United States



US Government Seizes 130 Domains

On November 26, 2011, in Internet, Law enforcement, United States, by Jorge Espinosa

On Friday, November 25, 2011, the Department of Justice (DOJ), working with Immigration and Customs Enforcement (ICE), seized 130 domains operated by alleged counterfeiters. The seizures seem to be a continuation of last year’s “Operation In Our Sites v. 2.0,” an initiative designed to crack down on online piracy and counterfeiting by seizing the domain names under which the targeted sites operate. In last year’s seizures over 82 domains were seized.

The seizure seems to have been timed to anticipate “Cybermonday,” the follow-up to “Black Friday” when consumers are encouraged to shop on-line. The domains seized include clothing resellers such as 100jerseys.com, purse and bag resellers such as Louisvuiton-bags-forcheap.com, shoe resellers such as Reeboksite.com and even an auto software site, autocd.com. Attempts to log into the sites result in a message which states:

This domain has been seized by ICE- Homeland Security Investigations, pursuant to a seizure warrant issued by a United States District Court under the authority of 18 U.S.C. §§ 981 and 2323.

Such seizures have been criticized in the past by consumer advocates as excessive and as violations of First Amendment rights. At least one senator has expressed his displeasure with these tactics in the past. Senator Ron Wyden (D-OR) wrote to ICE and stated:

In contrast to ordinary copyright litigation, the domain name seizure process does not appear to give targeted websites an opportunity to defend themselves before sanctions are imposed. As you know, there is an active and contentious legal debate about when a website may be held liable for infringing activities by its users. I worry that domain name seizures could function as a means for end-running the normal legal process in order to target websites that may prevail in full court. The new enforcement approach used by Operation In Our Sites is alarmingly unprecedented in the breadth of its potential reach…

For the Administration’s efforts to be seen as legitimate, it should be able to defend its use of the forfeiture laws by prosecuting operators of domain names and provide a means to ensure due process. If the federal government is going to take property and risk stifling speech, it must be able to defend those actions not only behind closed doors but also in a court of law.

The Senator’s letter also focused on the scant evidence and investigation required to obtain the seizure warrants and how they resulted in wrongful seizure in at least one case.

Aside from their legality, the effectiveness of such seizures has also been questioned. In addition, the popular web browser Firefox has a plug-in which allows users to find a website despite the seizure of its domain. Nevertheless, for the average consumer who is not technically sophisticated, the domain seizures provide an effective means for sending a message against the purchase of counterfeit goods. No press release has been issued by ICE regarding the new seizures.


Know what you are getting on the cloud

On November 5, 2011, in Cloud Computing, Internet, Privacy, United States, by Jorge Espinosa

It was big news last month when Dropbox, the popular cloud storage provider, announced that it was offering new multiuser business accounts at a competitive price. The business, which initially launched as a consumer service, announced that it would now be offering its new service to small and medium size corporate clients. Corporate users would be able to create virtual disk folders on their computers which would be mirrored on the cloud and would be available anywhere.

The promotional information for the new service touted its high level of security, which includes password protection and user-side encryption. What Dropbox did not readily disclose in its promotional materials was that the service does not meet the requirements of the Payment Card Industry (PCI), the Health Insurance Portability and Accountability Act (HIPAA) or the Sarbanes-Oxley law. Use of the service by a corporation subject to these acts could result in substantial fines and penalties.

Although many similar services also do not meet these requirements, Dropbox’s new service is directed not at the home user but at corporate customers in industries likely to be governed by these regulations. Dropbox’s explanation for not emphasizing this shortcoming in its promotional literature was that its customers were more concerned with collaborative ease than with regulatory compliance.

Ultimately, this is an example of the basic rule of all cloud computing: user beware. A corporation in a regulated industry needs to be proactive in confirming that a service which it intends to use fulfills its regulatory requirements. Furthermore, corporations need to create, promote and enforce internal guidelines to avoid use of cloud-based services which could result in regulatory violations. For such guidelines to be effective, the company’s employees need to be educated to avoid using such services for company information without prior company approval.


Three controversial laws that could change your life on the Internet

On November 2, 2011, in Internet, United States, by Jorge Espinosa

Three controversial new laws are on the horizon which, if enacted, could have a significant impact on the Internet in the United States. Imagine if your business is accused by a competitor of distributing infringing content and your site is taken off the Internet before you have a chance to defend. Imagine search engines refusing to show your site on search results. Imagine being banned from using the Internet. Imagine your music player or laptop searched at the border for infringing content. All of this and more could come true under these pending laws.

Protect IP Act

Sponsors of the “Protect IP Act” (S. 968) claim that the law is intended to fight piracy and copyright infringement. It is a law that is strongly supported by the large media companies who face serious problems with content infringement. However, the bill has attracted broad criticism from small business and civil liberties groups. The bill, if passed into law, would give the Justice Department the ability to seek court orders seizing the sites’ domain names and requiring search engines, payment processing companies and advertising networks to blackball web sites deemed to promote infringing content. The problem is that the bill does not provide a clear definition of what constitutes an infringement-promoting site, therefore leaving the door open to commerce-chilling threats of web site shutdowns. Separately, including a private right of action means that any rights holder can tie up a service provider in costly legal action, even if the claims eventually turn out not to be valid. For a small business or startup this makes them very vulnerable to the well-established media companies. The bill has been put on hold by Senator Ron Wyden (D-OR).

Stop Online Piracy Act

A successor to the Protect IP Act is the “Stop Online Piracy Act” (H.R. 321), which was introduced last month by a bipartisan group of senators. The House Judiciary Committee will hold a hearing on the act November 16, 2011. As with the stalled Protect IP Act, H.R. 321 allows copyright owners to require search engines to block accused websites from showing up on search results. Internet service providers such as AT&T or Comcast can be required to block accused websites from their customers. Payment companies such as PayPal, Visa or MasterCard can stop all payment processing for any website that they suspect may be posting copyrighted work without permission. The bill has been criticized for its “shoot first ask questions later” approach and the economic damage that it could cause falsely accused sites.

The Anti-Counterfeiting Trade Agreement

The last of these three new potential laws is part of a new international copyright protection treaty. The Anti-Counterfeiting Trade Agreement (ACTA) is a multilateral agreement which would create a new international network of laws and regulations governing copyrighted content. Several factors have made ACTA controversial. First, it has been negotiated amongst the parties outside of established multinational organizations in order to keep its terms secret. This secrecy has been justified by the US and Japan as a matter of national security. Repeated leaks have raised concerns about elements of the treaty that call for border searches of laptops, mandatory banning of users from the Internet, enhanced fines and criminal penalties. Another controversial factor in the treaty is that ACTA negotiations have excluded infringement-producing countries such as China, India, Russia and Pakistan. The penalties and rules are therefore targeted at punishing users in content-producing countries in order to dry up demand (parallels could be made to the drug war strategy). Finally, numerous concerns have been raised about surveillance and human rights.

A signing ceremony was held on October 1, 2011 in Tokyo, at which the United States, Canada, Australia, Japan, New Zealand, Morocco, Singapore, and South Korea signed the treaty. The European Union, Mexico, and Switzerland did not sign the treaty, but attended the ceremony and indicated their intent to sign the treaty in the near future.

Consistent with the history of the treaty, its ratification into US law is now clouded in controversy.  The USTR has claimed that ACTA is consistent with current U.S. copyright, patent, and trademark laws, and therefore it “does not require the enactment of implementing legislation.”   The USTR further stated that “The United States may therefore enter into and carry out the requirements of the Agreement under existing legal authority, just as it has done with other trade agreements.”  This claim that the Act does not require ratification has not been well received.  Critics have voiced concerns that the ACTA is not consistent with U.S. law and that the president does not have the proper authority to bind the U.S. to the agreement without congressional ratification.  Senator Ron Wyden (D-Ore.) has stated that “if the USTR ratifies ACTA without Congress’ consent it may be circumventing Congress’s Constitutional authority to regulate international commerce and protect intellectual property.”  Time will tell what will happen.



Facebook faces suits for tracking logged out users.

On October 9, 2011, in Litigation, Social Networking, United States, by Jorge Espinosa

It has been a busy legal week for Facebook. Three separate suits were filed against the social media giant alleging that the company violated United States wiretap laws and state consumer protection laws by tracking users’ web browsing even when they were not logged into Facebook. The suits were filed in Texas, Kansas and Illinois by three different Facebook users. Together with two suits filed the week before in California, this brings the total number of suits filed against Facebook for its tracking activity to five.

Information about Facebook’s tracking activities was first disclosed last month when Australian developer Nic Cubrilovic reported that Facebook was able to track when users visited non-Facebook sites. Facebook accomplished this with cookies, the “like” button and other social widgets. As a result of this report, several consumer privacy groups, including the Electronic Privacy Information Center, the American Civil Liberties Union, Consumer Action, the American Library Association, and the Center for Digital Democracy, requested that the Federal Trade Commission (“FTC”) launch an investigation.

The Kansas suit seeks treatment as a class action, which would bring into the suit a wide array of users. If any of these suits succeed, Facebook could face damages of thousands of dollars per violation together with a permanent injunction against such future conduct.

How can you protect yourself from being tracked? Find out how to locate cookies on your browser. Then delete any cookies from Facebook. Some add-ons to browsers such as Firefox or Chrome allow you to block cookies or even to surf the web “incognito,” which saves no cookies from the session.

Microsoft may disclose your cloud data to the government and may transfer it across borders and may not tell you if it does.

On June 30, 2011, in Cloud Computing, Europe, Privacy, United States, by Jorge Espinosa

On June 28, 2011, at the launch of Office 365, the new cloud-based version of its well-known office tools, Microsoft stated that data that you store on the cloud is subject to scrutiny by the US government even when it is stored overseas. ZDNet reporter Zack Whittaker reported that, when asked if Microsoft could guarantee that data stored in the European Union would not leave the European Economic Area, Gordon Frazer, managing director of Microsoft UK, explained that it could not. Because Microsoft is a US-based company it has to comply with US laws and would be forced to disclose data to the US government if required to do so under the Patriot Act. When asked if customers would be notified of a government-ordered disclosure, he said that neither Microsoft nor any other company can provide such a guarantee. Gagging orders, injunctions and U.S. National Security Letters can prohibit disclosure of information requests to the owners of the information.

These public admissions are consistent with similar admissions previously made by Microsoft in a white paper detailing Office 365 security which states:

In a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft or others (including the enforcement of agreements or policies governing the use of the service).

Accordingly, if a governmental entity approaches Microsoft Online Services directly for information hosted on behalf of our customers, [Microsoft] will try in the first instance to redirect the entity to the customer to afford it the opportunity to determine how to respond.  …and will use commercially reasonable efforts to notify the enterprise customer in advance of any production unless legally prohibited.

In addition to the insecurity that this language creates for European users who, by using the service, may be exposed to US government scrutiny, it also brings into question the legality of US-run cloud services in Europe. European data security directives prohibit removal of data from Europe without the data owner’s consent. Microsoft did not explain how it reconciles its obligations under US and European law.

Microsoft’s own white paper increases concern about the extraterritorial transfer of data:

As a general rule, customer data will not be transferred to data-centers outside that region. There are, however, some limited circumstances where customer data might be accessed by Microsoft personnel or subcontractors from outside the specified region (e.g., for technical support, troubleshooting, or in response to a valid legal subpoena)

This language creates concerns not only for European customers of the Office 365 service but also for US customers concerned with running afoul of export controls which might hold them strictly liable for foreign transfer of certain technical information.

While some readers may shrug off the disclosure requirement assuming that laws such as the Patriot Act are limited in use to terrorist investigations, it is important to understand that nothing restricts the scope of information obtained under the act or the transfer of information gained to other government agencies.  In fact, the government has repeatedly refused to disclose how it feels that it can use the Patriot Act and where there has been disclosure, the interpretation has been expansive.

So what do these disclosures suggest for users of cloud services? For one thing, it is likely that European users will shy away from accessing cloud services provided by US companies. We are also likely to eventually see litigation reconciling European Union data rules against compelled disclosure under national security laws such as the Patriot Act. Finally, companies that are subject to export control compliance would be wise to shy away from cloud services and instead opt for restricted hosting services where they can assure no foreign access to their data.


FBI seizes servers and knocks out service to numerous companies

On June 22, 2011, in Cloud Computing, Law enforcement, United States, by Jorge Espinosa

Your cloud data may be relatively protected from disasters such as floods, storms and earthquakes.  However, it has no protection from the overreaching hand of law enforcement.

Early yesterday morning the FBI raided an Internet hosting facility in Reston, Va., and seized several of its servers. The facility is owned by DigitalOne, a company based in Switzerland. The raid and seizure seem to be related to the FBI’s search for a wanted hacking organization, Lulz Security Group (“LulzSec”). LulzSec is associated with a series of Internet denial of service attacks against the CIA and other government agencies. At the same time that the Virginia raids were taking place, Scotland Yard arrested Ryan Cleary in the United Kingdom for alleged involvement with the organization.

Although the FBI was only interested in one of DigitalOne’s clients, whose data was hosted on one of the seized servers and who may have had ties to LulzSec, various servers were seized, thereby shutting down access for “tens of clients” who also maintained data on the server. In an email to a client, published by the New York Times, DigitalOne’s chief executive, Sergej Ostroumow, said that in the “night FBI has taken three enclosures with equipment plugged into them, possibly including your server. . . . After FBI’s unprofessional ‘work’ we can not restart our own servers, that’s why our website is offline and support doesn’t work.” The New York Times reported that Mr Ostroumow said DigitalOne had provided the FBI with details of how to find servers linked to an IP address they were investigating, but agents also seized unrelated equipment. The DigitalOne website was still not accessible this morning, a day after the raid.

This seizure is reminiscent of a raid undertaken by the FBI in 2009 where it seized servers belonging to Core IP Networks in Dallas, Texas. In the 2009 raid the FBI was investigating two companies who had allegedly defrauded AT&T and other telecom companies of service fees. The seizure of the servers effectively shut down dozens of companies. One company in particular, Liquid Motors, a provider of data services for car dealerships, was effectively shut down by the raid. A legal suit for return of the servers filed by Core IP Networks before the U.S. District Court for the Northern District of Texas failed when the Court found that there was probable cause that the servers had served as an instrumentality of a crime.


Miami Lakes politicians can also fall afoul of the law by social networking

On May 30, 2011, in Cloud Computing, Social Networking, United States, by Jorge Espinosa

The Miami New Times, a weekly paper local to South Florida, reported today that a resident of the city of Miami Lakes, Florida, has accused two of the city’s councilmen of using Facebook to circumvent Florida’s Sunshine Law. The Sunshine Law is a Florida state law which requires that political communications regarding public matters be transparent and public.

Councilman Nelson Hernandez is the sponsor of a measure to prohibit council members and the mayor from serving on citizen committees. A week before the council vote on the measure, Hernandez sent a request to his Facebook friends, including councilman Richard Pulido, that they contact a swing vote on the council to urge her to vote in support. Pulido in return posted a comment on Hernandez’s Facebook page indicating that he supported the measure. This could be construed as a communication regarding an upcoming vote between members of the board, which could violate the Florida Sunshine Laws.

According to the article, the resident who reported the allegedly improper communication has asked state public corruption prosecutor Joe Centorino to investigate Hernandez and Pulido.  Considering the number of politicians who presently appear on Facebook, we can expect more such incidents in the future.


Facebook’s secret campaign against Google

On May 12, 2011, in Defamation, Social Networking, United States, by Jorge Espinosa

Common sense dictates that you have to read opinions on social networking sites with a critical eye and more than a bit of skepticism. However, this week we got a rare look beneath the skirt at how social networking sites are used to manipulate opinions by high priced marketing firms.

Rumors circulated on the Internet over the past few days that an unknown principal had hired Burson-Marsteller, a top public-relations firm, to plant opinions and blog articles online attacking Google’s respect of privacy. USA Today learned of the story and disclosed the campaign in an article which speculated as to the identity of the unknown principal.

The plan seems to have unravelled when a blogger approached by Burson rejected their offer and instead disclosed the e-mails describing the plot. In a May 3 e-mail to Christopher Soghoian, a blogger and former FTC researcher, Burson’s John Mercurio offered to ghost write a blog story attacking Google’s data collection policies for Soghoian. Mercurio would then help Soghoian get it published as an op-ed piece in The Washington Post, Politico, The Hill, Roll Call and The Huffington Post.

Today the principal behind Burson’s campaign was revealed by Dan Lyons of The Daily Beast. It was none other than Facebook. According to the Lyons article, a Facebook spokesman confronted with evidence confirmed that Facebook had hired Burson-Marsteller and defended the manipulation of the social blogging for two reasons:

First, because [Facebook] believes Google is doing some things in social networking that raise privacy concerns; second, and perhaps more important, because Facebook resents Google’s attempts to use Facebook data in its own social-networking service.

At least some of the driving passion behind Facebook’s secret campaign seems to be a new Google service which pulls personal information from Facebook and other sources to create circles of friends which can be accessed through one’s Gmail account. The May 3 e-mail describes this new service as follows:

Unfortunately the ink was barely dry on the settlement before Google rolled out its latest tool designed to scrape private data and build deeply personal dossiers on millions of users – in a direct and flagrant violation of its agreement with the FTC.

Interestingly, this news breaks at a time that the blogs and news sources are filled with stories about Facebook’s large number of members who are unsupervised minors.

So what is the reader to make of this? How many other articles on blogs and on-line news sites are manipulated by marketing firms? How can you trust any content when the social networking sites themselves are trying to manipulate news? Only one thing is certain: question what you read, read both sides and double check all sources.

What if your online persona disappeared?

On May 10, 2011, in Social Networking, United States, by Jorge Espinosa

You have invested hours into developing your on-line persona. Your blog has dozens of links and hundreds of followers. Your Facebook page is tied to hundreds of friends. Your Twitter account has a thousand followers. However, how secure are you in your on-line persona? What rights do you have to this identity?

Before you develop a false sense of permanency in this illusory world, read the terms of service. You may be very surprised by how few rights you have. This is what Danah Boyd learned when she woke up to find her Tumblr blog gone and another company using her blog name at the same address. She says on her new blog:

All are moved to a new URL, breaking everyone’s links to content that I had on the site and giving me no choice in this process. And a company who also uses the name zephoria is now posting at that Tumblr page (and seems to have been for the last two days). Tumblr did not notify me. And while their ToS [Terms of Service] says that they will, it also says that Tumblr “reserves the right to remove any Subscriber Content from the Site, suspend or terminate Subscriber’s right to use the Services at any time…”

Danah suspects that another company claimed a trademark right to the name she used and Tumblr, without giving her notice or a right to dispute the claim, transferred the account.

If your handle, blog name, images and other online content are important to you, consider traditional forms of protection such as trademarks and copyrights. The more valuable your on-line persona becomes, the more you need to consider taking steps to protect it, and read the terms of service.

The end of digital downloading copyright suits?

On May 4, 2011, in Copyright, File sharing, Litigation, Privacy, United States, by Jorge Espinosa

Every month across the United States large media companies or business associations file dozens of lawsuits accusing individuals of copyright infringement based solely on claims that film or music files were downloaded to their IP-address. An IP-address is a unique number associated with a particular online account. Over the last few years tens of thousands of suits have been filed on similar grounds, many resulting in settlements of thousands of dollars. Often the individual defendants are forced into such settlements by fear of statutory damages and costs of litigation even where they feel that they were wrongly accused. As a result, many commentators have referred to these lawsuits as unfair and a legal shakedown.

A new decision issued on April 29, 2011, by a judge in the Eastern District of Illinois brings into question the future of such suits. In VPR Internationale v. Does 1-1017 (2:2011-cv-02068), Judge Harold A. Baker denied a Canadian adult film company’s request to subpoena ISPs for the personal information connected to the IP-addresses of their subscribers. The court reasoned that since IP-addresses do not equal persons, no defendants had been identified in the suit and there was no adversarial process. Since, under Federal Rule of Civil Procedure 26(d)(1), no discovery may be conducted before the parties to the suit have conferred absent special leave from the court, the judge reasoned that VPR could not go on an ex-parte fishing expedition.

The Court’s concern clearly went beyond the mere procedural issue.  Judge Baker cited a recent child porn case where the U.S. authorities raided the wrong people, because the real offenders were piggybacking on their Wi-Fi connections. The judge noted that, based on this example, defendants in VPR’s case may have nothing to do with the alleged offense either.  “The infringer might be the subscriber, someone in the subscriber’s household, a visitor with her laptop, a neighbor, or someone parked on the street at any given moment.”

The fact that the suit involved the downloading of adult content was a significant factor in the case.  Judge Baker noted that “the embarrassment of public exposure might be too great, the legal system too daunting and expensive, for some to ask whether the plaintiff VPR has competent evidence to prove its case.”

Baker concludes by citing another case for the proposition that until at least one defendant is served the Court lacks personal jurisdiction over anyone.  The Court would not support a “fishing expedition” for subscriber information under the circumstances.

VPR responded to the initial denial of the subpoenas by asking for certification of the following question for interlocutory appeal:

Defendants’ identities are unknown to the Plaintiff. Instead, each Defendant is associated with an Internet Protocol (IP) address. Internet Service Providers (ISPs) know identity and contact information associated with each IP address. Is the Plaintiff entitled to discover this information by serving ISPs with subpoenas duces tecum under Fed. R. Civ. P. 45?

The Court refused to certify the question.  We will have to wait to see if other courts follow this decision.