu-mented cases where less scrupulouspeople have been able to gain access toconfidential data. GrowlTecho aims tomonitor the real level of security of anysite, and also detects every server oper-ating at any website. It should meanthat users can independently confirmthe identity of any site with which theyare connected.
Those conducting business by theInternet are usually dealing with criti-cally sensitive information, and only byhaving absolute trust in confidentialityand conclusive proof of critical transac-tions can all the benefits of e-businessbe realized.
EEddiittoorr’’ss NNoottee:: For further informa-tion visit Security & Standards websiteat: <<wwwwww..sseeccuurriittyyaannddssttaannddaarrddss..ccoomm>>.Free copies of Growl can be down-loaded via the website or can be sup-plied on CD.
• SSwweeeett && MMaaxxwweellll aaccqquuiirreess LLAAWWTTEELLoonnlliinnee lleeggaall iinnffoorrmmaattiioonn sseerrvviiccee ffrroommCCeennttaauurr CCoommmmuunniiccaattiioonnss - Sweet &Maxwell, a Thomson business hasannounced the acquisition of the LAW-TEL legal online information servicefrom Centaur Communications for anundisclosed sum.
The deal marks the continuedexpansion of Sweet & Maxwell’s onlineservices in the UK, which alreadyinclude Westlaw UK, New Law Onlineand Consult GEE.
LAWTEL offers current awarenessand other legal services designed toallow lawyers to keep in touch with thelatest legal developments at their desk-tops. It is widely used by individualpractitioners at the bar, in law firms, incorporations and in the public sector.As such, it complements Sweet &Maxwell’s other services but will con-tinue to be provided separately.
Sweet & Maxwell has a 200-year his-tory as one of the UK’s leading legaland regulatory market publishers and is part of the worldwide ThomsonCorporation. The company publishes a comprehensive range of legal and regulatory products, as well as its suiteof online services.
Wendy Beecham, Managing Direc-tor of Sweet & Maxwell, said:
“The addition of LAWTEL will great-ly strengthen our ability to reach abroader range of legal customers. Itis an ideal partner for Westlaw UK
CLSR 1806.qxd 24/10/2002 13:47 Page 453
CLSR Briefing
454
which provides in-depth researchservices and serves the needs oflegal research professionals.”
Mike Boswood, Managing Director ofThomson’s Legal operations in Europe,said:
“The acquisition of LAWTEL sup-ports The Thomson Corporation’svision to be the leading provider ofintegrated information solutions tobusiness and professional marketsworldwide. In particular, it rein-forces Thomson’s commitment toinvesting for our customers inonline services,which we believe tobe key to providing effective infor-mation solutions in the future.”EEddiittoorr’’ss NNoottee:: Sweet & Maxwell
<wwwwww..sswweeeettaannddmmaaxxwweellll..ccoo..uukk> is partof the legal and regulatory group of The Thomson Corporation. The Thom-son Corporation <wwwwww..tthhoommssoonn..ccoomm>, with 2001 revenues of $7.2 bil-lion, is a global leader in providing inte-grated information solutions to businessand professional customers.
Westlaw UK was launched by Sweet& Maxwell in March 2000 to providethe only entirely comprehensive andup to date service available to the legalmarket - covering cases, legislation,journals, news and business informa-tion - together with the full text ofmany of Sweet & Maxwell’s titles.
LAWTEL was launched in 1980. Itwas formerly owned by The LawyerGroup, a division of Centaur Communi-cations.
• SSeeccuurree wwiitthh CCCCTTVV –– bbuutt aarree yyoouuCCoonnttrraavveenniinngg tthhee DDaattaa PPrrootteeccttiioonn AAcctt??– Many companies use CCTV for securi-ty and protection purposes; howevermost are unaware of recent changes tothe Data Protection Act which broughtimages captured on CCTV surveillanceequipment under its control.
A 3M Privacy Filter could offer asimple, low cost solution that could aidcompliance with the Data ProtectionAct covering CCTV surveillance.
A Code of Practice has been estab-lished under the legislation which setsout, amongst other things, that it is the responsibility of anyone who usesCCTV to ensure that monitors display-ing images from areas in which indi-viduals would have an expectation ofprivacy should not be seen by anyone,except those authorized to do so.Failure to comply could lead to an
infringement of the Data ProtectionAct and the possibility of an unlimitedfine!
3MTM Privacy Filters have a patent-ed microlouvre film that allows onlythe person sitting directly in front ofthe monitor to see the images of datadisplayed. People viewing from eitherside see only a blank, dark screen,excluding prying eyes – deliberate ornot. The filters are available in a rangeof sizes to fit CRT monitors and LCDflat panels, as well as laptops.
EEddiittoorr’’ss NNoottee:: For more informationof 3M Privacy Filters for CCTV surveil-lance equipment tel: ++4444 ((00)) 334444 885588338811.
• NNeeww wweebbssiittee ffoorr tthhee ccoommpprreehheenn--ssiivvee oonnlliinnee mmoonniittoorriinngg ooff mmeeddiiccoo--lleeggaallccaasseess – LitComp plc has announced thelaunch of a new website, providing a‘live’, web-based site for solicitors andinsurers involved in ongoing personalinjury claims to review the details andstatus of their medico-legal reports.
Responding to the growing demandfor important case information to alwaysbe available, the facility allows solicitorsand insurers access to comprehensivedetails via a unique username, passwordand case number. This informationincludes: Case profile; Case history;Patient Details;Referral Company details;Progress Report;History of medical treat-ment, including pending examinations;Performance Monitor.
Thus, the solicitor or insurer can seeall of the most important, up-to-dateinformation on his computer screeninstantaneously. All information isupdated live as soon as it changes andthe site is fully secure.
Commenting on the new feature,LitComp’s Managing Director JasonSmart said:
“our new cost effective facilities willhopefully prove to be an indispens-able tool for those who must haveconstantly updated vital and confiden-tial information at their fingertips. It isthe latest step in our continuing goalto excel in the provision of medico-legal reporting services.”EEddiittoorr’’ss NNoottee::Further information from: <wwwwww..
lleeggaall--rreeppoorrttss..ccoo..uukk>.
• IICCSSAA llaauunncchheess aa pprraaccttiiccaall gguuiiddee ttooddaattaa pprrootteeccttiioonn – Company directorsand managers must ensure that their
organizations are fully compliant withthe Data Protection Act 1998 and ifthey fail to grasp the importance ofestablishing or improving their compli-ance programs in this area they riskprosecution, hefty fines and adversepublicity. The publishing arm of theInstitute of Chartered Secretaries andAdministrators have published aPractical Guide to Data Protection thatprovides comprehensive coverage ofthe Data Protection Act 1998 and whatis means for businesses.
A Practical Guide to Data Pro-tection includes illustrative examples tohighlight best practice and how to avoidthe possible pitfalls. It shows how toensure that the correct procedures andoperations are set up and followed.Utilising features such as pro-forma doc-umentation, templates and tips, thisbook will help you to deal with andanswer your day-to-day queries onimportant data protection issues.
The book is written by LeeCudmore, in association with the lawfirm Osborne Clarke. Lee Cudmore hasworked for many years as a solicitor,providing advice on data protectionand specializing in commercial andintellectual property matters in the ITindustry. He is currently CompanySolicitor for Ingenta plc. The co-authors, Osborne Clarke, have experi-ence in advising users and suppliers ofthe legal issues surrounding E-Commerce and the Internet. They haveoffices throughout the UK and Europe,as well as branches in the US.
EEddiittoorr’’ss NNoottee:: Copies of this bookcan be ordered via ICSA Publishing’swebsite at:<wwwwww..iiccssaappuubblliisshhiinngg..ccoo..uukk>or by calling Turpin Distribution Serviceson:++4444 ((00)) 11446622 448888990000..
UNITED STATES
Unauthorized Websiteaccess does not infringeWiretap Law
Konop v Hawaiian Airlines Inc. No.99-55106 (9th Cir. 23 August 2002)The 9th Circuit Court of Appeals hasruled that unauthorized access to awebsite did not infringe FederalWiretap law since that only applied tothe interception of communicationswhile in transit. Robert Konop was a
CLSR 1806.qxd 24/10/2002 13:47 Page 454
455
CLSR Briefing
pilot for Hawaiian Airlines (Hawaiian)who maintained a website regarded ascritical to his employer and the AirlinesPilots Association since it stored infor-mation regarding pilots’ labor con-tracts. Konop controlled access to thewebsite by requiring visitors to log inwith a user name and password, afterfirst registering with an authorized userid and creating a password. It wasalleged that Hawaiian Vice PresidentJames Davies had used the names oftwo pilots authorized to use the sitehaving first obtained their consent to do so. Konop filed suit alleging violations of the Federal Wiretap Act,the Stored Communications Act andother subsidiary claims. The DistrictCourt granted summary judgment toHawaiian on the main claims but thiswas subsequently reversed by a CircuitPanel in January 2001. Following a fil-ing by Hawaiian for a rehearing enBanc. The Court withdrew its originalopinion for the one it now issued.
The first task was to determinewhether Hawaiian had violated eitherthe Wiretap Act (18 USC section 2510-2522) or the Stored CommunicationsAct (18 USC section 2701-2711), whenDavies accessed the Konop securewebsite. The Court noted that in 1986Congress has passed the ElectronicCommunications Privacy Act (ECPA)(Pub. L. no. 99-508, 100 Stat. 1848)which was intended to afford privacyprotection to electronic communica-tions. Title 1 of the ECPA had amendedthe Federal Wiretap Act which previ-ously addressed only wire and auralcommunications. It was now to coverthe interception of electronic commu-nications as well. The Court noted thedifficulty of interpreting this legislationwhich was written prior to the adventof the Internet and Worldwide web. Itobserved that, until Congress broughtlaws into line with modern technology,protection of the Internet and websitesuch as Konop’s would remain “a con-fusing and uncertain area of the law”.The legislative history of the ECPA sug-gested that Congress wanted to protectelectronic communications that wereconfigured to be private, such as emailand private electronic bulletin boards.The problem related to unauthorizedpersons deliberately gaining access to such communications. The problemhere, however, was that Davies was able to access the website by entering
correct information, which was freelyprovided to Davies by individuals whowere themselves eligible to view thewebsite.
Konop argued that Davies’ conductconstituted an interception of an elec-tronic communication in violation ofthe Wiretap Act which made it anoffence to “intentionally intercept …any wire, aural, or electronic communi-cation. The task for the court was todetermine whether Konop’s websitewas an “electronic communication”and, if so whether Davies “intercepted”that communication.
Section 2510(12) defined “electroniccommunication”as “any transfer of signs,signals, writing, images, sounds, data, orintelligence of any nature transmitted inwhole or in part by a wire,radio,electro-magnetic,photoelectronic or photoopti-cal system”. The Court observed thatwebsite owners such as Konop transmit-ted electronic documents to servers,where the documents were stored. If auser wished to view the website, theuser requested that the server transmit a copy of the document to the user’scomputer. When the server sent thedocument to the user’s computer forviewing, a transfer of information fromthe website owner to the user occurred.Although the website owner’s docu-ments did not go directly or immediatelyto the user, once a user accessed thewebsite, information was transferredfrom the website owner to the user viaone of the specified mediums. TheCourt therefore concluded that Konop’swebsite did fit the definition of “elec-tronic communication”.
The Wiretap Act however prohibitedonly “interceptions” of electronic com-munications. “Intercept” was defined as“the aural or other acquisition of the con-tents of any wire, electronic, or auralcommunication through the use of anyelectronic, mechanical or other device”.This seemed to suggest that an individual“intercept” and electronic communica-tion merely by “acquiring” its contents,regardless of when or under what cir-cumstances the acquisition occurred.The Court, however, had chosen the nar-row definition of “intercept” observingthat,prior to the enactment of the ECPA,the word “intercept” had been inter-preted to mean the acquisition of a communication contemporaneous withtransmission. In one case (SStteevvee JJaacckkssoonnGGaammeess IInncc vv UUnniitteedd SSttaatteess SSeeccrreett SSeerrvviiccee
((3366 FF..33dd 445577)) 55tthh CCiirr.. 11999944)) the 5th
Circuit had suggested that Congress, inpassing the ECPA, intended to retain theprevious definition of “intercept” withrespect to wire and aural communica-tions while amending the Wiretap Act tocover interception of electronic commu-nications. The Court reasoned howeverthat the word “intercept” did notdescribe the exact same conduct withrespect to wire and electronic communi-cations, because the latter were defineddifferently in the Statute. “Wire commu-nication” was defined to include storageof the communication, while “electroniccommunication” was not. The Courttherefore concluded that this textual dif-ference was evidence of Congress’understanding that one could “intercept”a wire communication in storage, butone could not do so in respect of an elec-tronic communication in storage.
The Court agreed with the SStteevveeJJaacckkssoonn Court that the narrow defini-tion of “intercept” applied to electroniccommunications. It also noted thatCongress had since amended theWiretap Act to eliminate storage fromthe definition of “wire communication”as well (see USA Patriot Act 209, 115Stat at 283).By eliminating storage fromthe definition of wire communication,Congress was essentially reinstating thepre-ECPA definition of “intercept” –acquisition contemporaneous withtransmission – with respect of wirecommunications. The purpose of theamendment was to reduce protectionof voice mail messages to the lowerlevel of protection provided for otherelectronic restored communications.Congress had therefore accepted andimplicitly approved the judicial defini-tion of “intercept” as acquisition con-temporaneous with transmission.Accordingly, the Court held that for awebsite such as Konop’s to be “inter-cepted” in violation of the Wiretap Actit must be acquired during transmis-sion, not while it was in electronic storage. This was consistent with the ordinary meaning of “intercept”which was to “stop, seize or interrupt in progress or course before arrival”(Websters 9th New Collegiate Diction-ary 630 (1985)). The Court noted thatit was consistent with the structure ofthe ECPA which created the StoredCommunications Act for the expresspurpose of addressing “access to stored electronic communications and
CLSR 1806.qxd 24/10/2002 13:47 Page 455
CLSR Briefing
456
transactional records”. The level of protection provided for stored commu-nications under the SCA was consid-erably less than that provided forcommunications covered by theWiretap Act. The Court noted that ifKonop’s position were correct and theacquisition of a stored electronic com-munication were an interception underthe Wiretap Act, “the Governmentwould have to comply with the moreburdensome, more restrictive proce-dures of the Wiretap Act to do exactlywhat Congress apparently authorized itto do under the less burdensome pro-cedures of the SCA. Congress could nothave intended this result. As the 5th
Circuit recognized in SStteevvee JJaacckkssoonnGGaammeess, “it is most likely that Congressintended to require law enforcementofficers to satisfy the more stringentrequirements for an intercept in orderto gain access to the contents of storedelectronic communications”. Accord-ingly the Court concluded that Daviesconduct did not constitute an intercep-tion of an electronic communication inviolation of the Wiretap Act and itaffirmed the District Court’s grant ofsummary judgment against Konop onhis Wiretap Act claims.
On the subsidiary issue that byviewing his secure website Davies hadaccessed stored electronic communica-tion without authorization in violationof the SCA the issue was whether therehad been unauthorized access to “afacility through which an electroniccommunications service is provided.The District Court had found Hawaiianto be exempt from liability under theAct since section 2701(c)(2) allowed aperson to authorize a third party’saccess to an electronic communicationif that person was a “user” of the “ser-vice” and secondly the communicationwas “of or intended for that user”. TheDistrict Court concluded that the twopilots Wong and Gardner did have theauthority under this section to consentto Davies use of the website becauseKonop had put Wong and Gardner onthe list of eligible users. However, theplain language of the section indicatedthat only a “user” of the service couldauthorize such third party access.Since there was no finding by theDistrict Court as to whether Wong orGardner had actually used Konop’swebsite it could not be said that theywere “users” to the extent that they
were in a position to authorize Daviesto view it. The District Court’s grant ofa summary judgment to Hawaiian onKonop’s SCA claim was thereforereversed. A dissenting judgment wasoffered by Circuit Judge Reinhardt con-curring in part and dissenting in part.
Membership Directory isnot a copyright protectedwork
American Massage TherapyAssociation v Maxwell PetersenAssociates No. 01C3193 (USDCND Ill 19 July 2002)
The US District Court for the NorthernDistrict of Illinois has ruled that thecopying of thousands of names fromthe Plaintiff’s membership directorydid not amount to a violation of copy-right law since the listings were notoriginal to the Plaintiff but were“uncopyrightable facts” and thereforeunprotected. The Plaintiff, an associa-tion of professional therapists, was anot-for-profit corporation that in 1999created a registry which included thenames and addresses of more than 36000 members listed geographically andby category of membership. The geo-graphical portion included the membername, address, telephone number,membership category and type of ther-apist. The alphabetical portion includ-ed the member name, type of therapist(registered and/or sports massage ther-apist) and the reference page for con-tact information in the geographicalsection.Members were ordered accord-ingly to one of eight membership cate-gories as defined and described in theassociation’s bylaws. The defendant – aCalifornia corporation engaged in marketing and public relations, ob-tained a copy of the 1999 registry via afriend of one of its employees who had been given the task of compiling amailing list of massage therapists by the Defendant’s sole owner DonaldPetersen. To compile the mailing list ofmassage therapists the Defendantobtained therapists’ names from regula-tory agencies in States which regulatedthem, which amounted to about half ofall states. Subsequently the Defendantcopied 17 617 names and addressesfrom the 1999 registry of the Plaintiffs
into its existing database. The De-fendant used the names and addresseson its database as a mailing list for its magazine Massage Today. The De-fendant also operated a massage thera-pist locator service charging 5 dollarsper name fee for anyone who madecommercial use of the names obtainedthrough the service. Both the Plaintiffand Defendant filed cross motions forsummary judgment on the issues ofcopyright infringement and commonlaw conspiracy. The main issues werewhether the Defendant had infringedthe Plaintiff’s copyright and secondlywhether the Defendant civilly con-spired against the Plaintiff.
On the copyright infringementissue it was necessary to prove owner-ship of a valid copyright and secondlycopying of constituent elements of the work that were original (FFeeiissttPPuubblliiccaattiioonnss IInncc vv RRuurraall TTeelleepphhoonneeSSeerrvviiccee CCoo IInncc ((449999 UUSS 334400,, 336611((11999911))). The first element was not atissue, therefore the only question waswhether the taking of the names andaddresses from the 1999 registrybelonging to the Plaintiff amounted tocopying anything that was “original” tothe Plaintiff. The Court analyzed theFFeeiisstt decision,which is the leading casein the area. That case had found thatraw data (names, towns and telephonenumbers) did not satisfy the originalityrequirement because, while thePlaintiff may have been the first to dis-cover and report the raw data, this datadid not “owe its origin” to the Plaintiff(ID. at 361). The FFeeiisstt court held thedata was uncopyrightable facts and assuch the originality element “rules outprotecting names, addresses and tele-phone numbers of which the Plaintiffby no stretch of the imagination couldbe called the author”.
By comparison, in the present case,the Court held that the copying by theDefendant of the names and addresses in the 1999 registry did not amount to copyright infringement. However,section 103(b) of the Copyright Actexplicitly said that the copyright in acompilation does not extend to “the pre-existing material employed in awork”. The next question, therefore, waswhether the Plaintiff had selected,coordi-nated or arranged these uncopyrightablefacts in an original way. In FFeeiisstt the Courthad held that the selection, coordinationand arrangement of the Plaintiff’s white
CLSR 1806.qxd 24/10/2002 13:47 Page 456
457
CLSR Briefing
pages did not satisfy the minimal consti-tutional standard for copyright protec-tion because these while pages were“entirely typical”. This was because theinformation featured – the name, townand telephone was the “most basic infor-mation”(499 US at 362-63). Therefore theselection was not copyrightable expres-sion. In the present case the court foundthat the selection of geographical listingsincluded the member name,address, tele-phone number, membership categoryand type of therapist. Whilst the name,address and telephone number wasentirely typical of a directory,the listing ofthe membership category and type oftherapist produced sufficiently creativeselection to make it original. AlthoughFFeeiisstt had noted that factual compilationsmight possess the requisite originality (IDat 348) it did place an important limita-tion on this protection,namely that copy-right protection should extend only tothose components of a work that wereoriginal to the author. Therefore no mat-ter how original the format “the factsthemselves do not become originalthrough association”. The fact that thePlaintiff could have arranged the 1999registry in some other form did not ele-vate the listing to the level of creative.While the court acknowledged the timeand effort the Plaintiff had expended increating the 1999 registry, the “primaryobjective of copyright is not to rewardthe labours of authors, but to promotethe progress of science and useful arts”(ID at 349). The Court concluded there-fore that the names and addresses copiedby the Defendant were not original to thePlaintiff and were uncopyrightable facts.The selection of the listings were originaland creative but the coordination andarrangement of the facts were not.Because the Defendant only copied thefacts from the 1999 registry, the namesand addresses in it were not protected byany Plaintiffs’copyright.
Long Island firm sued fortricking students into pro-viding private informationAttorney General Eliot Spitzer has sueda Long Island firm that deceived stu-dents across the nation into supplyingpersonal information in order to selltargeted marketing lists to retailers.Spitzer’s suit targets Student MarketingGroup, Inc. (SMG) of Lynbrook for
deceptive business practices and otherviolations of consumer protection laws.Spitzer commented:
“As a father of school-age children, Iam outraged by this company’s busi-ness tactics.The company’s ultimategoal was not to help students or toresearch educational issues. Instead,the goal was to collect personalinformation about students and pro-vide it to direct marketers.”A key element of SMG’s strategy
was to enlist the support of teachers inhaving their students supply detailedinformation about themselves. Toachieve this goal, the complaint allegesthat the company established a not-for-profit subsidiary, Educational ResearchCenter of America (ERCA), whichserved as a front to collect personalinformation that would then be provid-ed to other companies. Those compa-nies used the data to target salespitches to children for items such asmagazines, music videos, credit cards,clothes, cosmetics and student loans.
Since 1999, ERCA has mailed anannual survey funded by SMG to teach-ers of approximately 14 million studentsacross the nation.The survey has includ-ed a cover letter noting that the informa-tion obtained through the surveys is tobe provided to universities and collegesnationwide for financial aid and studentscholarship foundations.
However, neither the covering let-ter nor the survey disclosed SMG’sintention to use the survey data forother marketing purposes. The cover-ing letter simply represented that theinformation would be used “by univer-sities and colleges nationally in theirongoing efforts to communicate andkeep in touch with the interests andtrends among today’s high school stu-dents” and for “university financial aidoffices and scholarship foundations...toevaluate and make funding available forstudents post secondary education”.
In New York,ERCA had sent studentsurveys to tens of thousands of schoolfaculty members at nearly 2 000 edu-cational institutions. The complaintalleges that in order for this not-for-profit entity to gain the confidence ofschool officials, the Pittsburgh-basedERCA maintained a Pennsylvania Aven-ue, Washington D.C. address, leavingaddressees of its annual surveys withthe false impression that it was an offi-cial government education institution.
In fact, ERCA’s true address is the homeresidence of its sole listed officer.
One of the nation’s leading privacyexperts assailed the company’s tactics.Professor Joel Reidenberg of FordhamUniversity said:
“This case sends a strong message tocompanies that the stealth collectionof personal information is both offen-sive and illegal in New York,especiallywhen those companies like SMGabuse the trust of our schools andchildren. In bringing this suit, ElliotSpitzer continues to demonstrate thathe is one of the nation’s foremost lead-ers in protecting citizens against pri-vacy invasions.”
Spitzer’s office is seeking a court orderbarring SMG and ERCA from utilizingthe data collected by the scheme andfrom any further deceptive acts, as wellas civil penalties for violating the lawand court costs.
Since 1998,SMG has been in the busi-ness of collecting and compiling dataabout children and young adults - frompreschool through college - includingnames, addresses, age, gender, religiousaffiliation, ethnic background, emailaddress, grade point average, career inter-ests and sports participation. SMG’s listsare amassed and rented to retailers andother parties “to identify and reach thosestudents most likely to become your cus-tomers,” according to SMG’s website:<wwwwww..ssttuuddeennttmmaarrkkeettiinngg..nneett>.
SMG claims to provide its list bro-kering services to such significant com-mercial customers as AT&T, ChaseManhattan Bank, Citibank Mastercardand Visa, Mutual of Omaha Companies,and Reader’s Digest.
This case is being handled byAssistant Attorneys General StephenMindell and Herbert Israel of theConsumer Frauds and Protection Bureau.
Microsoft Settles FTCCharges Alleging FalseSecurity and PrivacyPromises
Microsoft Corporation has agreed tosettle Federal Trade Commissioncharges regarding the privacy andsecurity of personal information col-lected from consumers through its“Passport” web services.As part of thesettlement, Microsoft will implement a
CLSR 1806.qxd 24/10/2002 13:47 Page 457
CLSR Briefing
458
comprehensive information securityprogram for Passport and similar ser-vices.“Good security is fundamental to pro-tecting consumer privacy,” said TimothyJ. Muris, Chairman of the Federal TradeCommission. “Companies that promiseto keep personal information securemust follow reasonable and appropri-ate measures to do so. It’s not only goodbusiness, it’s the law. Even absentknown security breaches, we will notwait to act.”
Microsoft, a provider of software,services, and Internet technologies forpersonal and business computing,oper-ates three related Internet services:Passport Single Sign-In (Passport);Passport Express Purchase (PassportWallet); and Kids Passport.Passport col-lects personal information from con-sumers and allows them to sign in atany participating website with a singlename and password. Passport Walletcollects and stores consumers’ creditcard numbers, and billing and shippingaddresses, and enables consumers touse the stored information when mak-ing purchases at participating Websites. Kids Passport allows parents tocreate Passport accounts for their chil-dren that can limit the collection ofpersonal information by participatingWeb sites. Microsoft’s Passport privacypolicies included statements such as:
“Passport achieves a high level ofWeb Security by using technologies andsystems designed to prevent unautho-rized access to your personal informa-tion” and “Your Passport is protectedby powerful online security and a strictprivacy policy.”
The Kids Passport privacy policyincluded statements such as:
“Microsoft Kids Passport allows par-ents to consent to the collection,use and sharing of their children’sinformation with Passport partici-pating sites. . . . You can choose toallow Passport to share all of theinformation in your child’s Passportprofile with a participating site orservice, or you can limit the infor-mation shared to just a unique iden-tifier or age range. . ..”The Commission initiated its inves-
tigation of the Passport services follow-ing a July 2001 complaint from acoalition of consumer groups led bythe Electronic Privacy InformationCenter (EPIC). According to the
Commission’s complaint, Microsoftfalsely represented that:• It employs reasonable and appropri-
ate measures under the circum-stances to maintain and protect theprivacy and confidentiality of con-sumers’ personal information col-lected through its Passport andPassport Wallet services, includingcredit card numbers and billinginformation stored in PassportWallet;
• Purchases made with Passport Walletare generally safer or more securethan purchases made at the samesite without Passport Wallet when,in fact, most consumers receivedidentical security at those sitesregardless of whether they usedPassport Wallet to complete theirtransactions;
• Passport did not collect any personal-ly identifiable information otherthan that described in its privacypolicy when, in fact, Passport col-lected and held, for a limited time, apersonally identifiable sign-in histo-ry for each user; and
• The Kids Passport program providedparents control over what informa-tion participating Web sites couldcollect from their children.The proposed consent order pro-
hibits any misrepresentation of infor-mation practices in connection withPassport and other similar services. Italso requires Microsoft to implementand maintain a comprehensive informa-tion security program. In addition,Microsoft must have its security pro-gram certified as meeting or exceedingthe standards in the consent order byan independent professional every twoyears.
In addition to EPIC, the coalition ofconsumer groups that filed the com-plaint regarding the Passport servicesare: the Center for Digital Democracy,Center for Media Education, ComputerProfessionals for Social Responsibility,Consumer Action, Consumer Federationof America, Consumer Task Force forAutomative Issues, Electronic FrontierFoundation, Junkbusters Corporation,Media Access Project,NetAction,PrivacyRights Clearinghouse and US PIRG.TheCommission’s action today is also consis-tent with a recent decision by theChildren’s Advertising Review Unit ofthe Better Business Bureau (CARU)regarding the Kids Passport service.The
Commission vote to accept the pro-posed consent order and place a copyon the public record was 5-0.
Arrests made in GlobalChild Molesting andPornography RingUS Commissioner of Customs RobertC. Bonner has announced the execu-tion of 15 US search warrants and thearrests of 10 US citizens in OperationHamlet, a global investigation into aring of pedophiles who sexuallymolested children and distributed childpornography over the Internet.To date,45 children worldwide, including 37children in the US, have been rescuedfrom this abuse. In many cases, parentswere involved in the molestation oftheir own children.
Commissioner Bonner’s announce-ment coincides with the indictment onAugust 8,2002,of 15 of the suspects onfederal conspiracy charges in theEastern District of California. Six ofthose indicted are foreign nationals.
“I congratulate the investigatorswhose ingenuity and perseverancebrought these people to justice,” saidCommissioner Bonner. “There is noduty that law enforcement officials takemore seriously than protecting chil-dren from predators.”
Since November 2001, the USCustoms CyberSmuggling Center, hasbeen coordinating US investigativeefforts following a request for assis-tance from Danish National Police(DNP). The DNP had previouslyreceived information from an Internetwatchdog group called “Save theChildren”about photographs the grouphad discovered on the Internet depict-ing a man sexually abusing a young girl.The man and his wife were arrested bythe DNP after investigators learned thatthey had posted images on the Internetof their nine-year-old daughter beingmolested.The images were shared overthe Internet with individuals in othercountries including the United States.
Working closely with the DNP, theUS Customs Attaché in Berlin, INTER-POL, the National Center for Missingand Exploited Children, and other fed-eral, state, and local law enforcementagencies, officials from the CustomsCyber Smuggling Center were able toidentify several individuals in the
CLSR 1806.qxd 24/10/2002 13:47 Page 458
459
CLSR Briefing
United States who were believed to bepart of the ring. US Customs identifiedsuspects in several states includingCalifornia, Idaho, Nevada, Florida,New York, Washington, New Jersey,Michigan, South Carolina, Illinois, andTexas.
Ten suspects have been arrested inDenmark, Belgium, Germany, England,Switzerland, and the Netherlands.Addi-tional arrests in the United States areanticipated.
US Customs continues to partici-pate in the enforcement of laws aimedat protecting children from sexualexploitation and abuse by pedophiles.US Customs investigations have led tofederal and state prison sentences forthose found guilty of child exploitationviolations, including the recent sen-tencing of Glenn Martikean, a memberof the Blue Orchid Club dismantled byUS Customs and Moscow City Policelast year. Martikean received 20 years inprison after having been found guiltyon a number of charges.
EEddiittoorr’’ss NNoottee:: Further informationfrom: <wwwwww..ccuussttoommss..ggoovv>.
EUROPEAN UNION
Data Protection:Commission seeks viewson privacy legislationCitizens and businesses in the UnitedKingdom had until 15 September tocontribute online to the EuropeanCommission’s review of how Europeandata protection legislation is working.The consultation was launched in lateJune and more than 9 000 responseswere received from across Europe.Thesurvey was part of the InteractivePolicy Making initiative (see IP/01/519). The results were discussed withdata protection experts at a conferenceorganized by the Commission inBrussels at the end of September andwill be fed into the Commission’sreport, due at the end of 2002, on howthe 1995 Data Protection Directive is being applied. Internal MarketCommissioner Frits Bolkestein said:“The Commission’s job is to ensure asecure legal framework that allows thefree movement of information in theInternal Market, while at the same timeguaranteeing the fundamental right of individuals to have their privacy
respected.There is of course no privacywithout the protection of personaldata. We have to keep the Data Pro-tection Directive under review to en-sure that it is working in the interestsour citizens, businesses, public authori-ties and other interested parties.”
EEddiittoorr’’ss NNoottee:: To find out moreabout Data Protection in the EuropeanUnion, visit the Commission’s Europawebsite at: <http://europa.eu.int/comm/privacy>. Background text:IP/02/923
Regulations provide procedure for creation of“.eu”Top Level DomainThe European Council has called uponthe Commission to take the necessarymeasures to introduce a new InternetTop Level Domain (TLD) for Europe -“.eu”. This will complement the exist-ing generic TLDs such as dot.com anddot.org as well as the existing countrycode TLDs such as dot.uk,dot.de,dot.fr,dot.es etc, and provide a Europeanidentity in the Domain Name Systemfor European Internet users. A Comm-unication to the Council and theEuropean Parliament in July 2000 indi-cated the necessary steps to be taken tocreate the Domain. There are severalstages in this process. Firstly, theEuropean Parliament and the Councilhave adopted a Regulation on the basisof the Commission’s proposal, whichprovides the legal basis for the creationof the .eu registry.
Now that the Regulation has beenadopted, the procedure for the imple-mentation of the Regulation can be initiated,including the selection and des-ignation of the .eu Registry operator, aswell as the definition of applicable pub-lic policy rules. The Commission willwork closely with the Member States ateach stage of this process.
Once these steps have been com-pleted, the .eu Registry will be able tobegin operations.The Commission cur-rently anticipates that the registrationof .eu domain names can begin by early2003.
EEddiittoorr’’ss NNoottee:: The Commission is notproposing to act as a Registry or Registrarfor the “.eu” TLD and cannot acceptrequests to reserve particular namesunder the planned system.Further policyand organizational decisions will be
necessary and it is unlikely that the futureRegistrars will be able to start to receiveapplications before the end of 2002.TheCommission has also strongly discour-aged pre-registration in “.eu”pending thecreation of the Registry and adoption ofits registration policies.
Further information from: <<hhttttpp::////eeuurrooppaa..eeuu..iinntt//iinnffoorrmmaattiioonn__ssoocciieettyy//ttooppiiccss//tteelleeccoommss//IInntteerrnneett//eeuu__ddoommaaiinn//iinnddeexx__eenn..hhttmm>>..
EU proposes frameworkdecision on the retention oftraffic dataA Belgian proposal for a draft frame-work decision on the retention of trafficdata and on access to this data in con-nection with criminal investigationsand prosecutions has been leaked to thecampaigning group “Statewatch” whichmonitors EU policy developments interms of privacy and civil libertiesthreats. According to the proposal,access to traffic data (“all data process-ing which relates to the routing of acommunication by an electronic com-munications network”) is particularlyrelevant in the case of criminal investi-gations into cyber crime, including theproduction and defusion of pedophileor racist material. Previous Council andCommission policy discussions havecalled for intervention in the area ofcyber crime and it is now regarded asnecessary to allow the authoritiesresponsible for criminal investigationsand prosecutions to have access to suchtraffic data. It is proposed to establish a12-24 month period for a priori reten-tion of traffic data,which would includeinformation identifying the source, des-tination, and time of a communicationas well as details of the subscriber and the communication device used.Commenting Statewatch editor, TonyBunyan said:“EU Governments claimedthat changes to the 1997 EC Directiveon privacy in telecommunications toallow for data retention and access bythe law enforcement agencies wouldnot be binding on Member States – eachnational parliament would have todecide. Now we know that all alongthey were intending to make it binding,“compulsory”, across Europe. The rightto privacy in our communications –emails, phone calls, faxes and mobilephones – was a hard-one right which
CLSR 1806.qxd 24/10/2002 13:47 Page 459
CLSR Briefing
460
has now been taken away. Under theguise of fighting “terrorism” everyone’scommunications are to be placed undersurveillance. Gone too under the draftFramework Decision are basic rights ofdata protection,proper rules and proce-dure, scrutiny by supervisory bodiesand judicial review”.Further information from: <wwwwww..ssttaattee--wwaattcchh..oorrgg//nneewwss//22000022//aauugg//0055ddaattaaffdd11..hhttmm>.
OTHER NEWS INBRIEF
CENTR issues Statementon ICANN Reform
CENTR, the Council of EuropeanNational Top Level Domain Registries,on behalf of its members, has issued aposition statement to the US Depart-ment of Commerce (30 July 2002) call-ing for a lightweight ICANN. Thesecountry code Top Level Domain(ccTLDs) Registries have already reject-ed the ICANN Evolution and ReformBlue Print as published on 21 June 2002.Dr Willie Black,Chairman of CENTR andExecutive Chairman of Nominet UK, akey supporter of the statement, said:
“ICANN’s prime function is to co-ordinate the world root. It shouldact as a resource to assist ccTLDswith the development of voluntarypolicies covering issues such as dis-pute resolution, WHOIS and dataescrow policies.We are lobbying fora lightweight ICANN that will helpus in the development of these bestpractices”.On the thorny issue of re-delegation,
the authors believe that while ICANN has a role to play in implementing arequest for re-delegation, actual casesshould be decided by the Local InternetCommunity in consultation with localgovernments,not by ICANN itself.
The ccTLD community, whichincludes CENTR members and Nom-inet UK, have set up regional workingparties with the Government AdvisoryCommittee to translate its vision intodetailed proposals.
EEddiittoorr’’ss NNoottee:: The full CENTR state-ment can be found at: <hhttttpp::////wwwwww..cceennttrr..oorrgg//nneewwss//CCEENNTTRR--IICCAANNNN--ssttaatteemmeenntt..hhttmmll>.
ICANN accuses VeriSign ofregistrar accreditationbreaches
In a formal notice issued on 3 September2002 ICANN – the Internet Corporationfor Assigned Names and Numbers -–hasaccused VeriSign registrar of seventeeninstances of breaches of its accreditationagreement. This obliges VeriSign to pro-vide ICANN with specified `whois data’through which the public is providedwith free query-based access to updateddata concerning all active registerednames sponsored by the Registrar foreach top level domain in which it isaccredited. The letter identifies seven-teen examples of VeriSign’s failure tocomply with its contractual obligations.ICANN accuses VeriSign of taking “a cava-lier attitude towards the promises itmade” and seeks assurances fromVeriSign’s Registrar that it will act“promptly to cure the breaches outlinedin this letter, and will become moreresponsive and cooperative in dealingwith data inaccuracies as they are discov-ered”. ICANN argues that registrars havea vital role in maintaining the accuracy ofwhois data and believes that its advisoryissued in May 2002 already gives suffi-cient guidance to registrars on how theyshould act towards compliance withtheir contractual obligations.
EEddiittoorr’’ss NNoottee:: Further informationfrom ICANN at: <wwwwww..iiccaannnn..oorrgg>.
WIPO’s domain name data-base goes live A database containing detailed informa-tion on thousands of cases of “cyber-squatting”, handled by the Arbitrationand Mediation Center of the WorldIntellectual Property Organization(WIPO), became available online on 5 July, 2002 <hhttttpp::////aarrbbiitteerr..wwiippoo..iinntt//ddoommaaiinnss//sseeaarrcchh//>.The WIPO Center isthe leading dispute resolution serviceprovider of the Uniform Domain NameDispute Resolution Policy (UDRP) - alow-cost and speedy alternative to liti-gation in the drive to resolve cases of“cybersquatting”.
The database is the first to be madeavailable by a UDRP dispute resolutionservice provider and is launched as partof WIPO’s continued efforts to furtherenhance the quality and transparencyof the UDRP process. It is designed to
provide quick and easy access to infor-mation on domain name cases handledby WIPO and will serve as a usefularchive for interested parties. It willassist the parties in preparing their sub-missions, panelists in rendering theirdecisions, and it will provide the publicwith easier access to the vast data relat-ing to the cases and the growingjurisprudence under the UDRP.
The database is equipped with apowerful search engine that enablesusers to filter and access targeted infor-mation on “cybersquatting” cases han-dled by WIPO. The multilingual searchengine - available in English,French andSpanish - provides multiple options forthe selection of required information,as follows:• Users may access a summary of case
details (case number, domain name,parties involved, status of case) byselecting “View Case Particulars”.
• Users may also select the “SearchWIPO Cases by Domain Name”option to obtain information oncases relating to specific domainnames.
• A “Full Text Search on WIPO PanelDecisions” option provides a textsearch of all WIPO UDRP decisions.
• The search engine also providesaccess to an index of WIPO UDRPPanel Decisions by keywords. Theindex features two search func-tions: a “Search by Domain NameCategories” (e.g. entertainment,media, or telecommunications) anda “Legal Index” that allows an exten-sive search of decisions by substan-tive and procedural legal issues (e.g.typosquatting, free speech, reversedomain name hijacking). The twosearch functions may also be com-bined.
The UDRP is applicable to generic top-level domains (gTLD) adopted by thetechnical manager of the gTLD space,the Internet Corporation for AssignedNames and Numbers (ICANN), onAugust 26, 1999.The UDRP establishesa uniform and mandatory administra-tive dispute-resolution system toaddress cases of bad faith, and abusiveregistrations. Using this system, panelsof one or three experts, appointed bythe WIPO Arbitration and MediationCenter, apply streamlined, quick andcost-effective procedures to reviewclaims and eliminate clear abuses oftrademark holders’ rights. The WIPO
CLSR 1806.qxd 24/10/2002 13:47 Page 460
461
CLSR Briefing
Center’s Domain Name DisputeResolution Service has been estab-lished specifically to administer domainname disputes and is supported byelectronic case filing facilities and awell developed case administration system.
EEddiittoorr’’ss NNoottee:: Further informationfrom: <<wwwwww..wwiippoo..oorrgg>.
EPIC and PrivacyInternational condemn privacy erosionThe Electronic Privacy InformationCenter (EPIC) and Privacy Internationalhave released the fifth annual Privacyand Human Rights survey. The reportreviews the state of privacy in over fiftycountries around the world. The reportwas released at a press conference at theNational Press Club in Washington, DC inSeptember.
The Privacy and Human Rights reportexamines the impact of September 11,2001 on privacy and civil liberties. Thereport finds that many new anti-terrorismlaws adopted by national governmentssince September 11 threaten politicalfreedom.For example, in Canada, the newanti-terrorism law adopts a controversialdefinition of “terrorist activity,” authorizes“preventative” arrests and grants signifi-cant new surveillance powers to theCanadian Security Intelligence Services(CSIS). In Denmark, a new law grants lawenforcement the authority to covertlyinstall snooping software on computersof criminal suspects and mandates reten-tion of traffic data by ISPs. A similar dataretention requirement is included in theFrench anti-terrorism law along with aprovision requiring disclosure of encryp-tion keys.
In Germany, increased powers forgovernment sharing of information andlegal authorization for biometric identi-fiers in passports and identity cardshave been put in place. In India, a newlaw gives police sweeping powers toarrest and detain suspected terrorists,conduct electronic surveillance, andcurtail free expression. In the UK, amandatory data retention scheme hasbeen put in place and the government ispushing the introduction of a nationalID card.
In the United States, the USA-PATRIOTAct authorizes increased data sharing am-ong government agencies and significantly
weakened privacy protections in the federal wiretapping statutes. In Australia,a proposal to allow law enforcement tointercept electronic communicationswithout a warrant was dropped from thepackage of anti-terrorism measures adopt-ed in late June but is likely to resurface at
a later stage. In New Zealand a bill granting major new powers to surveillanceagencies is still pending, as is a proposal requiring telecommunications operatorsto make all necessary changes to their systems in order to assist the police andintelligence agencies intercept communi-cations.
Marc Rotenberg, CLSR Report Corres-pondent and Executive Director of EPIC,said, “September 11 has posed an enor-mous challenge to democratic govern-ments around the world. Too manyadopted expanded surveillance authoritywithout considering the long-term conse-quences for Constitutional government.Still, there are important indications thatcitizens are not prepared to sacrificepolitical freedom to address the challengeof terrorism.”
The EPIC/PI report also found thatefforts to pass new data protection lawsare continuing in Eastern Europe,Asia andLatin America. A significant campaign isunderway in Japan to stop the adoptionof a national identification system.In addi-tion, efforts to protect privacy in theworkplace are gaining more prominence.The report, which runs more than 400pages,covers a wide range of other topicsincluding biometrics, genetic privacy,national ID cards, spy TV, and privacyenhancing technologies.
EEddiittoorr’’ss NNoottee::“Privacy and Human Rights 2002:
An International Survey of Privacy Lawsand Developments” is available for sale at the EPIC Bookstore: <hhttttpp::////wwwwww..eeppiicc..oorrgg//bbooookkssttoorree//pphhrr22000022>and (in PDF) at: <hhttttpp::////wwwwww..pprriivvaaccyy--iinntteerrnnaattiioonnaall..oorrgg//ssuurrvveeyy//pphhrr22000022//>.
EPIC is a public interest researchcenter in Washington, DC. EPIC main-tains a comprehensive web site on privacy and civil liberties issues at<hhttttpp::////wwwwww..eeppiicc..oorrgg>. Privacy Inter-national is a human rights group formedin 1990 as a watchdog on surveillanceby governments and c orporations. PI isbased in London, England, and has anoffice in Washington, DC. More informa-tion on PI is available at: <hhttttpp::////wwwwww..pprriivvaaccyyiinntteerrnnaattiioonnaall..oorrgg>.
Uncontrolled spammingblocks data processing to seven Italian Internetcompanies Spamming without data subjects` con-sent is actually causing serious damageto seven companies established in Italy,selling goods and services on theInternet.The Italian Data Protection Authority(the Garante), by means of variousdecrees issued in July 2002 and pub-lished through a press release availableon the authority’s website,1 has recent-ly blocked the processing of personaldata of some companies established inItaly, supporting its measure with a rul-ing established by section 31, 1, l), ofACT no. 675 of 31.12.1996 (Protectionof individuals and other subjects withregard to the processing of personaldata, i.e. the Italian Data ProtectionLaw, the “Law”).
Section 31 expressly entitles theGarante to prohibit data processing, inwhole or in part,or block such process-ing if found unlawful or incorrect part-ly because of:• the failure by data controller to take
the necessary measures and changesrequested by the Garante andwhich are necessary or appropriatefor the processing to comply withthe provisions in force; or
• if there is an actual risk that suchprocessing may adversely affect oneor more data subjects,having regardto the nature of the data or thearrangements applying to the pro-cessing or the effects thereof.All the complaint procedures have
been started by complaints filed withthe Garante by various data subjectsthat, having never given any consent todata controllers to use their emailaddresses for marketing purposes,wereinundated with electronic messagescausing mailboxes to overfill.
After unanswered complaints to the data controllers, customers startedthe complaint procedures with theGarante that, instead of narrowing itsaction to examine these particular com-plaints, analyzed the general behaviorof the data controllers. This showedthat unlawful data processing was notrestricted to specific customers. Itappeared to show violation of the lawgoing beyond the single case, findingevidence of “general unlawful behavior,
CLSR 1806.qxd 24/10/2002 13:47 Page 461
CLSR Briefing
462
including the collection of emailaddresses through the Internet withoutany previous acquisition of informedconsent from data subjects”.
Thus, the Garante has ordered thecompanies to block personal data pro-cessing, except for storage,2 expresslystressing in its decree that, in accor-dance with Section 37 of the Law, any-one who fails to comply with measurestaken by the Garante shall be punishedby imprisonment for between threemonths and two years.
Accordingly, from the notification3
of the various decrees, all the compa-nies involved (and mainly active in soft-ware development, advertising andtelecommunication services) are nolonger allowed to actively process per-sonal data. As a direct consequence ofthis decree, their business is now sus-pended, pending further developmentswithin the complaint procedures.
All the companies that have beensanctioned have based their defensesubstantially on similar grounds, declar-ing that the collection of data has beendone through random and massiveresearch on the Internet, on the(wrong) assumption that it was compa-rable to a public file (as per section 12,(1)(c) of the Act, whereby the data sub-ject’s consent is not required if the pro-cessing concerns data extracted frompublic registers, lists, documents orrecords which are publicly available).
Obviously, although some of theaddresses were publicly availablethrough the Internet, it is relevant tothe complaint procedures to clarifythat such addresses were publicly dis-seminated for specific purposes and,obviously, their processing was onlyallowed for such restricted uses.
Notwithstanding the clear purposeof the public availability of suchaddresses and the necessity to obtain aspecific informed consent for market-ing activity, many addresses had beenunlawfully used for marketing purpos-es, going beyond the purposes for theirpublication on the Internet and causingserious embarrassment to all the datasubjects involved (receiving any sort ofadvertisement on their personal com-puters, even related to pornography).
In any case, in order to issue specif-ic and stricter rules to regulate dataprocessing for marketing purposesthrough the Internet, the Garante is inthe process of drafting a specific “code
of conduct” that is expected to bereleased before the end of 2002.
AAlleessssaannddrroo NNaappoolliittaannooLLaawwyyeerr,, LLoovveellllssEEddiittoorr’’ss NNoottee::
1. The press release can be read (inItalian) on the site <wwwwww..ggaarraann--tteepprriivvaaccyy..iitt>.
2. As per section 1 of the Law, “pro-cessing” shall mean any operation,or set of operations carried outwith or without the help of elec-tronic or automated means, con-cerning the collection, recording,organization, kkeeeeppiinngg, elaboration,modification, selection, retrieval,comparison, utilization, intercon-nection, blocking, communication,dissemination, erasure and destruc-tion of data. Accordingly, the stor-age keeping is regarded as dataprocessing itself and, at this stage, isthe only legitimate processingallowed to the companies subjectto the Garante“blocking”decree.
3. Garante’s decrees are usuallyserved to data controllers by theMail Police, a special public securitybody dealing with telecommunica-tions offences.
Government of Canada toReview interception ofcommunications legislationThe Canadian Government hasannounced that it will consult withCanadians concerning lawful access toinformation and communications.Minister of Justice and AttorneyGeneral, Martin Cauchon said:
“Lawful access legislation must pro-tect the privacy of Canadians and reflecttheir values.The Government of Canadawill be examining current laws toensure crimes and other threats to pub-lic safety can continue to be investigatedeffectively. Legislation governing lawfulaccess was originally designed for rotarytelephones — not email or the Internet.Dated laws allow criminals and terroriststo use technology to hide their illicitactivities.This initiative is about keepingour laws current so that the police cando their job and keep Canadians safe.”Industry Minister, Allan Rock said:“Technology is a great enabler forCanadians, but also presents challengesfor law enforcement.” Through thisprocess, we are seeking ideas from law
enforcement, industry and all Canadiansto find a solution that supports publicsafety and privacy, and how to achievethis without inhibiting industry’s abilityto innovate and compete.”Lawful accessis the lawful interception of communica-tions,and the search and seizure of infor-mation by law enforcement and nationalsecurity agencies. Updating lawfulaccess legislation is essential to a broadrange of investigative bodies, in theircontinued efforts to fight crimes such asterrorism, child pornography, drug traf-ficking, smuggling, Internet and telemar-keting fraud, price fixing and moneylaundering. Lawful access can only beexercised with a lawful authority, and iswell entrenched in laws such as theCriminal Code, the Canadian SecurityIntelligence Act, the Competition Actand other Acts of Parliament. Lawfulaccess legislation also recognizes theprivacy rights of all people in Canadaand their rights under the CanadianCharter of Rights and Freedoms. Thisconsultation process will involve keystakeholders including law enforce-ment, telecommunications companies,civil liberties and privacy organizations.The public will also be given the oppor-tunity to consider lawful access issuesand options for change by obtaining aconsultation paper, which is available at<http://www.canada.justice.gc.ca/en/cons/la_al>. Those wishing to respondneeded to send their submissions to: [email protected] before November 15,2002.
EEddiittoorr’’ss NNoottee:: In the January 2001Speech from the Throne, theGovernment of Canada pledged to pro-vide modern tools to safeguardCanadians from emerging threats suchas cyber-crime. The lawful access con-sultation will contribute to theGovernment’s ongoing commitments,both nationally and internationally, toensure a balanced and effectiveapproach to addressing threats to pub-lic safety and national security.
The Internet on probation:anti-terrorism drive threatens Internet freedomReporters Without Borders, an organi-zation which defends freedom world-wide has warned that security “abuses”by the world’s governments in the yearsince the 11 September attacks in the
CLSR 1806.qxd 24/10/2002 13:47 Page 462
463
CLSR Briefing
United States have increasingly put theInternet under the control of securityservices.
“Basic Internet freedoms have clear-ly been cut back,” said the organiza-tion’s secretary-general,Robert Ménard,and the Internet can be put on the listof the “collateral damage”caused by the“tragic events” in New York andWashington and the drive for tightersecurity. Many governments had alsoused the pretext of the anti-terrorismdrive to curb basic freedoms or crackdown on their domestic opponentsusing the Internet.
Ménard spoke as Reporters WithoutBorders published a report, TheInternet on Probation, detailing theconcerted attacks on Internet freedomsaround the world over the past year.
He said the situation was especiallydisturbing because, apart from coun-tries (such as China, Vietnam, SaudiArabia and Tunisia) traditionally hostileto human rights and freedom of expres-sion that had used the situation to stepup repression, Western democracieswere now posing a “new threat” to citi-zens’ freedoms with an arsenal of newsecurity measures.
The report said many countrieshad introduced facilities for general
retention of data about people’s emailtraffic and Internet activity, turningInternet service providers (ISPs) andtelecommunications companies into “apotential arm of the police. Access tothis mass of information is being givenwith alarming ease to police and intel-ligence services,” it said.“This unprece-dented abuse means all citizens aretheoretically under suspicion.”
The report cites the major stepstaken in the drive against Internet free-doms over the past year.These includeUN Security Council Resolution 1373on fighting terrorism, the USA PatriotAct passed by the US Congress and var-ious orders of President George Bush,the amendment of the EuropeanUnion’s rules on protection of electron-ic data, various other laws passed byparliaments around the world and therecommendations of the G8 nationsand the European police body, Europol.
“The United States, Britain, France,Germany, Spain, Italy, Denmark, theEuropean Parliament, the Council ofEurope and the G8 nations have allchallenged cyber-freedoms over thepast year,” said Ménard. “Yet these arecountries with deep-rooted secular anddemocratic traditions whose citizensfought long and hard to win their right
to free expression, the confidentialityof mail and the right of journalists notto reveal their sources.What would thecitizens of Europe and elsewhere do,”asked Ménard,“if they were told a lawhad been passed allowing what theysent through the post to be routinelyread by the police at any time ? Theywould be outraged at such restrictionson their freedom.“Yet these are exactlythe kind of measures that have beentaken or are being taken concerningthe Internet.We need to be much morevigilant.”
EEddiittoorr’’ss NNoottee:: A copy of the reportis available from: <wwwwww..rrssll..oorrgg>..
Reporters Without Borders defendsimprisoned journalists and press free-dom throughout the world, as well asthe right to inform the public and to beinformed, in accordance with Article19 of the Universal Declaration ofHuman Rights. Reporters WithoutBorders has nine national sections (inAustria,Belgium,France,Germany, Italy,Spain, Sweden, Switzerland, and theUnited Kingdom), representatives inAbidjan, Bangkok, Buenos Aires,Istanbul, Montreal, Moscow, Nairobi,New York, Tokyo and Washington andmore than a hundred correspondentsworldwide.
CLSR 1806.qxd 24/10/2002 13:47 Page 463
