E-Mail Hacking Case Could Redefine Online Privacy

By Ellen Nakashima - Washington Post Staff Writer - Wednesday, August 6, 2008
A federal appeals court in California is reviewing a lower court's definition of "interception" in the digital age, in a case that some legal experts say could weaken consumer privacy protections online.

The case, Bunnell v. Motion Picture Association of America, involves a hacker who in 2005 broke into a file-sharing company's server and obtained copies of company e-mails as they were being transmitted. He then e-mailed 34 pages of the documents to an MPAA executive, who paid the hacker $15,000 for the job, according to court documents.

The issue boils down to the judicial definition of an intercept in the electronic age, in which packets of data move from server to server, alighting for milliseconds before speeding onward. The ruling applies only to the 9th District, which includes California and other Western states, but could influence other courts around the country.

In August 2007, Judge Florence-Marie Cooper, in the Central District of California, ruled that the alleged hacker, Rob Anderson, had not intercepted the e-mails in violation of the 1968 Wiretap Act because they were technically in storage, if only for a few instants, instead of in transmission.

"Anderson did not stop or seize any of the messages that were forwarded to him," Cooper said in her decision, which was appealed by Valence Media, a company incorporated in the Caribbean island of Nevis but whose officers live in California. "Anderson's actions did not halt the transmission of the messages to their intended recipients. As such, under well-settled case law, as well as a reading of the statute and the ordinary meaning of the word 'intercept,' Anderson's acquisitions of the e-mails did not violate the Wiretap Act."

Anderson was a former business associate of an officer for Valence Media, which developed TorrentSpy, a search engine that helped users find "torrents," or special data files on the Internet that can be used to help download free audio, software, video and text. According to court documents, Anderson configured the "copy and forward" function of Valence Media's server so that he could receive copies of company e-mail in his Google mail account. He then forwarded a subset to an MPAA executive.

The documents sent to the MPAA included financial statements and spreadsheets, according to court papers. "The information was obtained in a legal manner from a confidential informant who we believe obtained the information legally," MPAA spokeswoman Elizabeth Kaltman said.

Valence Media alleged that the MPAA wanted those documents to gain an advantage in a copyright infringement lawsuit against the company and its officers.

"The case is alarming because its implications will reach far beyond a single civil case," wrote Kevin Bankston, a senior attorney for the Electronic Frontier Foundation in a friend-of-the-court brief filed Friday. If upheld, the foundation argued, "law enforcement officers could engage in the contemporaneous acquisition of e-mails just as Anderson did, without having to comply with the Wiretap Act's requirements."

Those requirements are strict, including a warrant based on probable cause as well as high-level government approvals and proof alternatives would not work.

Cooper's ruling also has implications for non-government access to e-mail, wrote Bankston and University of Colorado law professor Paul Ohm in EFF's brief. "Without the threat of liability under the Wiretap Act," they wrote, "Internet service providers could intercept and use the private communications of their customers, with no concern about liability" under the Stored Communications Act, which grants blanket immunity to communications service providers where they authorize the access.

Individuals could monitor others' e-mail for criminal or corporate espionage "without running afoul of the Wiretap Act," they wrote.

"It could really gut the wiretapping laws," said Orin S. Kerr, a George Washington University law professor and expert on surveillance law. "The government could go to your Internet service provider and say, 'Copy all of your e-mail, but make the copy a millisecond after the email arrives,' and it would not be a wiretap."

In August, 2007, Valence Media shut down TorrentSpy access to the United States due in part to concern that U.S. law was not sufficiently protective of people's privacy, according to its attorney, Ira Rothken.

The Electronic Privacy Information Center also filed a friend-of-the-court brief Friday, arguing that Congress intended to cover the sort of e-mail acquisition Anderson engaged in.
Read more in the Washington Post

Media and Energy

By Faith Chatham - DFWRCC - Dec. 6, 2007
Today Media Consolidation and Energy are hot topics in Washington. Congressman John Dingell's assessment that the FCC has been "short-circuiting procedural norms" and failing to communicate appropriately with members, other legislators and the public is circulating through Washington and across America.

FCC Chairman Kevin Martin ignited a fire storm when he moved to allow consolidation of media in the same market. See HOUSE SUBCOMMITTEE TO INVESTIGATE FCC and HOUSE SUBCOMMITTEE TO QUESTION FCC ON MEDIA OWNERSHIP

On another front, privacy is a hot button for citizens. Advancements in technology now allow internet providors to track every website visited by their customers. See WATCHING WHAT YOU SEE ON THE WEB.

We continue with the same old leap frog pattern between technological advances, profit driven infringements, citizens outcry as privacy erodes, governmental regulations, lobbyist and citizen activists demands for advantages or remedies. It is prudent for citizens to keep tabs on these developments. What news we have access to through media in our hometowns and who watches what we read and write on the internet and how that information is used is up for grabs.

Watching What You See on the Web

New Gear Lets ISPs Track Users and Sell Targeted Ads;
More Players, Privacy Fears
By BOBBY WHITE - The Wall Street Journal - December 6, 2007
CenturyTel Inc., a Monroe, La., phone company that provides Internet access and long-distance calling services, is facing stiff competition from cellphone companies and cable operators. So to diversify, it's getting into the online-advertising business.

And not just any online advertising. The technology it's using could change the way the $16.9 billion Internet ad market works, bringing in a host of new players -- and giving consumers fresh concerns about their privacy.

CenturyTel's system allows it to observe and analyze the online activities of its Internet customers, keeping tabs on every Web site they visit. The equipment is made by a Silicon Valley start-up called NebuAd Inc. and installed right into the phone company's network. NebuAd takes the information it collects and offers advertisers the chance to place online ads targeted to individual consumers. NebuAd and CenturyTel get paid whenever a consumer clicks on an ad.

This technique -- called behavioral targeting -- is far more customized than the current method of selling ads online. Today, it's an imperfect process: companies such as Revenue Science Inc. and Tacoda Inc., which was recently bought by Time Warner Inc., contract with Web sites to monitor which consumers visit them, attaching "cookies," or small pieces of tracking data, to visitors' hard drives so they are recognized when they return. The targeting firms feed the data to Web site owners, who use it to charge premium rates for customized ads. But the information is limited, since the tracking companies can't monitor all of the sites an individual visits.

The newer form of behavioral targeting involves placing gear called "deep-packet inspection boxes" inside an Internet provider's network of pipes and wires. Instead of observing only a select number of Web sites, these boxes can track all of the sites a consumer visits, and deliver far more detailed information to potential advertisers.

Until now, the booming online ad market has been dominated by the likes of Google Inc. and Microsoft Corp. and small techie advertising shops such as Right Media Inc. and AdECN Inc. But new companies are rushing in. Both wireless and wireline Internet-access providers such as CenturyTel, Rochester Telecom Systems Inc. and Embarq Communications Inc., among others, have entered the advertising gold rush. And they've tapped Internet equipment companies like NebuAd, FrontPorch Inc., and Phorm Inc. to provide the gear to help them along.

The technology does raise privacy issues. The Internet-service providers often know other information about consumers, such as their names, locations and age and income ranges, which can be very valuable to potential advertisers, especially when combined with Web browsing habits. "Some of these [Internet equipment] guys are traveling in dangerous territory," says Emily Riley, an advertising analyst with Jupiter Research. "Should one company have all of that data in one place? It's a little troubling."

The idea of matching online and offline information about individual consumers has raised privacy concerns in the past. Many of the major online ad companies have pledged to abide by voluntary standards put forth by the Network Advertising Initiative, an industry group, which call for members to notify consumers that they are being targeted and give them the chance to opt out.

NebuAd says that it isn't a member of the group and that the information provided by the ISPs is fairly standard data that they often make available to third parties. FrontPorch also says it believes it isn't going too far by receiving a small amount of offline user data.

Privacy advocates say transparency is key. "Consumers need to know exactly what is going on and they need to know it at all times," says John Palfrey, executive director of the Berkman Center for the Internet and Society at Harvard University. "Today they say they are using consumer information for ads, but it could be something completely different tomorrow. The ISPs and the companies they are working with need to share as much information as possible."

Some Internet providers are reworking their privacy policies to pre-empt concerns. Many give customers online fact sheets informing them of their new behavioral targeting service along, and ask if they want to participate. If they opt out, the consumers' Internet address is tagged and their Web activity isn't tracked.

If a consumer doesn't opt out of the service, the equipment companies say they take steps to shield a consumer's privacy. NebuAd, for instance, says it doesn't keep a consumer's personally identifiable information, but only builds a profile of a consumer's interests based on the sites a user frequents. The company also doesn't track traffic to sites related to sex, health or politics.

Internet access providers say they take the privacy concerns seriously. "Privacy is a huge issue that you must get right," says Dan Toomey, chief executive of Anacapa Holdings Ltd., a Dublin, Ireland-based company that provides wireless Internet access. "One mistake could spell big trouble." Anacapa, which began using FrontPorch's equipment in September, operates 2,400 wireless Internet networks at hotels and coffee shops in 18 countries in Europe. The company allows consumers to use their wireless Internet service for free in exchange for viewing ads.

The use of the new networking gear to observe online behavior -- while currently nascent -- is growing. Zachary Britton, FrontPorch's chief executive, says his company's advertising business generated $15 million in the first nine months of the year, up 187% from the year-earlier period. The company has signed up 202 new customers for its deep packet inspection boxes this year. Meanwhile, NebuAd is expecting revenue of $100 million in 2008 based on sales of its advertising equipment. NebuAd Chief Executive Bob Dykes says the company has signed up more than 30 new customers, mostly Internet access providers, since it started.

For CenturyTel, the new business has already turned into a healthy sideline. The company estimates it will see a 5% to 10% boost in average revenue per user for its high-speed Internet business, with extra revenue totaling around $2 million a quarter. "We need new revenue streams to survive," says Chris Mangum, vice president of strategic planning of CenturyTel, which notifies its consumers of the behavioral targeting in an online fact sheet and allows them to opt out.

Having been initially skeptical, Mr. Mangum says, "We're now comfortable with how we approach this," says Mr. Mangum. CenturyTel says it's too early to tell what percentage of customers have opted out.
Read more

Senate panel OKs wiretap bill, telecom immunity

By Randall Mikkelsen - Reuthers - Thu., Oct. 18, 2007
WASHINGTON (Reuters) - A U.S. Senate committee approved a bipartisan bill to tighten rules on government eavesdropping on terrorism suspects, but a Democratic presidential candidate said on Thursday he would try to block it.

The Senate Intelligence Committee voted 13-2 for the measure, which Chairman John Rockefeller, a West Virginia Democrat, said strengthened national security and protected civil liberties.

"It ensures that the unchecked wiretapping policies of the administration are a thing of the past," Rockefeller told reporters.

The Senate committee's action came a day after a Democratic effort collapsed in the House of Representatives to pass an eavesdropping bill opposed by the White House.

Intelligence Committee Vice Chairman Kit Bond, a Missouri Republican, called the Senate bill "a delicate arrangement of compromises."

The bill would allow wiretapping without a court order of suspected foreign terrorists, including when they call Americans, committee leaders said.

It would grant lawsuit immunity, demanded by the White House, for telephone companies that participated in a secret warrantless eavesdropping program launched by U.S. President George W. Bush after the September 11 attacks.

The House bill would have required court approval when eavesdropping on terrorism suspects who might call Americans, and omitted the phone company immunity.

To safeguard civil liberties, the Senate bill would require a secret court to approve methods for targeting suspects and eavesdropping, more congressional oversight, and the removal of identifying information from intercepted calls involving innocent Americans.

An amendment added during committee debate would require court approval to eavesdrop on the communications of an American overseas. The bill would expire after six years.

Rockefeller said he was optimistic the White House would support the bill, but Bond indicated an amendment -- evidently the one on overseas Americans -- may need more work.

DODD PLANS 'HOLD'

Sen. Chris Dodd said he intended to put a procedural "hold" on the bill, which could effectively block it from a Senate vote. The Connecticut Democrat, who does not serve on the Intelligence Committee, said on his presidential campaign Web site he opposed the telecom immunity provision.

Sen. Ron Wyden, an Oregon Democrat, said he voted against the committee's bill because of the immunity provision, despite winning passage of the amendment on Americans overseas.

Sen. Russ Feingold, a Wisconsin Democrat, also voted against the bill, citing the immunity provision and the lack of a warrant requirement when a suspect's call involves Americans.

The immunity would not apply to any eavesdropping before September 11, 2001. Bond said that before then, "there was interception of radio communications on a broad basis," but later described that as an allegation.

An administration official said earlier that aides were still reviewing provisions of the deal reached before the Senate committee met and had some concerns, but called it "much better" than the House bill.

Read more

IRS Leans On Auction Sites to Spill Customer Information

By Lisa Vaas - eWeek.Com
May 10, 2007

Would you trust eBay to keep your name, address and taxpayer identification number safe? What about uBid.com, or what about an obscure online broker you've never heard of?

The Center for Democracy and Technology is raising a red flag over the prospect after language appeared in the President Bush's budget that would require brokers of personal property—including online auction houses and consignment stores—to collect personal data from customers and to share it with the Internal Revenue Service.

The push to put personal customer information into the hands of the Feds is coming from the U.S. Treasury Department, which is attempting to track down millions in unreported small business income. There's serious money at stake: The Treasury Department's proposal in the president's budget estimates that it could raise $20 million in 2008, increasing steadily over the years to hit a cumulative $1.974 billion by 2017.

Read more