Thursday, July 28, 2005

FTC Raises Do Not Call Fees

The Federal Trade Commission issued a Final Rule, on Wednesday, July 27, to amend their telemarketing rules, revising fees companies have to pay to access the Do Not Call list.

The 2004 fees were $40 for each area code, with the first 5 free, with a maximum annual cost of $11,000.

The new fees are $56 per area code, or $28 per area code during the second 6 months of an annual subscription.

The new maximum is $15,400 for 280 or more area codes of data. The first 5 area codes are still free.

The new fees are effective September 1, 2005.

See Federal Register, Vol. 70, No. 143.

Wednesday, July 27, 2005

Washington State Spam Law Upheld

The federal CAN SPAM Act is a federal anti-spam law that generally preempts state anti-spam laws, but does allow for the application of state anti-fraud statutes which can function as anti-spam laws (or, if you prefer, the other way around).

A federal District Court judge has ruled that a Washington state anti-spam law is not preempted by the CAN SPAM Act because it has a broader application than the narrow federal law. The state law, the court observed, "prohibits misrepresentation in the transmission path or in identifying the point of origin, and... prohibits false or misleading information in the subject line. . . ." Because of this, the judge wrote, "the Court concludes that Washington's Commercial Electronic Mail Act is excepted from federal preemption because it prohibits 'falsity and deception.'"

See: Gordon v. Impulse Mktg. Group Inc., E.D. Wash., No. CV-04-5125-FVS, 7/11/05

John Roberts, Part 2

Between 1989 and 1993, under President George H.W. Bush, John Roberts served as Deputy Solicitor General. While in this job, he argued 39 cases for the government before the Supreme Court, winning 25.

It was at this time that John Roberts was listed as the third coauthor on a brief before the Supreme Court in Rust v. Sullivan, 500 U.S. 173 (1991), which defended a Department of Health and Human Services regulation that prohibited recipients of funding under the Public Health Service Act not only from providing abortions, but also from counselling, advising, or promoting the idea that a woman seek an abortion. An excerpt from the brief:

"We continue to believe that Roe v. Wade was wrongly decided and should be overruled. As more fully explained in our briefs, filed as amicus curiae, in Hodgson v. Minnesota, 110 S. Ct. 2926 (1990); Webster v. Reproductive Health Services, 109 S. Ct. 3040 (1989); Thornburgh v. American College of Obstetricians and Gynecologists, 476 U.S. 747 (1986); and City of Akron v. Akron Center for Reproductive Health, 462 U.S. 416 (1983), the Court's conclusions in Roe that there is a fundamental right to an abortion and that government has no compelling interest in protecting prenatal human life throughout pregnancy find no support in the text, structure, or history of the Constitution."

Roberts has written that "he would also like to point out that his views as a commentator on those cases do not necessarily reflect his views as an advocate for his former client, the United States."

If there were more pertaining to his views in this area, I would post it. I'm still looking.

So does John Roberts believe in a right to privacy? We still don't know.

Tuesday, July 26, 2005

Does John Roberts Believe in a Right to Privacy?

We don't yet know the answer to that question.

This is from his Senate hearing to be confirmed to the D.C. Circuit Court in April of 2003.


"So, in 1991, you are in the Solicitor General's Office, and
in Rust v. Sullivan, you end up signing on to a brief which
calls for overturning Roe v. Wade, one of the more
controversial Supreme Court cases of my lifetime. When we asked
repeatedly in questions of you what your position is on Roe v.
Wade, you have basically danced away and said, "No, no, my
personal views mean nothing. I am just going to apply the

"This, in my mind, is evasive. I need to hear something more
definitive from you. Was the statement in that brief an
expression of your personal and legal feelings about Roe v.
Wade, that it should be repealed? What is your position today, in terms of that decision?"


"The statement in the brief was my position as
an advocate for a client. We were defending a Health and Human
Services program in which the allegation was that the
regulations issued by the Department of Health and Human
Services burdened the constitutional right to an abortion
recognized in Roe v. Wade."

"At that time, it was the position of the administration,
articulated in four different briefs filed with the Supreme
Court, briefs that I hadn't worked on, that Roe v. Wade should
be overturned."

"Now, if Roe v. Wade were to be overturned, the challenge to
the regulations that we were tasked with defending would fail,
and so it was appropriate in that case to include that
argument. I think it was all of one or two sentences. The bulk
of the brief was addressed to why the regulations were valid,
in any event."

"But since that was the administration position, and the
administration was my client, I reiterated that position in the
brief because it was my responsibility to defend that HHS


"Understood. I have been an attorney,
represented a client, sometimes argued a position that I did
not necessarily buy, personally. And so I am asking you today
what is your position on Roe v. Wade?"


"I don't--Roe v. Wade is the settled law of the
land. It is not--it's a little more than settled. It was
reaffirmed in the face of a challenge that it should be
overruled in the Casey decision. Accordingly, it's the settled
law of the land. There's nothing in my personal views that
would prevent me from fully and faithfully applying that
precedent, as well as Casey."


"Then, let me ask you this question. You
make a painful analogy, from my point of view, when you suggest
that calling for the overturn of Roe v. Wade was not any
different than the Government calling for overturning Plessy v.
Ferguson and Brown v. Board of Education. Plessy v. Ferguson,
separate, but equal, was really the basis for racial
discrimination and segregation in America for decades. I hope that that is just a strict legal analogy and does
not reflect your opinion of Roe v. Wade policy compared to Plessy v. Ferguson policy."


"Senator, the question I was asked, were there
other occasions in which the Department--if I am remembering
correctly--if there were other occasions in which the Solicitor
General had urged that a Supreme Court precedent be overturned,
and that is just--Brown v. Board of Education is the most
prominent one. The answer wasn't meant to draw a particular
substantive analogy."


"And I will not push any further because I
was hoping that is what your response would be."



"All right. How about Roe v. Wade?"


"Roe v. Wade is an interpretation of the
Court's prior precedents. You can read the opinion beginning
not just with Griswold, which is the case everybody begins
with, but going even further back in other areas involving the
right to privacy, Meyer v. Nebraska, Pierce v. Society of
Sisters, cases involving education. And what the Court
explained in that case was the basis for the recognition of
that right."

"Now, that case and these others--certainly Brown was
subjected to criticism at the time as an example of judicial
activism. Miranda was as well. But, again, all I can do as a
nominee is look to the rationale that the Supreme Court has

SENATOR SCHUMER: "So you don't think Roe v. Wade was
judicial activism as you defined it in your..."


"The Court explained in its opinion the legal
basis, and because the Court has done that, I don't think it's
appropriate for me to criticize it as judicial activism. The
dissent certainly thought it was and explained why, but the
Court has explained what it saw as the constitutional basis for
its decision. My definition of judicial activism is when the Court
departs from applying the rule of law and undertakes
legislative or executive decisions. Now..."


"Well, can you--since you seem to make the
argument if the Court rules that it is not judicial activism,
that would not be true of many people who write and comment and
everything else, can you give me a Supreme Court case that you
think was judicial activism?"


"Senator, again, you are sort of getting back
into the area where following Justice Ginsburg's...."

Senator Schumer. "Getting back into the area of a hard
question, that is all."


"No. With respect, Senator, you're getting back
in the area of asking me to criticize particular Supreme Court


It goes on from there, but they don't get back to the subject of privacy. I will add more later.

Monday, July 25, 2005

Montana: No Right to Privacy in Garbage

The Montana Supreme Court has ruled that a citizen has no right to privacy in their garbage.

The Montana Constitution, in effect, requires a warrant for the government - that is, law enforcement officers - to search and seize a citizen's property or effects where that person has an expectation of privacy. But that does not apply to garbage thrown away by that person.

The court stated that "when a person intentionally abandons his property, that person's expectation of privacy with regard to that property is abandoned as well."

Police officers searched garbage cans behind a suspect's home and found evidence of drug activity. This evidence was used to get a search warrant for the house. The defendant, convicted, claimed all the evidence should have been thrown out because it was tainted by the unconstitutional warrantless search of his trash.

The decision was 5-2. The dissenting justices argued that citizens of the state should expect privacy even in the trash they have left outside.

CardSystems Appears Before Congress - Security Breach May Drive Them Out of Business

According to the Washington Post, John M. Perry, chief executive of CardSystems Solutions Inc., appeared before the House Financial Services Committee subcommittee last Thursday, to talk about the security breach at his company which exposed information on holders of 40 million credit cards.

He said the company is "facing imminent extinction" and seemed to imply that security breach notification laws were to blame, and that other companies would keep such breaches secret from now on, because of such laws.

"As a result of coming forward, we are being driven out of business," he said.

But wouldn't that argue just as strongly, if not more so, in favor of such laws? What would the alternative be? And without such laws, what would be the incentive for companies like his to prevent such breaches in the first place?

In any case, as the article pointed out, the company's existence is not being threatened at the moment by government action or lawsuits, but by the fact that Visa and American Express don't want to do business with them anymore. I believe those companies probably have "security breach notification" provisions written into the contracts of all the companies they do business with now - along with other contractual provisions.

While it is unfortunate that people might be put out of work if CardSystems indeed goes under, I hope he wasn't trolling Capitol Hill for sympathy or attempting to lay the blame for the problem somewhere besides CardSystems.

Rep. Carolyn B. Maloney (Democrat-New York) is quoted as saying: "The CardSystems incident is a spectacular failure", and "We need to provide the legal structure to fix it."

On the other hand, Rep. Tom Price (Republican-Georgia), is quoted as cautioning against "greater regulation and greater penalties, which is oftentimes the knee-jerk reaction."

A number of national security breach notification bills are pending in Congress. Many have already been enacted in the state legislatures.

Thursday, July 21, 2005

New Hampshire Anti-Spyware Law

New Hampshire has enacted an anti-Spyware law. (House Bill 47)

The law is effective immediately.

The law provides that: "A person or entity conducting business in this state, who is not an authorized user, shall not knowingly cause a computer program or spyware to be copied onto the computer of a consumer and use the program or spyware to do any of the following:

I. Take control, through intentionally deceptive means, of the consumer’s computer by doing any of the following:

(a) Transmitting or relaying commercial electronic mail or a computer virus from the consumer’s computer, where the transmission or relaying is initiated by a person other than an authorized user and without the authorization of an authorized user.
(b) Accessing or using the consumer’s modem or Internet service for the purpose of causing damage to the consumer’s computer or causing an authorized user to incur unauthorized financial charges.
(c) Using the consumer’s computer as part of an activity performed by a group of computers for the purpose of causing damage to another computer, including launching a denial of service attack.
(d) Opening multiple, sequential, stand-alone advertisements in the consumer’s Internet browser with knowledge that a reasonable computer user cannot close the advertisements without turning off the computer or closing the consumer’s Internet browser.

II. Modifying, through intentionally deceptive means, any of the following settings related to the computer’s access to, or use of, the Internet:
(a) The page that appears when an authorized user launches an Internet browser or similar program used to access and navigate the Internet.
(b) The default provider the authorized user uses to access or search the Internet.
(c) The authorized user’s list of bookmarks used to access Web pages.
(d) An authorized user’s security or other settings that protect information about the authorized user, for the purpose of stealing personal information of, or causing harm to, an authorized user.
(e) The security settings of the computer for the purpose of causing damage to one or more computers.

III. Collecting personal information through intentionally deceptive means, such as through the use of a keystroke logging function, and transferring that information from the computer to another person.

IV. Preventing, through intentionally deceptive means, an authorized user’s reasonable efforts to block the installation of, or to disable, software by doing any of the following:
(a) Presenting an authorized user with an option to decline installation of software such that, when the option is selected, the installation nevertheless proceeds.
(b) Falsely representing that software has been disabled.
(c) Causing software that the authorized user has properly removed or disabled to automatically reinstall or reactivate on the computer without the authorization of an authorized user.

V. Intentionally misrepresenting that software will be uninstalled or disabled by an authorized user’s action, with knowledge that the software will not be uninstalled or disabled.

VI. Inducing, through deceptive means, an authorized user to install a software component onto the computer, including deceptively misrepresenting that installing software is necessary for security or privacy reasons or in order to open, view, or play a particular type of content.

VII. Deceptively installing and executing on the computer one or more additional computer software components with the intent of causing an authorized user to use the components in a way that violates any other provision of this section.

VIII. Through intentionally deceptive means, removing, disabling, or rendering inoperative a security, antispyware, or antivirus technology installed on the computer.

The law defines “Advertisement” to mean:

"a communication, the primary purpose of which is the commercial promotion of a commercial product or service, including content on an Internet website operated for a commercial purpose."

The law defines “Spyware” to mean:

Software residing on a computer that:

(1) Employs a user’s Internet connection in the background, via a backchannel, without his or her knowledge or explicit permission.
(2) Sends information about the computer’s usage to a remote computer or server; or displays or causes to be displayed an advertisement in response to the computer’s usage.
(3) Sends or causes to be sent personal information residing on the computer to a remote computer or server.

“Spyware” does not include any of the following:

(1) Software designed and installed primarily to prevent, diagnose, or resolve technical difficulties, to protect the security of the user’s computer, or to detect or prevent fraudulent activities.
(2) Software or data that solely report to an Internet website information stored by the Internet website on the user’s computer, including cookies, HTML code, or Java Scripts.
(3) Software that provides the user with the capability to search the Internet.
(4) Software installed with the consent of an authorized user whose primary purpose is to prevent access to Internet content that is inappropriate for minors.

Wednesday, July 20, 2005

University of Southern California Security Breach

According to the University of Southern California, a database of about 270,000 records of past applicants to the school was hacked into last month. The records contained the applicants' names and Social Security numbers. Not all the records in the database were accessed.

Apparently the school found out about the security breach from a journalist.

Of course, they are notifying everyone affected about the breach, thanks to the California law enacted in 2003 requiring such notification.

Tuesday, July 19, 2005

Illinois Limits Social Security Numbers

Illinois has enacted a law (Senate Bill 445) which prohibits printing an individual's Social Security Number on an insurance card.

The new law also prohibits printing a student's Social Security Number on college or university ID cards.

Monday, July 18, 2005

Are Security Freezes A Good Idea?

An article I just read from the San Francisco Chronicle bothered me enough to comment on it.

The headline is:

"New Credit-Freeze Laws Could Backfire"

Below that, the subhead reads:

"In California and Texas, you can seal your credit report from prying eyes. It's a way to thwart identity theft - but lenders say it also could mean losing your dream house."

The opening sentence reads:

"The law of unintended consequences may be striking again, this time with state laws that allow consumers to freeze their credit files, according to some mortgage professionals who say the rules could prevent borrowers from snapping up a low loan rate or jumping on fast-selling houses."

Notice the emphasis on "could." I doubt the critics of the security freeze could cite one instance where someone lost their "dream house" due to the dreaded security freeze.

First, as a matter of logic, the rules "permitting" security freezes are not going to "prevent" borrowers from getting anything. The consumer must first decide to place a security freeze - not an easy thing to do, and most likely the result of identity theft. The rules permit a security freeze, they don't impose it.

According to the article, officials of the National Association of Mortgage Brokers warned at their annual convention in Minneapolis last month that so-called credit-freeze laws could backfire because their members will be unable to generate credit scores for their clients.

Secondly, it was my impression that lenders in the U.S. right now are, if anything, able to lend too much, too easily. Aren't consumer debt and housing at an all-time high? My point being, is waiting five days for a loan really too much?

But sure, I'll concede anyone in the process of buying a home should probably see to it that any security freeze they do have is lifted.

Even if you buy a new house every 10 years, that would still leave 9 years and 11 months to have a freeze and not worry about losing your dream house.

Anti-freeze types say that people might forget they ever had a freeze placed on their credit reports. It's possible, I suppose, but consumer education should help with that.

The article makes a good point quoting fraud prevention consultant Robert Siciliano, of Safety Minute Seminars in Boston, who says identity theft "has a much better chance of gumming up the process than a credit freeze ever will."

Considering credit reports are key to identity theft, consumers are going to want, and need, more control over how their reports are used and disclosed.

Security Breach of Medical Information

Someone broke into Arizona Biodyne, a managed care company in Phoenix, AZ, and stole a safe containing backup tapes with personal information on 57,000 people.

It's a relatively small number, by recent standards, and the good news is the thieves probably weren't looking to steal personal information. Still, there was medical treatment information in the files on the tapes, so I imagine the patients, who are being notified, will not be pleased.

Biodyne has set up a toll-free number and e-mail address to answer questions from people who are notified that their information was on the stolen tapes.

Friday, July 15, 2005

I'm Going to Disney World!!! To Get Fingerprinted!!

I've said it before - biometrics is the future.

All people entering Walt Disney World in Florida must now get electronically fingerprinted in order to get in.

People place their middle and index fingers onto a machine that records the information.

It's a security measure designed to prevent people from getting into the park without a legitimate ticket. They've already been doing this for people with annual passes for years. Linking fingerprints to the person is the natural way to do this. The machine creates a unique code using a person's fingerprint. More and more businesses and government facilities will do this in the future.

Privacy advocates are troubled, of course, but they can't stop it. "Slowly but surely we're just giving away our right of privacy, and the question is what are we getting in return?" said Larry Spalding, spokesman for the American Civil Liberties Union.

Here's an interesting question: Disney officials claim that, if a crime were to occur inside a park, police would not be able to use the images to match a fingerprint to a person. Why? Because the numerical values -- not fingerprints -- are saved in Disney's system.

But couldn't the "numerical values" be recreated just by having a suspect place his fingers onto the Disney machine?

Even if the answer is "yes," it still is possible that the numerical values, and thus, the identity of the person, could not be recreated using a fingerprint lifted from a crime scene. I'm not enough of an expert to know.

Tuesday, July 12, 2005

Equifax CEO on ID Theft

According to the Associated Press, Thomas Chapman, chairman and CEO of Equifax, said about ID theft: "It's an epidemic that worries me to death."

He also apparently admitted, or claimed, that checking your credit report once a year is not enough: "It's not going to help, and the public is starting to learn that."

He also said that he is against laws allowing people free access to their credit report:

"I'm all for good laws, laws that protect people. But this isn't one of them."

According to the AP, he "also opposes the law because it forces the companies to give away their product, which he called 'un-American.' "

Given the key role played by Equifax in the problems created by what we have come to call "identity theft," most people come down on the side of such laws being as American as Apple Pie.

But Chapman does have a point, in that, generally, it's easy for politicians to call for a product to be given away.

I would submit that we could rescind such laws, but that, in fairness, we would also have to admit that it is also Un-American to ruin someone else's reputation unfairly.

So maybe we could replace the free-credit-report laws with laws which allow companies like Equifax to be sued for defamation every time they issue a credit report with information flawed enough to injure a person's reputation.

This shouldn't be a problem for Equifax, unless of course, their reports are not 100% accurate. Is that possible?

Security Breach Notification - State laws

States with Security Breach Notification:

North Dakota

Who's Next? Pennsylvania -- (Senate Bill 711 - passed the Senate)

Monday, July 11, 2005

Delaware Security Breach Law - Right to Sue for Triple Damages

Delaware has enacted a Security Breach notification law (House Bill 116).

The new law requires that any person or company that:

(A) Conducts business in Delaware


(B) Owns or licenses computerized data that includes personal information


(a) Discovers that the unencrypted personal information of a Delaware Resident was,


(b) Is reasonably believed to have been,

Acquired by an unauthorized person,


Notify the Delaware resident of any breach of the security of the system.

The law also requires a person or a company that maintains computerized data with personal information that they do not own to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery of a breach, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

“Security Breach” means:

“The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity.”

The law provides that:

“Good faith acquisition of personal information by an employee or agent of an individual or a commercial entity for the purposes of the individual or the commercial entity is not a breach of the security of the system, provided that the personal information is not used for or is not subject to further unauthorized disclosure.”

The law allows Delaware residents to sue for TRIPLE damages, plus attorney’s fees.

The state Attorney General can also sue.

Thursday, July 07, 2005

Senator Introduces Security Breach Notification Bill

Senator Jeff Sessions has introduced a Security Breach notification bill in the U.S. Senate.

S. 1326 is titled the "Notification of Risk to Personal Data Act".

The bill would require any agency or person who owns or uses computerized data containing sensitive personal information to "implement and maintain reasonable security and notification procedures."

The law would also require such an entity, if it determines, "after discovery and a reasonable investigation, that a significant risk of identity theft exists as a result of a breach of the system," to notify any individual who is known to be a citizen of the United States.

Companies would also have to notify the credit reporting agencies in the event of breach.

The bill defines "security breach" to mean:

"compromise of the security of computerized data containing sensitive personal data that establishes a reasonable basis to conclude that a significant risk of identity theft to an individual exists, and does not include the compromise of computerized data, if the agency or person concludes, after conducting a reasonable investigation, that there is not a significant risk of identity theft to an individual . . . including a situation where the agency or person maintains or participates in a security program reasonably designed to block unauthorized transactions before they are charged to an individual's account and the security program does not indicate that the compromise of sensitive personal information has resulted in fraud or unauthorized transactions."

The bill would pre-empt all state laws relating to security breaches.

Tuesday, July 05, 2005

Senator Pryor Introduces ID Theft Bill

According to a press release, U.S. Senator Mark Pryor has introduced an identity theft bill in the U.S. Senate.

He calls his bill, the Consumer Report Security Freeze Act, "the strongest legislation to date targeted at preventing identity theft."

The bill gives consumers a federal right to place a security freeze on their credit reports.

Credit reporting agencies would also have to tell consumers the names of any third parties trying to get information from their credit reports.

“My legislation ensures that no one will be able to open up a credit account using someone else’s information and it eliminates the need for consumers to keep a fearful eye over their credit files,” Pryor said. “With over 10 million people at risk from security breaches this year alone, it’s only right to place privacy rights first.”

Also from the press release:

"All consumers deserve the right to freeze credit files so they can prevent thieves from using stolen identities to open new accounts," said Susanna Montezemolo, Policy Analyst with Consumers Union. "At a time when identity theft has become increasingly common, Senator Pryor's bill offers consumers a powerful tool to keep crooks from damaging their financial futures."

Pryor said that California already allows consumers to put a security freeze on their credit reporting file at any time.

Legislators in Colorado, Connecticut, Louisiana, Maine and Nevada have passed similar security freeze laws that have not gone into effect yet.


Friday, July 01, 2005

FTC Chair Benefits From Security Breach Law

Oh, the irony.

A spokeswoman for the head of the Federal Trade Commission, Deborah Platt Majoras, has announced that she received a letter last week from shoe retailer DSW telling her that her credit card information had been stolen.

DSW had a security breach of its stored credit card numbers in March of 2005. At 1.4 million, it was a relatively small breach, these days.

In June, the Attorney General of Ohio, where DSW is based, filed a lawsuit against the shoe retailer, trying to get them to contact all their customers whose information may have been breached. Should he really have to sue the company to get them to do the right and sensible thing?

Sandra Day O'Connor Will Leave U.S. Supreme Court

Although everyone expected William Rehnquist to be the first to leave (he is suffering from cancer), Sandra Day O'Connor will leave the Supreme Court.

Because she is a, perhaps "the," swing justice, the battle to replace her will be fierce.

No justice in recent history has been more likely to vote with the majority. She will probably be replaced with someone more conservative than she is, given that Bush is the President.

Of course, William Brennan, Anthony Kennedy, David Souter and O'Connor were appointed by Republicans, so you never know.