"Fair Use" of Copyrighted Works Contributed $4.7 Trillion to U.S. Economy in 2007, Reports CCIA

This week, the Computer & Communications Industry Association (CCIA) released the report Fair Use in the U.S. Economy (.pdf) concluding that industries that rely on the "fair use" exception in copyright law contributed $4.7 trillion or 16% of the  U.S. gross domestic product in 2007, growing faster than the other sectors of the U.S. economy.  The report credits the fair use of copyrighted works for the success of search engines, software developers and a number of other "new economy" industries.

The Fair Use Doctrine is derived from Section 107 of the Copyright Act, which reads:

[T]he fair use of a copyrighted work . . . for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.

The CCIA Report examines industries that benefit from the Fair Use Doctrine, particularly Internet search engines, software developers and the makers of music and media players, and concludes that "exceptions to copyright protection . . . promote innovation and are a major catalyst of U.S. economic growth."  The report cautions that these findings do not necessarily call for scaling back copyright protections:

Certainly, copyright protection provides an incentive for the production of creative works and these works have a positive impact on the U.S. economy.  The positive aspects of copyright protection should not, however, obscure that fair use is also a vital economic driver.

The CCIA report does not explain in detail what "fair use" helped drive the growth of MP3 players, but everyone should keep in mind that, as far as current caselaw is concerned, we still need to pay for songs downloaded from iTunes. 

Incident of the Week: "Huge Social Networker" Indicted For Threatening Spam Email Campaign Against New York Life

Yesterday, a federal grand jury in New York issued an indictment (.pdf) against Anthony Digati based on his threats to use spam email and the www.newyorklifeproducts.com domain to drag New York Life Insurance Company "through the muddiest waters imaginable."  Both the U.S. Attorney's Office press release (.pdf) and the FBI press release announced the indictment. 

Digati was arrested on March 8, 2010 for violations of 18 U.S.C. Sec. 875(d), which prohibits extortionate communications "containing any threat to injure the property or reputation of the addressee."

The resident of Chino, California, was a former agent and manager at New York Life, but the relationship apparently soured after Digati purchased a variable universal life insurance policy.  When Digati was disappointed by the financial returns on his investment, he began to demand a refund of the $49,576 in premiums he had paid. These demands apparently escalated to around $200,000 and then $3 million.

When his demands were denied, Digati allegedly registered the www.newyorklifeproducts.com domain and threatened to use the site, along with his presence on social networking sites and spam email sent to millions of potential customers to smear New York Life.  The indictment provides some colorful excerpts from Digati's threats, including:

At this point, you're probably asking yourselves why should I even listen to this crazy fool, what can he do and why should I pay him.  NUISANCE VALUE is why, I am going to cause you millions of dollars in lost revenue, good faith and general trust in your company.

I have 6 MILLION emails going out to couples with children age 25-40, this email campaign is ordered and paid for.  2 million go out on the 8th and every two days 2 million more for three weeks rotating the list.  Of course it is spam, I hired a spam service, I could care less, The damge [sic] will be done.

I am huge social networker, and I am highly experienced.  200,000 people will be directly contacted by me through social networks, slamming your integrity and directing them to this website within days.

New York Life turned Digati's emails over to the FBI, which investigated and ultimately arrested him in California.  Digati faces a maximum sentence of 2 years in prison and a $250,000 fine.

New Google Tool Maps Government Requests For Users' Personal Information

This week Google rolled out its Government Requests tool that quantifies the number of government requests it receives from various countries around the world.  The move was announced by David Drummond, Google's Chief Legal Officer on Tuesday on the official Google blog.  In his post, Drummond stated:

So it's no surprise that Google, like other technology and telecommunications companies, regularly receives demands from government agencies to remove content from our services. Of course many of these requests are entirely legitimate, such as requests for the removal of child pornography. We also regularly receive requests from law enforcement agencies to hand over private user data. Again, the vast majority of these requests are valid and the information needed is for legitimate criminal investigations. However, data about these activities historically has not been broadly available. We believe that greater transparency will lead to less censorship.

The issue has been somewhat controversial in the wake of the expansion of government requests in recent years.  The Google Tool maps the number of data requests and removal requests that Google received between July 1, 2009 and December 31, 2009.  Google indicates that it will be updating this data every six months.

Regulators Provide Online Privacy Notice Builder to Help Financial Institutions Comply with Gramm Leach Bliley Act

Last week a number of federal regulatory agencies rolled out an online privacy notice builder for financial institutions subject to one or more of the Gramm Leach Bliley Act (GLBA) regulations.  The agencies involved include the Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), Board of Governors of the Federal Reserve System (FRB), Office of Thrift Supervision (OTS), the National Credit Union Administration (NCUA) and the Commodity Futures Trading Commission (CFTC).

The GLBA regulations issued by these agencies require financial institutions to provide initial and annual privacy notices to customers.  On December 1, 2009, the agencies adopted a Model Form (.pdf) based on lengthy quantitative testing and research to provide financial institutions with a safe harbor for compliance with the privacy notice requirement.  Financial institutions are still free to draft their own privacy notices, but are responsible for making sure that their own notices contain all the required elements.

The online form builder consists of a linked set of instructions (.pdf) that leads financial institutions to one of four forms, selected depending on whether the company is providing customers with a right to opt out or elects to allow affiliate marketing.

GLBA Privacy Notice Forms:


Incident of the Week: NSA Officer Indicted For Emailing Classified Documents to Reporter

On Wednesday, a federal grand jury in Maryland indicted Thomas A. Drake, a former employee of the National Security Agency (NSA), on charges that he emailed classified NSA documents and information to Siobhan Gorman, then a reporter for the Baltimore Sun.  Drake worked for the NSA first as a contractor and then as a high-level employee in the NSA's Signals Intelligence Directorate between 1991 and 2008, when he resigned following the suspension of his security clearance.

The 14-page indictment (.pdf) alleges that in 2005 Drake received Gorman's contact information from "Person A," an unnamed congressional staffer who had a "close, emotional friendship" with Drake.  Drake allegedly obtained an anonymous email account with Hushmail and contacted Gorman to "volunteer[ ] to disclose information about NSA."

After Gorman obtained her own Hushmail account, Drake allegedly emailed her hundreds of times with information about the NSA and its Signals Intelligence (SIGINT) activities.  Drake is also accused of smuggling classified documents out of the NSA, including his own handwritten notes, and doctoring documents so he could provide them to Gorman without the markings that identified the information as classified.  Based on these emails, Gorman published a series of articles between 2006 and 2007 that federal prosecutors claim contain classified information.  Drake is charged with violations of the Espionage Act, as well as lying to FBI agents, destroying evidence and obstructing the investigation of his activities.

In its press release on Thursday, the U.S. Department of Justice stated that:

As alleged, this defendant used a secret, non-government e-mail account to transmit classified and unclassified information that he was not authorized to possess or disclose. As if those allegations are not serious enough, he also allegedly later shredded documents and lied about his conduct to federal agents in order to obstruct their investigation.

The federal public defender representing Drake, James Wyda, told the New York Times that “Mr. Drake loves his country.  We look forward to addressing these matters in a public courtroom.”

Hushmail is an encrypted email service that allows users a certain level of anonymity.  Hushmail's website states:

Hushmail can protect you against eavesdropping, government surveillance, unauthorized content analysis, identity theft and email forgery. But using Hushmail does not put you above the law.

and

We are committed to the privacy of our users, and will absolutely not release user data without an order that is legally enforceable under the laws of British Columbia, Canada, which is the jurisdiction where our servers are located.

From the face of the indictment in the Drake case, it appears that the FBI and federal prosecutors managed to obtain a court order in Canada for the release of Drake's email archives.

Cracking Down: FINRA Fines Blackmailed Brokerage Firm $375,000 for Violation of Reg S-P

On Monday, the Financial Industry Regulatory Authority (FINRA) announced that brokerage firm D.A. Davidson & Co. had consented to the imposition of a $375,000 fine for lax security measures that allowed hackers working for an "international crime group" to obtain personal information on thousands of customers. 

The breach itself occurred in December 2007 when hackers used a "SQL injection" attack to obtain data on over 100,000 of Davidson's customers from the firm's online account system.  (FINRA's announcement alleges that the breach affected 192,000 customers, but court filings and the hackers' own claims put the number as high as 300,000.)  Davidson remained unaware of the breach until January 2008, when it received an email from Robert Borko, an Eastern European man, who demanded that Davidson pay him $80,000 for the return of the data and a "security consultation."  Borko suggested in broken English that Davidson did "not want to involve FBI here and we can have agreement like businesman.”

Davidson instead worked with the U.S. Secret Service to snare the hackers / "security consultants" behind the breach.  Ultimately, this led to the indictment of not only Borko, but also Aleksandrs Hoholko, Jevgenijs Kuzmenko and Vitalkijs Drozdovs, three Latvian men who attempted to pick up Davidson's blackmail payment at a Western Union in the Netherlands.  Hoholko, Kuzmenko and Drozdovs were arrested in February 2008 by the Netherlands High Tech Crime Unit and extradited to the United States, where they have pled guilty to extortion charges.  [These and other colorful details of the breach and blackmail attempt can be pulled from the filings in the criminal case against the Latvian men, including the defendants' motion to dismiss (.pdf) and the government's response (.pdf).]

Davidson spent $1.3 million on credit monitoring for its customers and settled a class action last year by agreeing to pay up to $1 million for any harm to its customers [see the Davidson settlement site].  At present, Davidson reports that no customer has been the victim of identity theft as a result of the intrusion.

According to the FINRA press release and the parties' April 9, 2010 letter of consent (.pdf), FINRA claims that Davidson failed to adopt the minimum security measures required by Regulation S-P, when it made its customer database available over the Internet.  In particular, FINRA found that Davidson violated Reg S-P because the firm:

  • did not encrypt the customer database;
  • did not review web server logs, which identified the SQL injection attacks;
  • did not regularly review perimeter security logs (even though "the attacks were not visible on those logs");
  • did not have any written procedures in place for the review of web server logs;
  • did not have an intrusion detection system in place; and
  • did not have any written procedures "setting forth an information security program designed to respond to intrusions."

FINRA specifically found it compelling that Davidson had retained independent security consultants in 2006 and 2007 and implemented the majority of the consultants' recommendations, but had failed to put in place the recommended intrusion detection system.  Even without the system, the security consultants were apparently unable to breach Davidson's security.

Regulated broker-dealers and other financial institutions subject to Regulation S-P or other Gramm Leach Bliley Act (GLBA) regulations, including the FTC's Safeguards Rule, should take note of the alleged violations in this case.  Regulated entities with online customer accounts should consider whether they have implemented intrusion detection systems, routinely monitor web server logs, and have adopted written incident response procedures.
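Two of the FINRA findings above, the unreviewed web server logs and the missing intrusion detection system, come down to the same control: somebody, or something, has to read the access log and raise a flag when request parameters carry SQL syntax instead of an account number. The script below is an added illustration, not code from the FINRA matter or from Davidson; it parses a handful of constructed Apache "combined" format log lines (the IPs, paths and timestamps are made up for the example), URL-decodes every query parameter, and reports requests whose values match a small set of injection indicators. The indicator list, the endpoint names and the `scan_log` / `summarize` helpers are all assumptions of this example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access log (Apache/nginx "combined" format); not real traffic.
# Lines 2 and 3 carry classic injection syntax in the `id` parameter; line 4 is a
# legitimate apostrophe that a naive "contains a quote" rule would misfire on.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2007:02:14:07 -0700] "GET /account/view?id=1042 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2007:02:14:09 -0700] "GET /account/view?id=1042%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 88231 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2007:02:15:31 -0700] "GET /account/view?id=1042%27%20UNION%20SELECT%20ssn%2Cname%20FROM%20customers-- HTTP/1.1" 500 412 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Dec/2007:02:16:02 -0700] "GET /search?q=o%27reilly HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicator patterns applied to each decoded parameter value (assumed, example-only list).
# Each is a (label, regex) pair; a value may match more than one.
INDICATORS = [
    ("tautology", re.compile(r"'\s*(or|and)\s+'?\w*'?\s*=\s*'?\w*'?", re.I)),
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*)")),
    ("stacked-query", re.compile(r";\s*(drop|delete|insert|update|exec)\b", re.I)),
]


def decode_params(target):
    """Return (name, value) pairs from the request target's query string.

    parse_qsl already percent-decodes once; a second pass is applied only to
    values that still contain '%' so double-encoded payloads are not missed.
    """
    query = urlsplit(target).query
    pairs = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if "%" in value:
            value = unquote_plus(value)
        pairs.append((name, value))
    return pairs


def scan_line(line):
    """Parse one log line; return a finding dict if any parameter matches, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = []
    for name, value in decode_params(m["target"]):
        matched = [label for label, rx in INDICATORS if rx.search(value)]
        if matched:
            hits.append((name, value, matched))
    if not hits:
        return None
    return {
        "ip": m["ip"],
        "time": m["time"],
        "path": urlsplit(m["target"]).path,
        "status": int(m["status"]),
        "hits": hits,
    }


def scan_log(text):
    """Scan every line of a log and return the list of findings in log order."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


def summarize(findings):
    """Count flagged requests per source IP, the first thing an analyst wants to see."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        for name, value, labels in f["hits"]:
            print(f'{f["time"]} {f["ip"]} {f["path"]} status={f["status"]} '
                  f'param={name!r} value={value!r} indicators={labels}')
    print("flagged requests per IP:", summarize(results))
```

Run against the sample, the script flags the two requests from the first two source addresses and leaves the `o'reilly` search alone, which is the point of matching on SQL grammar rather than on a bare quote. A real deployment would feed the access log to this kind of check continuously (or to an IDS/WAF that does the same thing) and, as the FINRA findings suggest, pair it with a written procedure saying who reviews the output and what happens when a line is flagged.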

One Million Impacted by Blue Cross Blue Shield of Tennessee Data Breach: How Do You Remediate on that Scale?

Blue Cross Blue Shield of Tennessee announced last week that nearly 1 million of its members have been affected by the theft of hard drives containing unencrypted personal data.  BCBSTN had previously announced in January that 1.6 million files with unencrypted personal and protected health information of about 500,000 members in 32 states were breached in October 2009, due to a theft of 58 hard drives.

While the breach itself is significant for its size, the subsequent remediation efforts are also worthy of note.  As of April 2, a total of 998,422 current and former BCBSTN members have been identified and 550,873 notifications have been sent indicating that their personal information was included on the stolen hard drives.

BCBSTN has published a detailed analysis that explains how it has gone about remediating the breach.  The affected individuals have been broken into tiers. There are 238,589 members in the Tier 3 category – who had the most data on the stolen hard drives (their name, address, Blue Cross member ID number, diagnosis, Social Security number and/or date of birth).  Those in Tier 3 have been sent a notification detailing the services available to them through BCBSTN. They will receive free credit monitoring for one year, free identity monitoring and access to the Kroll ID TheftSmart program free for one year. 

Another 312,284 current and former members fell into the Tier 2 category (they had their name, address, Blue Cross member ID number, date of birth and/or diagnosis on the hard drives).  An additional 447,549 current and former members were placed in the "lowest" category – Tier 1 -- for having their name, address, Blue Cross member ID number and/or date of birth on the hard drives.  Those current and former members in Tiers 1 and 2 will receive access to the Kroll ID TheftSmart program free for one year.

Is the Rejection of Security Advice by Users Really Rational? A Response to Cormac Herley

In the April 11, 2010, Boston Globe, there is an extended discussion of an article by Cormac Herley of Microsoft entitled, "So Long, And No Thanks for the Externalities:  The Rational Rejection of Security Advice by Users."  In his paper, Mr. Herley argues thoughtfully that compliance with even simple security measures, like changing your passwords, is so time-consuming that it is not worth the effort for most users.

This is an interesting argument and article (although it is a mite technical), as it poses an argument worthy of real consideration.  There is no dispute that security measures decrease productivity to some extent.  The questions that need to be asked are how much security actually impairs productivity, and whether the cost in lost productivity is less than the cost of an actual security breach.

As Mr. Herley suggests, the answers to this question are difficult, because of "externalities" -- economic costs that are visited on some people by the actions of others.   His solution is not simply to reject security measures, but to analyze them and determine what works and what does not, so that it is easier to determine what measures are worth users' time and what measures do not pay off.  In Mr. Herley's words, "security advice that has compelling cost-benefit trade-offs has a real chance of user adoption."  This trade-off analysis is a worthy exercise for any individual and for any organization.

Albert Gonzalez Gets 20 Years for TJX / Heartland Breaches

Last week was a tough week for Albert Gonzalez, the so-called "leader of the largest hacking and identity theft ring ever prosecuted by the U.S. government."  Gonzalez received a sentence of 20 years of imprisonment in two separate federal cases against him.  The hacker, known variously as "segvec," "soupnazi" and "j4guar17" pled guilty in the New Jersey and Massachusetts cases for his role as mastermind of the two largest financial data breaches ever, those involving TJX and Heartland Payment Systems. 

The federal court sentencing entries state that after Gonzalez serves his 240-month sentence, he will be subject to 3 years of supervised release, fines and substantial restitution, to be determined at hearings scheduled in June.  The Department of Justice press release (.pdf) details some of Gonzalez's activities, which included:

  • Wardriving: "driving around in a car with a laptop computer looking for unsecure wireless computer networks of retailers."
  • Installation of sniffer programs to capture credit and debit card numbers used at retail stores.
  • Selling credit and debit card numbers to others for fraudulent use.

The DOJ press release also indicates that while six of Gonzalez's co-conspirators have been captured (as far away as in Germany and Turkey), Gonzalez's activities may have compromised "tens of millions of credit and debit card numbers, affecting more than 250 financial institutions."

In January, we posted details from the debate during Gonzalez's sentencing, including his claim that he suffered from "internet addiction."  At that time, Gonzalez's attorneys requested a sentence of 15 years for his crimes.