16 February 2012

Cyberspace March 2012

Twits

You’re probably not as loose-tongued as your average Twitterer (http://twit.com), but some people have managed to ruin their holidays. The Sun reported (http://goo.gl/5NpGf) that two UK citizens recently arrived in Los Angeles for a holiday and were promptly returned to the UK. Why? One of them had tweeted in a fit of pre-holiday excitement that he was going to dig up Marilyn Monroe (a TV show quote), and he had tweeted asking another friend if she was “free this week for a quick gossip/prep before I go and destroy America? x”. Leigh Van Bryan said that “destroy” in slang meant “partying.” The couple were flagged by the USA Department of Homeland Security, and were handcuffed and imprisoned overnight. Watch your tongue.

Digital ownership
Now that many of us download audio books, electronic texts on the Kindle, and music, the concept of lending second-hand books and LPs/CDs is waning fast. But why not sell your electronic assets when you’re done with them? You’ve often paid a high price, so why not sell them on? Why can’t you transfer that licence (and the related media) to another person? There are some technical difficulties, since you might have to relinquish usernames and passwords, but there may be licence issues too.

ReDigi (https://www.redigi.com/) decided to have a go at this market by facilitating “the verification and hand off of a digital music file from the seller to the buyer.” They work to ensure the source is legitimate, the vendor really is the licence holder, and that any copies held by the vendor are deleted. Capitol Records didn’t think much of this idea, and in the US District Court, Southern District of New York, in Capitol Records, LLC v ReDigi Inc (No. 12 Civ. 95 (RJS)) Capitol sought an injunction preventing ReDigi from carrying on that business. The court denied the injunction, but the real issue is yet to be tried.

The USA has a “first sale” doctrine which permits the purchaser of a copyrighted work to transfer for value a copyrighted article to another person. However, it’s common for licence agreements to state that they are not transferable, and the litigation has been endless. There are cases on CAD software, promotional CDs, the World of Warcraft game and others.

I might buy a CD for $15, or I may “buy” the same album electronically for the same amount. Have I purchased something less by buying the latter? I know I can loan, give or sell to you the CD and I’ve done nothing wrong. If I give you copies of the downloaded music on a USB key, and delete all my copies, where do I stand? Common sense tells me that if I have bought a physical thing for value (like a car) then I should be able to transfer it for value. My car is full of copyright software, and is no doubt subject to registered designs and patents. Of course I can sell it, so what’s the difference? One key difference is that I haven’t copied anything in my car, but to give you my electronic music I have to copy it from my computer. Is that an infringing copy provided that I delete my copy? I have paid the same amount for the music in each case.

I think the real answer lies in the commerciality of the deal. If the purchase price reflects that I no longer receive two rights (the right to loan an article to my friends or family, and the right to sell it second hand) I’m happy. Sadly there’s not much evidence of that in the market.

Cyberspace February 2012


Save the trees
Sick of photocopying trolleys of paper for subpoenas to produce? The Supreme Court has issued Practice Note No. SC Gen 18, which commenced on 3 January 2012. It notes that under the UCPR it is possible to produce scanned copies rather than photocopies, as well as copies of electronic documents on disc. Since scanning is physically a similar task to photocopying there should be some savings available.

However, scanned files (the Court suggests PDFs, but the format must be acceptable to the issuing party) need to be named. These might be automatically named by the scanner, but these names are usually fairly arbitrary. The alternative is to check and rename them, which also takes time. At least with photocopies you put them through the machine and you’re done with them.

When producing the documents you can provide them on DVD, CD or a USB device, or even email them to the registry with a scanned copy of the subpoena. This might be very useful where timeframes are short.

The Court also suggests that it is sufficient to produce emails as PDFs. Unfortunately this inherently removes a lot of the meta data from the emails, and it doesn’t satisfactorily deal with attachments. You probably want to specify to the producer that emails should be produced in native form, such as a Microsoft pst file or a Lotus Notes database. Where emails are in other forms, such as Gmail or Hotmail there exist export functions to achieve a similar result.

Documents that are printed to PDF are generally able to be searched by full text tools or using the Find function in your PDF reader. However, documents scanned to PDF require further work before this is possible, and the accuracy of the conversion depends on the quality of the scan. Still, it’s usually better than a pile of paper.

To gain access to the produced material you must provide to the registry blank optical media or a USB device. A one terabyte 2.5” external hard disc can be purchased for $120 these days, and that will hold at least a million documents. If the volume of information is limited then the registry may simply email you the produced documents.

No internal emails
Atos (http://atos.net) is an IT service company with 74,000 employees and revenues of €8.6B. It recently announced that “Atos' aim is to eradicate all emails between Atos employees by using improved communication applications as well as new collaboration and social media tools.” No more internal emails.

I’m old enough to have received paper memos and distribution group memos that you read, initialled, and passed on. You didn’t receive a lot of them, and when you did they were usually worthwhile. Internal email, of course, is now a different proposition, although it still has great value.

Atos says that “The focus of Atos is to adopt innovative social business solutions in the workplace to bridge the “social business” gap. Built on collaborative technology these solutions provide a more personal, more immediate and importantly more cost effective means to manage and share information ... and enables the Smart Organization... it is encouraging the use of tools such as Office Communicator and has set up social community platforms to share and keep track of ideas on subjects from innovation and Lean Management through to sales. Initial feedback is that these types of tools reduce email by between 10 and 20% immediately.”

This has generated a lot of conversation in the information community, and while I don’t think it’s appropriate to remove email altogether, I have to agree with the Gartner statement: “Email doesn’t erode productivity and encroaches work into our personal lives, bureaucracy does.”

17 January 2012

Log into Gmail without typing a password



[UPDATE: This site has been taken down - it was an experiment by Google]

A few sites have mentioned an undocumented method of logging into Gmail (or iGoogle) without typing your password.

Why is that a good thing? Well, if you're using a computer you don't trust (such as in an internet café/hostel/hotel) then a keystroke logger or other malware won't be able to capture your password.

You need to install a QR Reader on your phone - there are lots out there such as Norton Snap QR reader or QRRreader (free). These readers can interpret codes like the one in this article.

To use the system:
  1. On the untrusted PC navigate to http://accounts.google.com/sesame
  2. Start your QR reader and point the camera phone at the code that appears on the PC monitor
  3. [The first time you do it you will need to link your phone to your Google account]
  4. Click the Gmail button on your phone to log in. The browser window on the PC will magically show your Gmail account!
This system also allows you to have a really long (and more secure) password that even you can't remember. Just use this whenever you want to log in on a PC or laptop!

Oh, and Google - we'd love some info on how clicking a browser button on a phone then sends a redirect to the PC in question!
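Since Google hasn't published how the hand-off works, here is a small added model of one way a QR-code login of this kind can be built. It is an illustration written for this post, not Google's code, and the class and method names are my own. The idea it shows is the one that makes the scheme safe on an untrusted PC: the PC only ever sees a random one-time token (the thing rendered as the QR code), the phone approves that token using its own existing session, and the PC's browser, which has been polling with the token, is then handed a fresh session cookie. The password never touches the PC.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical QR-login handshake (added illustration; not Google's
# implementation of accounts.google.com/sesame, which is not public).
TOKEN_TTL_SECONDS = 120   # a login token is only good for two minutes


def _clock(now: Optional[float]) -> float:
    # Tests pass a fixed time; real use falls through to the wall clock.
    return time.time() if now is None else now


@dataclass
class PendingLogin:
    created: float
    approved_user: Optional[str] = None   # set once a phone approves it


class SesameServer:
    """In-memory stand-in for the account server."""

    def __init__(self) -> None:
        self.pending: Dict[str, PendingLogin] = {}   # token -> state
        self.sessions: Dict[str, str] = {}           # cookie -> user

    def login_with_password_on_phone(self, user: str) -> str:
        # The phone authenticated normally at some earlier point (trusted device).
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = user
        return cookie

    # Step 1: the untrusted PC loads the login page and is shown a random
    # token (rendered as the QR code). It learns nothing else.
    def new_login_token(self, now: Optional[float] = None) -> str:
        token = secrets.token_urlsafe(32)
        self.pending[token] = PendingLogin(created=_clock(now))
        return token

    def _live(self, token: str, now: Optional[float]) -> Optional[PendingLogin]:
        entry = self.pending.get(token)
        if entry is None:
            return None
        if _clock(now) - entry.created > TOKEN_TTL_SECONDS:
            del self.pending[token]     # expired: discard so it can't be used late
            return None
        return entry

    # Step 2: the phone scans the code and posts the token back, authenticated
    # by its own session cookie. The token becomes bound to that user.
    def approve(self, phone_session: str, token: str,
                now: Optional[float] = None) -> bool:
        user = self.sessions.get(phone_session)
        entry = self._live(token, now)
        if user is None or entry is None or entry.approved_user is not None:
            return False                # unknown phone, dead token, or already used
        entry.approved_user = user
        return True

    # Step 3: the PC's browser keeps polling with the token. Before approval it
    # gets nothing; after approval it gets a new session cookie and the token
    # is deleted, so a second poll (or a replay) gets nothing.
    def poll(self, token: str, now: Optional[float] = None) -> Optional[str]:
        entry = self._live(token, now)
        if entry is None or entry.approved_user is None:
            return None
        del self.pending[token]
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = entry.approved_user
        return cookie


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Happy path plus two failure modes: (poll too early, poll after approval, replay)."""
    server = SesameServer()
    phone = server.login_with_password_on_phone("alice")   # constructed user
    token = server.new_login_token()
    before = server.poll(token)                     # nothing yet
    approved = server.approve(phone, token)
    after = server.poll(token) if approved else None   # PC now logged in
    replay = server.poll(token)                     # token burned
    return before, after, replay


if __name__ == "__main__":
    b, a, r = demo()
    print("before approval:", b, "| logged in:", a is not None, "| replay:", r)
```

The two properties worth noticing are that the token expires and that it is single-use: without both, someone who photographed the QR code on the screen could approve it later from their own phone, or re-use a token after the legitimate user had logged in.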

© Andrew Calvin 2012

10 January 2012

OnLive Intros Virtual Windows 7 Desktop With Office for iPad - Mac Rumors


VERY interesting announcement from OnLive - Windows 7 virtualised on your iPad. This may be one of the biggest steps toward the redundancy of laptops that we've seen.

OnLive have done a good job virtualising games so far, so this is one to watch.

'via Blog this'

09 January 2012

Free Skype 'much better' than Labor's $7.2m telehealth grant

Interesting article on how Skype might be more usable than custom video conferencing software for remote doctors.

Of course, it only provides part of the story, but it is often the case that commercial off the shelf software can be far more cost effective than custom installations that offer 5% more for a much greater cost.

I have to say that I find Skype video works as well as Microsoft Communicator, albeit without Active Directory integration (which is required for enterprises). I'd say a GP doesn't need that though.


'via Blog this'

06 January 2012

Virtualizing storage for scale, resiliency, and efficiency - Building Windows 8 - Site Home - MSDN Blogs

For you Windows Home Server version 1 users out there who don't want to migrate to WHS 2 (like me), there is hope ahead in the guise of Windows 8!

The features described in this MSDN Blog are similar to Drive Extender, but take them way further. I'm looking forward to seeing how this can be implemented for consumers. One key usage will be twin drives in a laptop.


'via Blog this'

31 December 2011

Anzac Bridge

Can anyone explain why, since Anzac Bridge is closed to traffic during fireworks, there is black plastic and fences preventing pedestrians from watching the fireworks from the bridge?

I counted 15 NSW Police and 6 private security oafs carefully guarding nothing.

Great use of resources, NSW Government, police and RTA (and its successor).

20 December 2011

Mégane RS 250 Cup, MY11, Extreme Blue

TomTom Traffic HD Australia

After poor previous experience with TomTom HD Traffic around Sydney on an iPhone, I strangely resubscribed hoping that over time it would improve... but it hasn't.

This morning there was an accident in North Sydney near the Sydney Harbour Tunnel. As I drove along the Gore Hill Freeway at 80 km/h the TomTom showed me traffic at a standstill. A few kilometres later as I was actually at a standstill for 10 minutes the TomTom showed no incidents and a happy green symbol...  

And on top of that, I can drive for 1/2 hour to work some days while the TomTom tries to download traffic information unsuccessfully. Of course, this morning it managed to do it before I even got out of my street (for all the good it did).

I can't recommend it, no matter how much I want to. I get better results from Waze http://www.waze.com/.

16 December 2011

Top judge opens way for court tweets

Tweeting in court...

http://www.smh.com.au/technology/-1owpr.html

ISP filtering in Europe

In May 2011 I wrote about the SABAM case, in which Scarlet Extended SA (an ISP) had been sued by Société belge des auteurs, compositeurs et éditeurs SCRL, better known as SABAM.

That case seems to have reached finality in Scarlet's appeal to the Cour d'appel de Bruxelles. The court requested a preliminary ruling from the Court of Justice of the European Union in Case C-70/10, and judgement was handed down on 24 November 2011. It held:
EU law precludes the imposition of an injunction by a national court which requires an internet service provider to install a filtering system with a view to preventing the illegal download of files (press release)  
The case turned on the E-Commerce Directive, which prevents Member State laws from requiring ISPs to carry out general monitoring of information passing through their networks. The Court recognised the importance of protection of intellectual property rights, but found that the SABAM injunction would not respect fundamental rights of citizens - particularly their right to personal data and the right to receive or impart information. The personal data issue arose because Scarlet would have had to collect and identify IP addresses, which are protected personal data.
Accordingly, the Court’s reply is that EU law precludes an injunction made against an internet service provider requiring it to install a system for filtering all electronic communications passing via its services which applies indiscriminately to all its customers, as a preventive measure, exclusively at its expense, and for an unlimited period.
The full text of the judgement can be found here.

iTunes Match in Australia

iTunes Match launched in Australia, after a fashion, on 14 December 2012. However, signing up didn't result in anything happening until 16 December, when it seems that someone flipped a switch at Apple and the status started updating from "Waiting" to "Matched".

So if you're using the Australian iTunes Store then be patient, and perhaps quit iTunes once or twice to give it a kick along.

Don't forget to go into Music preferences on your iOS device and turn on iTunes Match as well!

10 November 2011

News Limited and security of your passwords

News Limited has had a lot of problems this year, and I predict that there is plenty of potential for more.

One cause may well be the fact that it stores its subscribers’ passwords in the clear, rather than hashing them or using other techniques to ensure that a username and password database can’t be stolen.

How do I know? I recently signed up for a trial subscription with The Australian newspaper. After signing up, they very “helpfully” sent me an email with my password in it!

So:

  1. my password is stored as plaintext on their system; and
  2. it was emailed in plaintext across insecure systems (the internet).

These are clear security threats. To quote Hitachi ID Systems, Inc.:

Security threats

Passwords are simply secret words or phrases. They can be compromised in many ways:

  • Users may write them down or share them, so that they are no longer really secret.
  • Passwords can be guessed, either by a person or a program designed to try many possibilities in rapid succession.
  • Passwords may be transmitted over a network either in plaintext or encoded in a way which can be readily converted back to plaintext.
  • Passwords may be stored on a workstation, server or backup media in plaintext or encoded in a way which can be readily converted back to plaintext.

The moral of this story? Don’t give News Limited any personal information that you don’t have to, and don’t use your News Limited password on any other site or system.
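To make the point concrete, here is an added example (written for this post, not News Limited's code, with constructed sample data) contrasting the two ways a subscriber table can be kept. The first stores the password itself, which is the only way a "here is your password" email is even possible. The second stores a random per-user salt and a slow PBKDF2-HMAC-SHA256 digest from the Python standard library, so the site can still check a password but can never read one back, and two subscribers with the same password get different records.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Added illustration; hypothetical tables with constructed sample data.

# --- Flawed: the table holds the password text. Whoever obtains the table,
# a backup of it, or the welcome email has every password.
plaintext_table: Dict[str, str] = {}


def register_plaintext(user: str, password: str) -> None:
    plaintext_table[user] = password


def password_reminder_email(user: str) -> str:
    # Only possible *because* the password is recoverable from storage.
    return f"Your password is: {plaintext_table[user]}"


# --- Hardened: store (salt, digest, iteration count). The digest cannot be
# turned back into the password; checking means re-deriving and comparing.
ITERATIONS = 100_000
hashed_table: Dict[str, Tuple[bytes, bytes, int]] = {}


def register_hashed(user: str, password: str) -> None:
    salt = os.urandom(16)                        # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    hashed_table[user] = (salt, digest, ITERATIONS)


def verify_hashed(user: str, password: str) -> bool:
    record = hashed_table.get(user)
    if record is None:
        # Do the same amount of work for an unknown user so response time
        # does not reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return False
    salt, digest, iters = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(candidate, digest)   # constant-time compare


def stored_record_reveals_password(user: str, password: str) -> bool:
    """True if the raw stored bytes contain the password text (the leak described above)."""
    salt, digest, _ = hashed_table[user]
    return password.encode() in salt + digest


if __name__ == "__main__":
    register_plaintext("reader@example.com", "correct horse")   # constructed
    print(password_reminder_email("reader@example.com"))        # the leak
    register_hashed("reader@example.com", "correct horse")
    print(verify_hashed("reader@example.com", "correct horse"))  # True
    print(verify_hashed("reader@example.com", "wrong"))          # False
    print(stored_record_reveals_password("reader@example.com", "correct horse"))  # False
```

A site built the second way can only ever offer a password *reset*, never a reminder; receiving your own password by email is therefore a reliable sign of how it is stored.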

© 2011 Andrew Calvin

03 November 2011

The decline of Usenet

Optus recently posted the following on its web site:
Message posted at:
2011-10-18 16:27
What:
Optus News Server removal

Impact:
Optus has previously provided usenet service (Optus Newsgroup) to customers. However, following evaluation of the services that we offer to our customers, and the declining usage of usenet by our customers over the past several years, it is no longer viable to continue to provide this service. As a result, the usenet service is in the process of being disabled and removed. This service will close as of 21/11/2011. If you still want to use usenet, there are a number of commercial usenet providers that will be able to provide this service to you.
You might know these as newsgroups. Usenet was one of the earliest systems available on the internet - it is, more or less, an incredibly large bulletin board with many thousands of topics and many, many posts within each topic. It was decentralised, so an organisation could choose to run its own server, and then subscribe to all or just topics of its own choosing, and in turn, share its own posts with other usenet servers.

There is a sense of hierarchy, so comp.networking.tokenring was part of networking, which was part of computers. There are roughly nine major top levels, such as comp, news, rec and alt. Many years ago I used to frequent rec.sport.mountainbiking and aus.legal for example.

The system was clever, in that a server didn't need to be online all the time. It could dial up another server or ISP, exchange posts, then disconnect again, much the way email used to be transmitted using UUCP.

As you can see, Optus is decommissioning its usenet servers, but various sources show that the amount of data posted per day continues to rise. However, I suspect that much of that data is unlawful sharing of binary data, such as movies, software, TV and music.

Usenet also helped give birth to actions for defamation on the internet. The most famous cases revolve around Dr Laurence Godfrey, who sued a number of internet service providers and universities who hosted usenet servers. In each case he requested that a defamatory posting be removed from the usenet server. Of course, since usenet posts are propagated across the world very quickly it is almost impossible to control them. If a usenet server is subscribed to a particular newsgroup it will simply receive all the posts.

His first action against Demon Internet Limited (Godfrey v Demon Internet Limited [1999] 4 All ER 342) was relatively novel, dealing with the "secondary publisher defence" under the UK Defamation Act 1996. Demon failed to take down a posting after being notified of its existence, and the UK High Court upheld Godfrey's argument that it ceased to be a protected secondary publisher once it was on actual notice. An excellent analysis of the British law at the time and proposed reforms can be found here. The case has been followed many times since, and formed the foundation of changes to laws all over the world.

Various organisations have attempted to archive usenet postings, including Google Groups, where I can find things I wrote in usenet from 1994 onwards, such as those celebrating the birth of my daughter, and issues using HyperCard 2.2 with Oracle 7.

So, while not being a huge user of usenet any more, I'll be sad to see its demise.

02 November 2011

Cyberspace November 2011


Web sites
You’re a (or part of) a small firm, and you’re busy. Does your firm have a web site? Can you articulate the goal of having it? Who maintains it? Who is responsible for each piece of content on it? Has the content been carefully designed so that it achieves your goals?

Web sites can have many functions: an electronic white pages so your clients can look up your contact details; a yellow pages so potential clients can find you based on your location or expertise; a place to provide information on areas of law to current and potential clients; and a portal for communication between clients and lawyers. Understanding why you have a web site will help you ensure that you have the right information on it. Let’s say that you use it to provide contact details only (and that’s a perfectly acceptable use) - does it have all your details? How about a Google map?

Have you thought about how it looks on a mobile phone? Many web sites are simply unusable on smaller screens. It’s easy to have a web site that detects the type of device in use and formats the content appropriately. For mobile pages you might take care so that on appropriate devices a user can simply tap your phone number to call, or your address to switch to maps or a GPS. Avoid large images, background images, and technologies that don’t always work well on mobiles, such as Flash.

Design

Getting some marketing and design advice will assist in getting the best out of this important marketing tool. Don’t talk to a tech person - speak to someone with a proven track record in design. Make sure it’s clearly laid out, free of clutter and uses fonts and colours that make it readable to all types of human conditions.

Consider what your core messages are, and what images (no clichéd images, please) might be appropriate to provide an attractive and appropriate presence. Don’t have an annoying landing page that does nothing except require someone to click on it - and they often cause problems on a mobile browser.

Information

If you want to give clients some basic grounding by linking to other sites, such as, say the NSW Fair Trading home page (http://www.fairtrading.nsw.gov.au), then make sure that link opens the page into a new browser window, rather than replacing your own.

What are your core competencies? Consider writing a primer for your clients to read before they come in to see you - it will help them be a better client and save you time on routine matters.

Content value

Don’t clutter the site - don’t add anything unless it has a purpose and enhances the core messages. Consider “search engine optimisation” which, although often spruiked by unsalubrious types, can be very important if you want to come up in a search “Newcastle small business lawyer.”

Diarise to review your site at least every month. Make sure all the content is owned by someone, and that they understand it is part of their job to care for it. Make it easy to add and alter content by using a quality content management system.  A CMS, whether commercial or open-source will assist in SEO, avoid technical errors and eliminate broken links.

Process

To get going: How much money and time do you want to spend? Do you need to get someone to do everything for you, or can you (recognising you’re a lawyer and not a marketer or technologist) contribute? Some people may be able to go to a reputable hosting company, register a domain name, and have a CMS running within an hour. There are many of these (eg www.dreamhost.com) who offer tools that require low-medium technical skills for a quality self-service site. You may find that a blog alone is all you need (eg: http://blog.calvin.it).

26 October 2011

iPhone location services and battery life

I've noticed that compass calibration seems to be permanently on. You can tell by enabling the indicator under System Services.

Are there any developers out there who know, technically, what happens and its effect on battery life?

19 October 2011

The law and hacking

Privacy and bad security

Recently a major superannuation fund (pension fund to those of you overseas) in Australia was "hacked" - First State Super complained to the police that Patrick Webster had told them that member accounts were easily accessible by anyone, and proved it to them.

The so-called hack was incredibly embarrassing for First State. It seems that the URL for a member to access their account simply used the member's account number! As quoted in the Sydney Morning Herald by Asher Moses:
Plenty of computer security experts have rounded on First State, not only for the heavy-handed way it treated Webster but also for failing to detect such a glaring and easily exploited security flaw. "Changing a number in a URL bar isn't even hacking ... anyone who configures their systems to work that way is negligent," said Patrick Gray, a specialist security journalist who first broke the First State story on his podcast, Risky.biz.
I think I might have written a web site using a similar technique in the first few weeks I learned to code for .NET. Who knows what First State was thinking in deploying this software if this story is true.

Privacy

The discussion that has arisen around mandatory data breach notification laws is timely. In this case First State only notified people whose account was listed by Mr Webster, but the fact was that the entire web site was flawed and it could have easily been harvested entirely by someone with a few scripting skills. Instead of blaming Mr Webster for accessing the data, First State should have blamed itself for poor security. Instead of threatening him it should have thanked him.

The letter from Minter Ellison (three and a half weeks later) apparently was a typical lawyer's job - I trust Mr Webster obtained some good advice in response. The quotations in the SMH obviously can't give the full picture of what has gone on, but there's a flavour that First State are more interested in having a crack at Mr Webster than looking at their own failings. What First State should be doing is not worrying so much about Mr Webster deleting any data (and goodness, if he was going to misuse it or sell it it would have been long gone after three weeks) - it should be setting out to prove to its customers that no-one else has done it (a serious criminal isn't going to tell First State they've done it), and offering them free identity theft monitoring.

I'm pleased to see that the NSW Privacy Commissioner is going to take a look at this case - particularly since the limited notification by First State was not acceptable in his opinion.

Is hacking a crime? 

By way of example, the Criminal Code 1995  (Commonwealth) doesn't deal with hacking - it deals with unauthorised access to data. The Crimes Act 1900 (NSW) also deals with unauthorised access to data. Section 308B defines it as
access to... data... is unauthorised if the person is not entitled to cause that access...
It gets interesting when you read s 308H. It says (my paraphrase):
A person who accesses restricted data, and knows the access is unauthorised, and does it intentionally is guilty of an offence. (Max penalty 2 years imprisonment).
But did Webster access restricted data?

Restricted data is defined by s 308H (3) of the Act to be:
data held in a computer, being data to which access is restricted by an access control system associated with a function of the computer.
Is it possible to say that First State had restricted access using an access control system? It's a pretty close call, and strongly arguable that they didn't.

Rather than an access control system we probably actually have a data access system inherent in software for extracting data from a database and displaying it through a web server. I'll make a few assumptions here:
  • Mr Webster logged in - presumably using his own account;
  • which set a session cookie or other session identifier allowing him to use the web site; 
  • he typed things into the URL box in his browser;
  • that data was parsed by normal operation of the software, put into a SQL query, and the results returned. 
That's not access control - that is just how simple web applications work.
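The four assumptions above describe a pattern worth seeing in code, so here is an added illustration (my own, with a hypothetical schema and constructed rows; not First State Super's software). The flawed version checks only that the visitor has a session, then shows whichever account number the URL names, which is exactly the "change the number in the URL bar" problem in the article. The fixed version derives the account from the session and refuses any URL that asks for a different one; that check is the access control the flawed version lacks. Both use a parameterised query, because the issue here is authorisation, not SQL injection.

```python
import sqlite3
from typing import List, Optional, Tuple

# Added illustration; hypothetical member table with constructed sample rows.

SESSIONS = {"cookie-for-webster": 1001}   # constructed: session id -> member id
AUDIT_LOG: List[str] = []                  # where mismatches get recorded


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE member (id INTEGER PRIMARY KEY, name TEXT, balance REAL)")
    db.executemany("INSERT INTO member VALUES (?, ?, ?)", [
        (1001, "member A (constructed)", 12000.0),
        (1002, "member B (constructed)", 55000.0),
    ])
    return db


# --- The pattern the assumptions describe: a login wall, then the account
# number from the URL goes into the query unchanged. Any logged-in member can
# therefore read any other member's row.
def account_page_flawed(db: sqlite3.Connection, session_id: str,
                        account_from_url: int) -> Optional[Tuple]:
    if session_id not in SESSIONS:
        return None                      # "logged in?" is the only check
    return db.execute("SELECT id, name, balance FROM member WHERE id = ?",
                      (account_from_url,)).fetchone()


# --- With an access control: the account served is the one bound to the
# session. A URL naming another account is refused and written to the audit
# log, which is also the signal a detection team would want to alert on.
def account_page_fixed(db: sqlite3.Connection, session_id: str,
                       account_from_url: int) -> Optional[Tuple]:
    member_id = SESSIONS.get(session_id)
    if member_id is None:
        return None
    if account_from_url != member_id:
        AUDIT_LOG.append(f"session for member {member_id} requested account {account_from_url}")
        return None                      # respond 403/404 in a real server
    return db.execute("SELECT id, name, balance FROM member WHERE id = ?",
                      (member_id,)).fetchone()


def compare(account_from_url: int) -> Tuple[Optional[Tuple], Optional[Tuple]]:
    """Same logged-in session, same URL: what the flawed and fixed pages each return."""
    db = build_db()
    return (account_page_flawed(db, "cookie-for-webster", account_from_url),
            account_page_fixed(db, "cookie-for-webster", account_from_url))


if __name__ == "__main__":
    print(compare(1001))   # both return member 1001's own row
    print(compare(1002))   # flawed returns member 1002's row; fixed returns None
    print(AUDIT_LOG)
```

The difference between the two is a single comparison, which is why security people reacted as they did: there is no clever bypass involved, only a check that was never written.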

So, if Minter Ellison actually told Mr Webster that he had breached various pieces of criminal legislation, they probably want to have a good look at themselves.

An example which borders on access control is someone who gets a new home internet router, such as a D-Link, and turns it on leaving the well-known admin username and password of admin and password. Is that an access control system? It's a little sturdier than a URL with an account number, but it's still fundamentally flawed.

If First State Super used a master password of "password" would that be an access control system? For a security consultant neither an account number in the URL nor an easily guessed password would be considered an access control system of any commercial value.

Why is all this important?

The law, if misunderstood by ill-informed people, makes it an offence to poke around your bank's or anyone else's web site to see how good their security is. If an account number in a URL is an "access control system" then it becomes a free-for-all for the baddies, because the goodies can't look. Luckily that is probably not the case.

Worse still, if you live in the USA you might run foul of the DMCA, where even the most hopeless access control system has been used to prevent competitors from producing rival compatible products, such as garage door openers.

11 October 2011

Voice control on the iPhone

I've been a fairly happy user of voice control on my iPhone 3GS and later the iPhone 4. I only use it for making calls, but it's very accurate both holding the phone and via the Bluetooth in the car.

Writing text and emails via Bluetooth would be nice, but I found the Dragon products didn't work well with an Australian accent.

The iPhone 4S will have much more, but I've found Vlingo (http://www.vlingo.com/) and it is better than I thought it might be. You can draft emails and SMS as well as a few other things. It's not perfect, and deeper integration into the system a la the 4S would be better, but it's an acceptable substitute.

Mythbusters duo to host Discovery documentary on Jobs

Macintosh News Network report:

"Mythbusters duo to host Discovery documentary on Jobs:
Entertainment Weekly has revealed that the Discovery network is assembling a documentary on the life of Steve Jobs, co-hosted by Adam Savage and Jamie Hyneman, the duo behind the popular show "Mythbusters."
An interesting choice of presenters... but what will be more interesting is who the researchers and scriptwriters will be!



29 September 2011

Lots of old re-posts

You may have seen a lot of re-posts lately - I have moved the management of my blogs from my old Google account to another. You shouldn't see any difference (although I'm still investigating whether RSS feeds have changed).

The address of this blog is http://blog.calvin.it, but you can also get here using the old address http://blog.calvin-au.com. If you're interested in our holiday travels, keep an eye on http://holidays.calvin.it from time to time. You can always email me at andrew@calvin.it.

While discussing the blogs, I've been interested in the new dynamic templates that Google has released. I'd like to use one for this blog, but they lack a few features such as the right-hand column. Maybe one day... but in the meantime you can see the templates on the calvidays blog.

Thanks for reading!
Andrew

28 September 2011

AustLII for iOS - iPad, iPhone and iPod


If you haven’t tried the AustLII app for iOS yet, you should. It’s very handy for looking up legislation in particular.
See this page on AustLII or click here to download http://itunes.apple.com/au/app/austlii/id440459400

26 September 2011

Simple accounting software for lawyers

I regularly get asked (most recently by an old university colleague) about simple accounting software for lawyers - i.e. where no trust accounting is required.

  1. One question that has to be asked, unless you're a barrister, is whether you are completely sure you won't need at least something to help you with controlled monies or transit money.  See for example in New South Wales s 256 of the Legal Profession Act 2004. Your State may have other regulations. 
  2. A good starting point is to contact your professional association (Law Society of NSW, Law Institute of Victoria, Bar Association etc) and find out what other people are using. They probably won't want to recommend anything, but it is useful to know what other practitioners in your situation are doing.
  3. If you're just going into sole practice for the first time and you attend a practice management course, it's a good idea to discuss this with your fellow students and lecturers.
  4. The various law societies often examine and certify software - while this is normally only for trust account packages, you will often find that the same vendors offer other modules that will do the job for you.
  5. Be careful when purchasing cheap packages - if you want or need support one day you may not find it forthcoming!
  6. Ask your bookkeeper what he/she has used in the past, is familiar with, or can suggest.

Do you have any suggestions? Please post them in the comments.


© 2011 Andrew Calvin

Cyberspace October 2011



Facebook in the courts
A USA court recently ordered a defendant to return his Facebook page to its original, allegedly infringing, state on the grounds that there was spoliation of evidence. In Katirol Co., Inc. v Kati Roll & Platters, Inc (http://goo.gl/P5sJM) the USDC in New Jersey dealt with a claim for sanctions against the defendant, who had removed his profile picture which infringed the plaintiff’s intellectual property rights. The plaintiff issued a takedown request, and the defendant complied, but the plaintiff wanted the picture put back on Facebook so it could obtain PDFs of the evidence. The court held that the defendant had “spoiled” the evidence by modifying the Facebook pages. The defendant argued that it was a public site and the plaintiff could have PDFd the pages at any time. However, because the pages were in the control of the defendant it had a duty to preserve them for the purposes of the litigation. The pages were put back in the original state for a short time so that the plaintiff could PDF them for evidence.

In State of Connecticut v Robert Eleck (AC 31581) the Conn Court of Appeal dealt with a claim that the trial judge erred in not admitting (attacking credit) a Facebook printout documenting messages sent to him by a victim after an assault. The victim admitted that the Facebook account used was hers, but denied that the messages were sent by her. She claimed that the account had been hacked, the password changed, and she was locked out. The appeal point turned on whether Eleck could authenticate the authorship of the messages to the required standard. The court considered a similar case involving MySpace where messages were excluded due to lack of appropriate evidence.


A key point was that “we recognize that the circumstantial evidence that tends to authenticate a communication is somewhat unique to each medium.” The evidence required will differ for a telephone call, paper, email or other medium. The court held that there was insufficient evidence to connect the victim to the messages.

Who’s the defendant?
You may recall that New Zealand has enacted the Copyright (Infringing File Sharing) Amendment Act, which provides for simplified actions against internet account holders, but has the very real risk of punishing the wrong person. This was discussed in Boy Racer, Inc., v Doe (USDC Calif C-11-02329 PDG) (http://goo.gl/fnaHD). The Plaintiff (a copyright owner) used a BitTorrent monitoring tool and discovered that a computer at a certain IP address was torrenting one of its works. The Plaintiff’s lawyer stated in a court filing

“At this time, the remaining unidentified Doe Defendant ... who used IP address 173.67.109.59 to illegally infringe on Plaintiff’s copyrighted works has not been served for the simple reason that he has yet to be identified.  
While Plaintiff has the identifying information of the subscriber, this does not tell Plaintiff who illegally downloaded Plaintiff’s works, or, therefore, who Plaintiff will name as the Defendant in this case.  It could be the Subscriber, or another member of his household, or any number of other individuals who had direct access to Subscribers network.  ... Plaintiff will require further discovery in this case, including  Federal Rule of Civil Procedure 34 Request for Production of Documents and Things.  That FRCP 34 Request will specifically ask to inspect Subscriber’s computer, and all those computers that subscriber has reasonable control over/access to (my emphasis), for the limited purpose of discovering who accessed the BitTorrent protocol, entered a swarm containing a File with Plaintiff’s copyrighted video, and unlawfully downloaded it.  Of course, Plaintiff’s discovery will stop there” 

I couldn’t say it any better.


© 2011 Andrew Calvin

Guess where the programmer lives?

This is an app from SAP showing a map of Sydney. In the right-middle can you see the one street out of the many thousands in Sydney that has a name? :-)

09 September 2011

Navigation on iOS with Tom Tom live traffic

I've been a fairly happy user of Tom Tom Australia (and Europe) for some time. I'm pleased that we'll see an iPad native version soon, and live traffic recently came to Australia.

I subscribed to the traffic service for a month ($9) to see if I would take it for a year. Sydney traffic is pretty nasty, particularly on weekends, and I had high hopes.

They were dashed. I was in heavy traffic in Pymble for quite some time last Sunday without a peep from the Tom Tom. However, Google Maps showed it (for free).

In all, it was sometimes helpful, but if Google can do it for free then Tom Tom should do better.

© 2011 Andrew Calvin andrew@calvin.it

31 August 2011

Cyberspace September 2011

Also published in the Journal of the Law Society of New South Wales

What about the children?


Software licences are usually long, poorly drafted and unreadable. A lot of this is in an attempt to protect the author from liability which is never likely to arise. However, there are other hazards for them... The USA has the Children's Online Privacy Protection Act, which prohibits collection of email addresses from children under 13. You may be aware that Facebook prohibits children under 13 from using its product to avoid COPPA issues. However, a number of iOS (iPhone, iPad, iPod etc) applications have collected email addresses from kids, and W3 Innovations has just paid the Federal Trade Commission $50,000 as a result.

This is by no means a first for the FTC, but it reinforces the need to: think globally when writing software; consider that there are different requirements for users of various ages; and consider other diversity issues. More importantly, the FTC considers that it applies to any website from anywhere in the world which is directed at USA children. http://www.ftc.gov/privacy/coppafaqs.shtm

FOI Twitter


The UK body responsible for FOI has made it clear that applications can be submitted to government bodies via Twitter. The Information Commissioner's Office http://goo.gl/EuMLR said that "While Twitter is not the most effective channel for submitting or responding to freedom of information requests, this does not mean that requests sent using Twitter are necessarily invalid. They can be valid requests in freedom of information terms and authorities that have Twitter accounts should plan for the possibility of receiving them." It is important that the request comply with the Act, such as using a real name. Since that occurs rarely on Twitter the ICO said that it is sufficient for the user's Twitter profile to have the required information.

Section 15 of the Freedom of Information Act 1982 (Cwlth) http://goo.gl/Nq8Ho allows for a request to be made in writing, giving details for notices such as an electronic address, and for it to be made by sending it by electronic communication to an electronic address specified by the agency. I'd have to say that a request via Twitter can satisfy all those requirements, especially with the obligation on the agency under s 15(3) to assist in making a compliant request. I look forward to hearing about the first one.

Tips & tricks

  1. IP Australia has released a simple tool to assist in choosing business names (http://goo.gl/Ggjje). It can assist in the early stages of branding development by helping to rule out some names.  
  2. The Australian Business Number lookup (http://goo.gl/XXeQ8) has a new interface, and also makes it easier to cross check details on ASIC's site. This is a great way to check an ABN, ACN, business name or company name. With a little interpretation it can also alert you to when you're dealing with a trustee, so you can make the appropriate contractual amendments, or whether a business is registered for GST.
  3. Legify (http://legify.com.au) is a great way to quickly look up Australian legislation and regulations.  
  4. My current favourite iOS applications are TuneIn Radio, TripIt, TripView, Evernote, GoodReader, ShopShop, Remember the Milk, Roboform, Tom Tom Australia, Collins English-French Dictionary, LogMeIn Ignition, Mocha RDP and Bloomberg.


Unsocial networking


The English Crown Courts have been busy sentencing prisoners for their roles in the London riots. A number of these were for using Facebook to incite rioting, and they received four years imprisonment. The Crown Prosecution Service (http://goo.gl/DPgrX) said that they were convicted under ss 44 and 46 of the Serious Crime Act 2007 for using "Facebook to organise and orchestrate serious disorder...". The pages were quickly closed and no riots occurred as a result, and the defendants were previously of good character, but the pages caused panic and revulsion in the community.

First published by Andrew Calvin andrew@calvin.it

© Copyright 2011 Andrew Calvin, Sydney, Australia

18 July 2011

Cyberspace August 2011

Managing foreign evidence


There are war crimes trials all over the world at present, and the United Nations teams that support them have a difficult job supporting them in multi-language proceedings. IDC recently wrote a paper (http://www.idc.com) on how the UN supports millions of documents in many formats and many languages. A litigation support system must meet the UN’s rules as well as other standards such as the local law, rules, and regulations.

Trials of Milosevic, Karadzic and Mladic set the scene for processes to support these complex and very lengthy trials, with legal teams from many countries. Not only was the evidence in several languages, but it also had to be free-text searchable and made available in other languages. The Yugoslavian trials have used over 13 languages.

What’s so hard? Free-text in multiple languages is challenging, because the system needs to understand that words spelled the same may mean very different things, and word-stems that you think might work just won’t. A library in French is a bibliothèque, whereas a librairie is a bookshop. Caution in French can mean bail; and chair in French means flesh. During war crimes trials these things can cause grave confusion. But these are basic problems - when you have millions of documents from many sources it is important for a system to understand if the word is being used as a noun or verb, and to know that Mr Black is not a colour. We haven’t even considered the difficulties arising from Eastern European character sets such as Cyrillic.

There are other issues - quite often the evidence in such trials is from the media - newspaper reports and television footage. This material must be carefully managed, made available to legal representatives, and a chain of custody ensured so that there can be no allegations of tampering.

The Yugoslavian trials used products by ZyLAB, who have a small presence in Australia but are not well known in the litigation support space. The IDC paper reported that the same free text search results could be achieved querying in multiple languages, and the various types of professionals working on matters had customised workspaces. The paper doesn’t cover this, but I imagine in such cases there will be prosecution and defence lawyers, military, law enforcement, anthropologists and others who all need varying levels of access to this information.

Security


Do you like using your smart phone or iPad on the bus? Of course you are careful to hide the keyboard when entering a username or password,  but that may not be enough. According to The Unofficial Apple Weblog a jailbreak app for iOS allows your seat-mate to aim the camera at your device and look for the slight blue glow on the virtual keyboard after typing. It can then reassemble the username and password.

The Cloud...


Dropbox is a popular application that will synchronise the contents of folders between many computers, mobile phones and tablets. It’s tempting to use it as the filing system for a small firm where the principal is on the move and needs documents. However, Dropbox recently accidentally turned off its password authentication system for four hours, and it has also been disclosed that your documents are not fully encrypted on their servers. In other words, they can provide your documents to others under subpoena. So much for that part of the cloud.

On the topic of the cloud, an iPad app idocument REVIEW (http://goo.gl/wK2rm) offers you the chance to review discovery on your iPad from the cloud while biding your time in the registrar’s list. I’ve not used it, but it seems that you upload your documents to the vendor, who processes them, and you then sync them to your iPad. You then review the docs on the iPad, and upload a datafile back to the vendor when you’re done. It might even be therapeutic.

21 June 2011

Australian web host Distribute.IT hacked

The Sydney Morning Herald has reported (http://www.smh.com.au/technology/security/4800-aussie-sites-evaporate-after-hack-20110621-1gd1h.html) that Distribute.IT has irretrievably lost the data for 4,800 web sites hosted on its infrastructure.

I have no idea if this is accurate, but we can easily examine some possibilities...

There are many ways to back up these days, and a popular way is to use "snapshots" which capture (on the initial snapshot) a copy of the data, and on subsequent snapshots only the delta (or changes) are snapped. This is very quick and involves no downtime. Many snapshots can be kept and restores can be instant.  Many storage network providers such as NetApp work in just this way. The primary backups are on spinning disc and it's fast and convenient.

However, prudence suggests that a belt and braces approach is best. Normally an enterprise will have a primary data centre and a redundant data centre at a separate physical location. If one centre loses power or collapses in a heap due to storage or networking issues, the redundant centre comes on-line. Since they are on separate subnets and likely to be firewalled, a hack on one centre won't affect the other. Controls can also be put in place to prevent automatic mirroring of more than a certain percentage of changes without human intervention.

So, snapshots provide a great first line of defence, but there is no substitute for disconnected storage. Even Google uses tapes to back up data, as shown in some recent Gmail outages. It doesn't have to be tape, but either way you have disconnected storage, stored off-site, that can't be affected by a hack or a fire. A weekly offline backup in combination with two-hourly snapshotting would seem to be an enterprise grade approach to Disaster Recovery.
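The "don't mirror more than a certain percentage of changes without a human" control mentioned above is the sort of thing that stops a trashed primary centre from being faithfully replicated to the redundant one. Here is an added example of such a mirroring guard (my illustration, not code from Distribute.IT, NetApp or any other vendor): snapshots are represented as maps of path to content hash, the delta between two snapshots is computed, and replication is held for review when the change rate, and especially the deletion rate, is implausibly high. The hosted-site tree and the thresholds are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Delta:
    """What changed between two snapshots given as {path: content_hash}."""
    added: frozenset
    removed: frozenset
    modified: frozenset

    @property
    def changed(self) -> int:
        return len(self.added) + len(self.removed) + len(self.modified)

def fingerprint(files: dict) -> dict:
    """Snapshot a {path: bytes} tree as {path: sha256} so edits show by content."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}

def compute_delta(prev: dict, curr: dict) -> Delta:
    """The delta a snapshot-based mirror would ship to the redundant centre."""
    common = set(prev) & set(curr)
    return Delta(added=frozenset(set(curr) - set(prev)),
                 removed=frozenset(set(prev) - set(curr)),
                 modified=frozenset(p for p in common if prev[p] != curr[p]))

def mirror_decision(prev: dict, curr: dict, max_change: float = 0.10,
                    max_removed: float = 0.02) -> tuple:
    """Return ('mirror', delta) or ('hold', delta) for human review.
    Deletions get a tighter threshold than overall churn: a working day adds
    and edits far more than it deletes; trashed servers delete nearly all."""
    delta = compute_delta(prev, curr)
    base = max(len(prev), 1)                      # avoid dividing by an empty tree
    if len(delta.removed) / base > max_removed or delta.changed / base > max_change:
        return "hold", delta
    return "mirror", delta

def hosted_sites(n: int = 100) -> dict:
    """Constructed sample data (hypothetical paths): n hosted sites, one file each."""
    return {f"/srv/www/site{i:03d}/index.html": f"<h1>site {i}</h1>".encode()
            for i in range(n)}

if __name__ == "__main__":
    baseline = fingerprint(hosted_sites())
    busy_day = hosted_sites()                     # three edits plus one new site
    for i in range(3):
        busy_day[f"/srv/www/site{i:03d}/index.html"] = b"<h1>updated</h1>"
    busy_day["/srv/www/site100/index.html"] = b"<h1>new</h1>"
    trashed = {p: c for p, c in hosted_sites().items() if "site099" in p}
    for label, tree in (("busy day", busy_day), ("servers trashed", trashed)):
        verdict, d = mirror_decision(baseline, fingerprint(tree))
        print(f"{label:16s} -> {verdict:6s} +{len(d.added)} -{len(d.removed)} ~{len(d.modified)}")
```

The guard only buys time for a human to notice; it is a complement to the disconnected, off-site copy, not a replacement for it.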

What's Disaster Recovery? Just that. If you have a disaster, you can recover. What's an example of a disaster? Let's see, maybe a hacker getting in, trashing your servers, your SAN and your snapshots? What's your plan to recover from that? My corporation does very real, very detailed DR tests and they are audited. DR is a real problem, and there are real solutions.

If you did your tape or other offline backup weekly, you may lose up to a week's work, but that's better, way better, than nothing.

Now we also need to consider the terms of service between Distribute.IT and its clients. I have not seen it, but it is common to see any or all of the following clauses:

- disclaimer for any indirect or consequential loss arising out of system unavailability;
- limitation of liability to the equivalent of one year's hosting fees or re-supply of the services;
- disclaimer for any direct losses.

These all mean that customers will have minimal recourse to the web host, and even more so if it goes out of business. You might check whether your web host is appropriately insured for events like this, and you should have a chat with your broker about your own insurance. Business interruption insurance may not cover something like this, so you need to treat your web site like a core business asset - just the same as insuring your factory or buildings.

Andrew Calvin
andrew@calvin.it