As with every proposed change in copyright regulations, there is a public comment period.  The period for commenting on these proposed regulations closes October 11, 2009. Several industry associations have commented, including the American Society of Media Photographers (ASMP), the Association of American Publishers (AAP), the American Library Association (ALA), the Software and Information Industry Association (SIIA), and the Professional Photographers of America and the Newspaper Association of America.  One concern identified goes to one of the most critical reasons for mandatory deposit:  proof of the work, for purposes of litigation.  In copyright infringement litigation, the mandatory deposit frequently comes into play as evidence of what exactly constituted the work at the time of registration.  Not having a mandatory deposit will greatly increase the possibility that a plaintiff or defendant in an online copyright plagiarism dispute might change the contents of an online work to help its legal case.  Another concern is the Copyright Office’s proposal to require a deposit of all code associated with an online-only publication (including scripts and metadata) raises both technological and digital rights issues.  What constitutes a “complete copy” of the “best edition” of an online work?

The proposed federal regulations to change the copyright mandatory deposit procedure are here [PDF].  Existing public comments on the proposed mandatory deposit regulations are at the Copyright Office site.  I consider this to have far-reaching implications for all websites, bloggers, and online publishers: it’s the most significant change in copyright law for these industries since the DMCA.  The Copyright Office particularly needs feedback on the technological issues.  If you are in the industry, as many of my clients are, you owe it to yourself to read the materials and educate yourself (and possibly the Copyright Office).

In 2008 both Nevada and Massachusetts passed data privacy laws requiring encryption of personal data. The Nevada law requires all businesses to encrypt personally-identifiable customer data that are transmitted electronically. The Massachusetts law requires encryption of personal information on laptops and portable devices. Both states’ laws apply not only to resident businesses, but also to out-of-state companies with operations or customers in those states. Any company doing business in all 50 states will have to comply with these data encryption requirements.

For purposes of both laws, the personal information affected by the data privacy encryption law includes an individual’s name, plus one of the following: driver’s license, credit card information, or social security number (SSN).

Both laws establish liability standards for failing to encrypt personal information as required. The Nevada law allows companies complying with the encryption requirements to benefit from a $1,000 per individual cap on liability, which are otherwise unlimited under a lawsuit for negligence. Links:

Text of Nevada data privacy security and encryption law (NRS 597.970)

Text of Massachusetts data privacy security and encryption law (201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth)

Michigan and Washington are among states currently considering similar laws.

Social media‘s social activist moment is officially here. Votereport.com is using Twitter and special applications for the iPhone and Android cell phones, to monitor polling conditions, voting wait times, voter registration problems, and voting machine dysfunction in the US presidential election.

Anyone with a Twitter account, or with an iPhone or Android phone, can participate:

http://twittervotereport.com/spread-the-word/

http://williampatry.blogspot.com/

Patry cites the “depressing state of copyright law” and the direction of recent copyright law developments as among his personal and professional reasons for not continuing the blog.

His contributions over the last several years to copyright scholarship from a private practice point of view have been valuable and unique and will be missed. Several of us are trying to persuade him to maintain his archive of over 800 thoughtful and incisive posts on key developments (which he has removed).

If anyone is inclined, he or she should add opinions to the comments section.

Just ask Johnny Depp.

According to Finjan’s May 2008 Malicious Page of the Month (free registration required), the vulnerable health data was accessible via compromised login information for healthcare systems using Citrix remote access software. Social Security Numbers (TINs – “tax ID numbers” for individuals) were accessible via a compromised IRS employee login.

In early May, Finjan reported on a different server being controlled by hackers that contained a 1.4GB cache of stolen data. Compromised data involved 571 log files from the US, 621 from Germany (DE), 322 from France (FR), 308 from India (IN), 232 from Great Britain (GB), 150 from Spain (ES), 86 from Canada (CA), 58 from Italy (IT), 46 from the Netherlands (NL), and 1,037 from Turkey (TR) and resulted in the company notifying 40 major international financial institutions and law enforcement agencies located in the US, Europe and India.

Are DMCA bots applying the ‘racial profiling’ equivalent of copyright law enforcement? I’m waiting to see if public rights advocates such as the EFF and ChillingEffects.org will begin to actively use the sanctions already present in Section 512(f) against wrongful and overreaching DMCA takedown demands as a strategic weapon against the shotgun effect of enforcement by “unmonitored” monitoring agents.  The courts have so far declined to impose penalty damages against most rights owners making technically defective claims (the case against Diebold for using the DMCA to suppress criticism of defects in voting machine software is one of the notable exceptions where large damages were awarded).  Carpet-bombing users with defective DMCA cease-and-desist demands is irresponsible and should expose the content industry to money damages for abusive DMCA claims.

A few of my clients this week reported receiving one or more phishing emails about the 2008 Economic Stimulus Payment from the US government. Then I received one myself this morning. (“Gee, how could the IRS possibly know I switched email addresses?” was my first thought.) Here’s the email I received:

Don’t click on the link.  Don’t click on the link.
The rule is worth repeating.  Practice safe Internet computing — don’t click on a link in an email seeming to come from your bank, eBay, PayPal, or your federal government about your “account details” or to “apply” for something. Go to the official site and do your business starting from there (or investigate or report the phishing email, from there).

The grammatical and formatting errors which allow users to identify phishing scams are becoming much more subtle as the phishes and the phishers themselves become more refined. Note to Phish-Dude: there are some big issues in your general approach here. It is generally a tip-off to us where the federal government uses an exclamation (“!”) point at the end of any communication. We’re just not that officially enthusiastic about anything here in the U.S. Also, while I personally consider the stimulus payment to be a kind of ‘moral refund’ for putting up with the last 8 years of government, the payment is technically not a refund, but a disbursement. (Readers are welcome to offer other grammar and spelling observations and feedback in the Comment section.)

Clicking through (don’t click on the link!) redirects the email recipient to the following page:

While you don’t have to, I frequently amuse myself by picking the IP address out of the email link (my email program, Thunderbird, allows me to right-click and copy a link). Phishing scam emails have URL links that almost always show an IP address rather than text, as this one did:

http://211.32.47.11:443/irs_redi/

When I went to DomainTools and did a reverse IP search on the 11.32.47.11 IP address, it came back “unknown”. Finally, I also note: Thunderbird and Firefox (my recommended email and web browser software of choice) both tried to warn me several times that the email and the website were a scam. Ignoring all of this “Danger, Danger, Will Robinson!” and directing yourself straight into harm’s way is possible, but much less likely with these than it is with other software.

Introducing the PHISHY: Arborlaw’s new annual award for phishing and other email scams
Is there an annual award for phishing campaigns? I couldn’t find one, so I’m announcing the Arborlaw PHISHY™ Award. You can document your submissions for the Best Phishing Attempt of 2008 in a comment here: Arborlaw 2008 PHISHY™ Awards — Submissions Page.