Archive for Legal

Apple Seeking to Patent Spyware

The Electronic Frontier Foundation (EFF) is reporting that Apple, Inc. (NASDAQ: AAPL) has filed a patent application for “Systems and Methods for Identifying Unauthorized Users of an Electronic Device.” The patent is for a device to investigate a user’s identity to decide if that user is “unauthorized.” Here’s a sample of the kinds of information Apple plans to collect:

  • The system can take a picture of the user’s face, “without a flash, any noise, or any indication that a picture is being taken to prevent the current user from knowing he is being photographed”;
  • The system can record the user’s voice, whether or not a phone call is even being made;
  • The system can determine the user’s unique individual heartbeat “signature”;
  • To determine if the device has been hacked, the device can watch for “a sudden increase in memory usage of the electronic device”;
  • The user’s “Internet activity can be monitored or any communication packets that are served to the electronic device can be recorded”; and
  • The device can take a photograph of the surrounding location to find where it is being used.

The EFF believes that as a result of this new technology, Apple will know who you are, where you are, and what you are doing and saying, and even how fast your heart is beating. In some embodiments of Apple’s “invention,” this information “can be gathered every time the electronic device is turned on, unlocked, or used.” When an “unauthorized use” is detected, Apple can contact a “responsible party.” A “responsible party” may be the device’s owner or, as the EFF points out, the responsible party may also be “proper authorities or the police.” Once an unauthorized user is identified, Apple could wipe the device and remotely store the user’s “sensitive data.” Apple’s patent application suggests it may use the technology not just to limit “unauthorized” uses of its phones but also to shut down a stolen phone.

However, the EFF says Apple’s new technology would do much more. The EFF believes that this patented device enables Apple to secretly collect, store and potentially use sensitive biometric information about the user. This is dangerous in two ways according to the EFF:

  1. It is far more than what is needed just to protect you against a lost or stolen phone. It’s extremely privacy-invasive and it puts you at great risk if Apple’s data on you are compromised. But it’s not only the biometric data that are a concern.
  2. Apple does not explain what it will do with all of this collected information on its users, how long it will keep this information, how it will use this information, or if it will share this information with other third parties. We know based on long experience that if Apple collects this information, law enforcement will come for it, and may even order Apple to turn it on for reasons other than simply returning a lost phone to its owner.
  3. Apple’s technology includes various types of usage monitoring — also very privacy-invasive. This patented process could be used to retaliate against users who jailbreak or tinker with their device in ways that Apple views as “unauthorized” even if it is perfectly legal under copyright law.

rb-

The EFF says this is a new business opportunity: spyware and what they are calling “traitorware.” The patent would allow Apple to find and punish users who tinker with their devices. The EFF says it’s not just spyware, it’s “traitorware,” since it is designed to allow Apple to retaliate against customers who do something Apple doesn’t like.

This patent is downright creepy and invasive — certainly far more than would be needed to respond to the possible loss of a phone. Spyware, and its new cousin traitorware, will hurt customers and companies alike — Apple should shelve this idea before it backfires on both it and its customers.

Update Email Policy

A court case coming out of New Jersey could impact most firms’ privacy and security practices, according to an article on DarkReading. The New Jersey Supreme Court recently ruled in Stengart v. Loving Care Agency, Inc., 408 N.J.Super. 54, 973 A.2d 390 (Superior Ct., A.D. 2009) that an employer cannot read email messages sent via a third-party email service provider, even if the emails are accessed during work hours from a company PC.

The court found the company’s policy on email use to be vague, noting it allows “occasional personal use.” “The policy does not address personal accounts at all,” the decision said. “The policy does not warn employees that the contents of such emails are stored on a hard drive and can be forensically retrieved.”

The ruling, written by Chief Justice Stuart Rabner, states in part that the employee could “reasonably expect that emails she exchanged with her attorney on her personal, password-protected, Web-based email account, accessed on a company laptop, would remain private.” Rabner continues that the employee “plainly took steps to protect the privacy of those emails and shield them from her employer.” “She used a personal, password protected email account instead of her company email address and did not save the account’s password on her computer.”

The law firm of Jackson Lewis provides a legal overview of the case on its blog, The Workplace Privacy Data Management and Security Report, and recommends that employers consider modifying their existing electronic communication policies to include:

  • Clear notice that personal, web-based emails accessed using company networks and stored on company networks or company computers can be monitored and reviewed by the company (of course, care should be taken here to avoid concerns under the Electronic Communications Privacy Act and the Stored Communications Act);
  • Definitions of the specific technologies and devices to which the policies apply;
  • Warnings that web-based, personal e-mail can be stored on the hard-drive of a computer and forensically accessed;
  • No ambiguities about personal use.

Rb-

I am no lawyer; be sure to consult your attorney about this and all legal issues. In my opinion, this ruling is new law-making. The new laws are currently applicable only in New Jersey. However, unless the U.S. Supreme Court overturns this new law, it will be the starting point for all other litigation. Firms should begin reviewing and updating their technology policies to protect themselves from this new law.

An interpretation of the ruling suggests that employees have to be specifically warned that it is possible to forensically retrieve data from the firm’s computers. In this ruling, the Court found, “the Policy does not warn that the contents of personal, web-based e-mails are stored on a hard drive and can be forensically retrieved and read.”

Sounds like another shot in the arm for the content filtering firms.

Taxman Still Coming

Updated 04-13-2010: It is being reported that the U.S. House has scheduled for April 15th consideration of the Taxpayer Assistance Act of 2010—a bill whose major provision would remove cell phones and similar telecommunications devices as listed property, effective for tax years beginning after 2009.

Ways and Means member John Lewis (D-GA) was expected to introduce the bill. It would include several individual taxpayer assistance measures. As offsets to the bill’s cost of $411 million, it would expand the bad-check penalty to electronic payments and increase information return penalties.

rb-

By 2013 mobile phones will overtake PCs as the most common Web access device worldwide according to Gartner forecasts. The IT research firm says the total number of PCs in use will reach 1.78 billion in 2013. By 2013, the combined installed base of smartphones and browser-equipped enhanced phones will exceed 1.82 billion units and will be greater than the installed base for PCs afterwards.

Despite these projections, the U.S. Internal Revenue Service (IRS) continues to treat mobile phones as a luxury. According to an article on Mobile Enterprise, since 1989 IRS regulations have identified the cellphone as “listed property.” Listed property is an item obtained for use in a business but designated by the Internal Revenue Code as lending itself easily to personal use. According to the IRS, “unless the employer has a policy requiring employees to keep records, or the employee does not keep records, the value of the use of the phone will be income to the employee.” The IRS goes on to say, “At a minimum, the employee should keep a record of each call and its business purpose. If calls are itemized on a monthly statement, they should be identifiable as personal or business, and the employee should retain any supporting evidence of the business calls. This information should be submitted to the employer, who must maintain these records to support the exclusion of the phone use from the employee’s wages.” On the other hand, if the phone is employee-owned, the IRS says “the listed property requirements do not apply. Any amounts the employer reimburses the employee for business use of the employee’s own phone may be excludable from wages if the employee accounts for the expense under the accountable plan rules.”

After proposing in June 2009 to tax up to one quarter of an employee’s use of a work cellphone, the IRS has since decided to let Congress handle the matter. IRS Commissioner Doug Shulman announced on January 8, 2010, that the IRS is now taking a “wait-and-see” attitude that leaves its current regulations in place until Congress passes new legislation. Shulman said on C-SPAN’s “Newsmaker” program: “We’re quite hopeful Congress is going to act on this. In the meantime, we’re not doing anything special or moving forward with any initiatives. Our hope is that there will be legislation to clean this up.” Senator John Kerry (D-MA) sponsored the Modernize Our Bookkeeping In the Law for Employees – Mobile Cell Phone Act of 2009 (S. 144/H.R. 690) to remove mobile devices from the listed property rule to exempt them from the tax. The House approved the bill during the last Congress, but it is still in committee in the current session.

The Cellular Telecommunications & Internet Association (CTIA) trade association welcomed the news. In a Jan. 11, 2010, prepared statement CTIA President Steve Largent said, “The existing rule is an anachronism and it can’t be saved simply by giving it a facelift. That’s why we are focused on continuing to secure congressional support for the Mobile Cell Phone Act, which enjoys broad bipartisan support on both sides of the Capitol. It is our hope that Congress act soon to help employers and employees alike by repealing this absurd, outdated rule.” According to CTIA, employees are still required to maintain logs detailing their business use on a mobile device. The IRS expects individuals to record the following items, according to the CTIA:

  1. the amount of such expense or other item
  2. the time and place of the use of the property
  3. the business purpose of the expense, and
  4. the business relationship to the taxpayer of the persons using the property.

The results of the stalled legislation have been predictable; the article cites the example of Rocky Mount, VA, which stopped issuing cellphones to employees. Town employees whose job requires 24×7 availability via cell phone are required to purchase their own phone and will be given a flat stipend for using the phone for work purposes. If employees do not keep careful records, despite paying for their own cellphones for business purposes they may not be able to claim the service as a business deduction. The article notes that “For a for-profit business, the designation of an item as ‘listed property’ has implications for depreciation deductions taken by the business and the computation of net income.”

To comply with existing tax rules, Thompson’s Employer’s Guide to Fringe Benefits Rules says employers must satisfy the onerous substantiation requirements by requiring annotated monthly statements from employees to support deductions and employee income exclusions, or they must treat the value of the benefits as wages for Federal employment tax purposes and report this value as wages on Forms W-2.

For practical reasons, Thompson says, some employers opt to reimburse employees for cell phone purchases on an after-tax basis to negate the employer’s ownership of the phones and the requisite fixed asset tracking that follows. Employers should also provide reimbursements of service and usage fees on an after-tax basis unless they collect annotated documentation from employees to substantiate the reimbursements. Employers should either collect all monthly statements from employees or, at a minimum, require employees to maintain those records to effectively respond if the IRS inquires into the claims.

What should a firm do if they provide employees with cellphones?

  1. Assess your existing policies for corporate-issued smartphones, and require employees to keep records of each call and its business purpose.
  2. Regularly audit smartphone records and require employees to reimburse the company for all personal use.
  3. Consider whether an individual-liable model for the cellphone users in your enterprise would work.
  4. Get involved and contact your Senator or Representative and tell them to update the IRS code.

Data Destruction Policy Suggestions

Humans have now created more digital information than we have the ability to store, according to EMC’s digital universe survey. ComputerWorld recently published an excellent article with a lawyer’s point of view regarding data destruction. Attorneys Mark Grossman, a tech lawyer and the founder of the Grossman Law Group, and Tate Stickles, a partner in the Grossman Law Group, provide some pointers for creating an effective data destruction policy.

Highlights of a data destruction policy according to the attorneys include:

  • Data destruction is intended to be permanent
  • Policies must be consistently enforced
  • The goal is to identify and classify what data the firm has and create effective policies for disposing of it
  • Legal and proper data destruction may prevent extensive fishing expeditions by your opponents
  • A regular business process addressing data destruction should provide some “safe harbor” protections under the Federal Rules of Evidence relating to electronic evidence
  • Have a data retention policy – A data destruction policy is the second part of your data retention policy which will help determine where data is stored and make it easier to delete old data
  • The general rule for the disposal of any data is that simple deletion and overwriting of data is not enough
    • When reusing media, wipe the old data, validate that the data is gone, and document the process; then the media can be reused
    • Media that leaves the control of the firm, whether discarded or resold to another party, requires additional processes, up to the physical destruction of the media
  • Obligations to take certain data destruction steps depend on the laws, rules, or regulations that regulate the firm:
    • Sarbanes-Oxley
    • Gramm-Leach-Bliley
    • the Fair and Accurate Credit Transactions Act
    • HIPAA
    • Check with your tech attorney who can provide guidance on what laws, rules, and regulations apply to your company’s situation
  • Firms that are not heavily regulated can look to other destruction standards
    • U.S. Department of Defense standards and methods (DoD 5220.22-M)
    • National Institute of Standards and Technology’s Guidelines for Media Sanitization (NIST SP 800-88)
    • International, national, state, and local laws, rules and regulations
  • Should address how to classify and handle each type of data residing on the media
  • Needs a process for the review and categorization of the types of data your company has and what kinds can be removed
  • Classifications and contents of data will play a role
  • Data and media containing confidential information, trade secrets, and the private information of customers requires the strictest controls and destruction methods
  • Data and media containing little to no risk to the firm may have relaxed levels of control and destruction
  • Review contracts with other companies to ensure proper handling of data destruction within the terms of those contracts; e.g., non-disclosure agreements can contain data destruction terms which must be complied with
  • When reselling or recycling media, take samplings as appropriate to ensure that the proper levels of data destruction are maintained
  • In-house data destruction requires verification that the data sanitization and destruction tools and equipment are functioning properly and maintained appropriately
  • Document the entire policy so the firm will know what media is sanitized and destroyed. The documentation should allow easy answers to who, what, where, when, why, and how questions
  • The last step of an effective policy is to have a process in place so the firm can follow up with regularly scheduled testing of the process and media to ensure the effectiveness of the policy

Wi-Fi Settlement to Cost Billions

Australia’s national science agency, the Commonwealth Scientific and Industrial Research Organization (CSIRO), confirmed (4-22-09) that the patent cases being heard in the Eastern District Court of Texas over CSIRO’s claim to inventing the technology behind Wireless Local Area Networks (WLANs) have concluded “successfully.” CSIRO claims to have patented core elements of the technology used in 802.11a and 802.11g wireless devices.

“CSIRO has negotiated settlement with each of the 14 companies involved in four concurrent litigation cases,” the agency said in a statement. “The commercial terms of the settlements with these companies will remain confidential.”

The CSIRO first applied for the US patent in 1993 and was awarded US patent number 5,487,069, entitled “Wireless LAN”, on 23 January 1996. The patent is for a “peer-to-peer wireless LAN” that can operate in the kind of multi-path environment created by radio echoes in typical office buildings. It describes three ways to get high speed transmission despite the hostile conditions in an office environment: transmitting over a relatively large number of parallel sub-channels within the available bandwidth so that each channel has a low bit rate; transmitting data in small packets with forward error correction (FEC); and using interleaving. These concepts are all featured in descriptions of the 802.11 physical layer. CSIRO claims to have patented core elements of the technology used in 802.11a, 802.11g and 802.11n wireless devices.

CSIRO has previously said that its patent allowed speed increases of up to a factor of five over previous WLANs, and that it had “offered licences on reasonable and non-discriminatory terms to major suppliers as soon as they started selling devices which used the CSIRO technology.”

However, troubles began following Cisco Systems’ acquisition of Radiata from Macquarie University, which it had carried out for the purpose of commercializing CSIRO’s technology, which forms a key component of commonly used Wi-Fi products.

The CSIRO filed patent infringement suits against 3Com, Accton, Asus, Belkin, D-Link, Fujitsu, Marvell (manufacturers of Apple’s iPod), Nintendo, SMC and Toshiba. Several large technology vendors bit back – with Apple, Dell, HP, Intel, Microsoft and Netgear bringing cases against CSIRO in an attempt to have the patent invalidated.

In June 2007, the CSIRO won a case in the US Federal Court against Japanese manufacturer Buffalo Technologies, the basis of which the firm has used to demand royalties from a broader set of manufacturers that market Wi-Fi equipment.

As the case has played out in the last few weeks in and out of the Texas court, CSIRO struck individual deals with its adversaries, including Dell, Fujitsu, HP, Intel, and Microsoft.

HP was the first to settle, on 04-02-09. “CSIRO can confirm that a settlement has been reached with Hewlett-Packard Company (HP) in relation to the wireless patent case,” CSIRO spokesperson Huw Morgan said in the Sydney Morning Herald. “There will be no further comment at this time due to confidentiality and on-going litigation.”

The Court dismissed with prejudice the claims and counterclaims between CSIRO and Fujitsu Computer Systems Corp. in the first court-approved settlement to emerge in the case, on April 8, with terms of the settlement to remain confidential.

PC manufacturer Asus and Microsoft separately settled their lawsuits with the CSIRO on 04-14-09; terms of the settlement were not disclosed. CSIRO had accused Microsoft of wrongfully using its patent, while Microsoft was seeking a ruling of non-infringement for its networking wireless technology that includes an adapter for the Xbox video-game system.

Intel and Dell also settled on 04-19-09 for undisclosed and confidential terms.

Accton Technology Corp., SMC Networks, Belkin Corp. and Belkin International, Inc., D-Link Systems, Inc., Netgear, Inc., Nintendo of America, Inc., Toshiba America Information Systems, Inc., and 3Com Corp., announced on 4-20-09 that they had reached a settlement with CSIRO.

Cisco and its Linksys division aren’t on CSIRO’s list because Cisco agreed to patent terms when it acquired an Australian network authentication firm a few years ago. Apple dropped out in December 2006.

Dr. Alex Zelinsky, director of the CSIRO ICT Center, confirmed that all of CSIRO’s opponents had chosen to settle the wireless case rather than go ahead with another trial. CSIRO deputy chief of operations Mike Whelan said that the terms of the settlement would remain strictly confidential. Dr Zelinsky speculated to ITNews, however, that the payoff could be worth from $100 million up to a billion dollars and keep royalty payments flowing into the agency for up to a decade.

Timeline

  • November 1993: CSIRO lodges US patent for the invention of a wireless LAN.
  • January 1996: US patent 5,487,069 is issued to CSIRO.
  • 1997: CSIRO and Macquarie University form Radiata, a company established for the purposes of commercializing the patent.
  • 2001: Cisco Systems acquires Radiata for US$295 million.
  • 2003: CSIRO engages in patent licensing discussions with several manufacturers, none of which agree to pay licensing fees.
  • February 2005: CSIRO lodges a suit against Buffalo Technology for alleged patent violation in the Eastern District of Texas Court as a test case for its patent.
  • May 2005: Two groups of industry heavyweights (including Dell and Intel, and Microsoft, HP and Netgear) lodge lawsuits against CSIRO seeking to overturn its patent.
  • November 2006: CSIRO has its patent upheld by the Eastern District of Texas Court in its case against Buffalo Technology.
  • September 2006: CSIRO counter-sues the industry parties attempting to overturn its patent, claiming these companies infringe on its patents.
  • September 2007: CSIRO refuses to offer any amnesty to IEEE members that infringe on its patent.
  • April 02, 2009: HP settles suit.
  • April 13, 2009: Microsoft settles suit.
  • April 20, 2009: All other firms settle suit.

rb-

If your installation includes Aruba, Meru or Trapeze, you can hope that CSIRO goes back to developing Wearable Instrument Shirts or Airhockey Over a Distance, rather than squeezing more revenue for the taxpayers of Australia out of this initial victory by going after all of the other Wi-Fi vendors. If upheld, CSIRO will collect what it has frequently described as a small royalty on all devices containing Wi-Fi.

The cases are:

  • Intel Corp. v. Commonwealth Scientific and Industrial Research Organisation, 06cv551
  • Microsoft Corp. v. Commonwealth Scientific and Industrial Research Organisation, 06cv549, U.S. District Court, Eastern District of Texas (Tyler)
