
Clips December 3, 2002




ARTICLES


Judge Orders Madster to Pull the Plug
Digital copyright trial opens in S.J.
Brokerage Firms Fined $1.6 Million
Content discontent - Colleges shocked to discover servers helped speed porn, gaming sites
FTC Settles Fake Web Case for $300,000
OMB finds security leverage
Infiltrating agency ops
E-gov agenda takes shape
New opportunities for NIST
Homeland agency charged with outreach
Navy taps service's e-gov advocate as new CIO
Homeland defense commander stresses 'need to share' information
New Jersey's CIO resigns
Parents, athletes put GPS to work
A Move to Muzzle E-Mail



*****************************
Los Angeles Times
Judge Orders Madster to Pull the Plug
By Jon Healey
December 4 2002

Stiffening the pretrial restraints he imposed in October, a federal judge has ordered the operator of the Madster file-sharing service to disable all computers he controls and pull the plug on his Internet services immediately.

U.S. District Judge Marvin E. Aspen issued the order after Madster, formerly known as Aimster, did not comply with his earlier injunction against piracy on its system. The major music and movie firms are suing Madster creator John Deep and the firms he controls in Troy, N.Y., for alleged copyright infringement.

Aspen said the restraints, which he applied Monday, would remain in place until Dec. 22. He also scheduled a hearing Dec. 19 to determine whether to find Madster in contempt for failing to comply with the October injunction.
*****************************
Mercury News
Digital copyright trial opens in S.J.
By Howard Mintz


A San Jose jury Tuesday was given two starkly different images of the small Russian software firm at the heart of a precedent-setting test of a controversial federal copyright law.

During opening statements in U.S. District Court, federal prosecutors depicted Moscow-based ElcomSoft as a digital pirate out to undermine a popular copy-protection scheme sold by Adobe Systems. They said ElcomSoft deserves to be the first defendant charged with violating the criminal provisions of the 4-year-old Digital Millennium Copyright Act.

``This case is about selling a burglar tool for software in order to make a profit,'' Assistant U.S. Attorney Scott Frewing told jurors.

But ElcomSoft's lawyers offered an alternate theory on the first day of a trial being closely watched by cyberlaw experts. When the trial is over, ElcomSoft attorney Joe Burton promised, the jury will view ElcomSoft as just another Internet entrepreneur that believed it was marketing innovation, not violating U.S. law.

``This case is about two companies, a new software industry and a new law,'' Burton said. ``ElcomSoft and Adobe were both companies that believed in good faith that the actions they took were appropriate, proper and legal.''

Prosecutors have accused ElcomSoft of illegally selling a software program that allowed users to copy and distribute electronic books protected by Adobe's eBook Reader. E-book retailers including Amazon.com and Barnesandnoble.com rely on Adobe's program to control sales and distribution of e-books.

Attracting attention

The case has attracted widespread attention since July 2001, when federal agents arrested Dmitry Sklyarov, an ElcomSoft programmer, at a Las Vegas conference where he was praising the company's technology. Prosecutors broke new ground by charging Sklyarov and ElcomSoft under the DMCA, a law that has been criticized by Internet rights groups and academics who warn that it is overly broad and threatens the free flow of information in cyberspace.

U.S. District Judge Ronald Whyte, in a decision that could have major implications for the copyright law in future cases, has upheld the constitutionality of the DMCA. The law was enacted to stiffen copyright protections for a host of industries worried about the Internet's impact on their ability to prevent computer piracy.

The government dropped charges against Sklyarov, but he is expected to be one of the star witnesses during the trial, and may testify as early as Thursday. The company, if convicted, could face millions of dollars in fines. It earned only several thousand dollars from the product at issue.

Alexander Katalov, ElcomSoft's chief executive officer, also is expected to testify. He declined through his lawyer to discuss the trial.

In remarks to the jury Tuesday, Frewing outlined the case in simple terms, saying ElcomSoft ignored warnings from Adobe in June 2001 that it was marketing a product that undermined U.S. copyright protections. Frewing told the jury that the sole purpose of the ElcomSoft program, which unscrambled the encryption codes in Adobe's software, was to allow illegal copying of e-books.

Legitimate tool?

But Burton, ElcomSoft's lawyer, insisted that ElcomSoft openly marketed the program because the company considered it a legitimate tool for e-book customers to gain more flexibility in using what they bought. Burton said there is no evidence that anyone used ElcomSoft's program to copy and distribute e-books illegally.

The jury, to convict ElcomSoft, must find that the company intended to skirt federal copyright laws.

The government's first witness in the case was Thomas Diaz, an Adobe official involved in developing the eBook Reader. The trial resumes today with his testimony.
******************************
New York Times
December 4, 2002
Brokerage Firms Fined $1.6 Million
By GRETCHEN MORGENSON


Regulators fined five of the nation's largest brokerage firms yesterday for failing to preserve internal e-mail communications as required under securities laws.

The Securities and Exchange Commission, NASD and the New York Stock Exchange announced joint actions against Deutsche Bank Securities; Goldman Sachs; Morgan Stanley; Salomon Smith Barney; and U.S. Bancorp Piper Jaffray. Each firm was fined $1.65 million and was told to review procedures to ensure that record-keeping practices comply with regulations in the future. All the firms settled the actions without admitting or denying the accusations.

The fines, which total $8.25 million, are the largest ever in a record-keeping case, regulators said.

"The message here to our member firms is the form of the communications doesn't matter, it's the substance," said Barry Goldsmith, executive vice president for enforcement at NASD, "and that the rules requiring broker-dealers to keep those records apply to e-mails and will be enforced."

Securities laws require that brokerage firms preserve electronic communications related to the business of the firm for three years. Such messages must be kept in an accessible place for two years.

But during the investigations into analyst practices on Wall Street and the firms' allocation of hot new stock offerings to favored clients, securities regulators began to see how haphazard the retention of e-mail messages was at some brokerage firms.

For example, regulators found that some firms discarded, recycled, or wrote over the e-mail tapes that should have been kept, sometimes after less than a year. While some firms relied on their employees to preserve copies of their e-mail messages on their computers' hard drives, there were no systems in place to ensure that the e-mail messages were in fact maintained. In some cases, the hard drives of computers used to preserve e-mail messages were erased when an employee left a firm.

In recent years, securities firms have argued to regulators that retaining e-mail messages is too onerous and that it is unclear which messages have to be kept. The firms have also been lobbying Congress to exempt e-mail messages from the records that must be maintained under securities laws. But the S.E.C. reaffirmed its position in November 2001 that e-mail messages are among the documents that must be preserved.

Stuart Kaswell, general counsel of the Securities Industry Association, said in a statement yesterday: "We hope this settlement paves the way for a final resolution to the record-keeping challenges that are currently confronting the industry. These challenges include clarifying the vague `business as such' standard applicable to communications so as to more precisely define which internal e-mail communications a firm must retain."

But several regulators rejected any notion that the law was imprecise. Linda C. Thomsen, deputy director of enforcement at the S.E.C., said, "Everyone is free to try and change the existing law, but until it is changed you are obliged to comply with it."

One person involved in the investigation said: "What was disturbing here was not that someone made a good faith determination of a rule and was maybe wrong in how they interpreted it. They didn't like the rule and they were talking about changing it and in the meantime they just did not comply."

Regulators involved in the case were careful to say that the brokerage firms had failed to comply with the law, not that they had deliberately destroyed documents. But the regulators said cases would be brought against firms if evidence of the destruction of e-mail messages surfaced in any of the continuing Wall Street investigations. Intentional destruction of e-mail messages could result in suspension or expulsion from the securities industry.

All five firms said they were pleased to have resolved the matter. A spokeswoman for Salomon said, "This settlement resolves a complex regulatory issue that has been the subject of much discussion with regulators in recent years."

A Piper Jaffray spokeswoman said that while the firm did retain large volumes of e-mail messages, its retention procedures were deemed inadequate.

Andrew S. Duff, the president and chief executive of Piper Jaffray, said, "We are confident that our current e-mail procedures and enhanced software fully meets all of the regulatory requirements for e-mail retention."

A Deutsche Bank Securities spokesman said the firm was improving its systems to ensure future compliance.
*****************************
Boston Globe
Content discontent
Colleges shocked to discover Akamai servers on campuses helped speed porn, gaming sites
By Peter J. Howe, Globe Staff, 12/4/2002


Akamai Technologies, the Cambridge Internet company, is using server computers installed on networks at university campuses to help deliver content for teen-pornography Web sites and offshore gambling sites whose legality is in question.

Under a partnership intended to give schools faster, cheaper Net access while they defray some of Akamai's operating costs, Akamai has installed devices to speed delivery of Web sites to millions of Net users at schools including the Massachusetts Institute of Technology, the University of Massachusetts, Babson College, Brown University, Dartmouth College, the University of Vermont, and Wesleyan.

Besides carrying content from Web sites such as Boston.com and CNN.com, research by the Globe found that the on-campus computers are also storing images for many explicit porn sites. The campus servers are also in many cases speeding content from gambling sites such as casinoonet.com and playbigcasino.com that have located their main computers outside the United States because many state and federal prosecutors expect the sites violate US and state laws, although their legality has not been fully established.

Officials at several schools said they were surprised to learn the servers on their campuses were being used this way and were looking into whether these types of content violated the terms of their contracts with Akamai.

Babson spokesman Michael Chmura said last night the Wellesley college was assured by Akamai that it was winding down its business with porn and gambling sites.

''We're going to monitor them to see if they do get out of these contracts. Hopefully, they will, and if they don't, we will ask them to remove the servers,'' Chmura said. ''We don't want to have them here with that kind of content, and we don't want to do business with them if that's the kind of content they're going to have on these servers.''

James D. Bruce, vice president for information systems at MIT, one of Akamai's earliest business partners, also said he had not known about the porn or gambling sites.

''I'd prefer it not be here, if I knew a way to filter out things that are inappropriate, but it gets us into the whole First Amendment issue, which is very slippery,'' and also runs up against MIT's commitment to the free exchange of ideas.

Rosio Alvarez, associate chancellor for information technologies at UMass-Amherst, said officials there were investigating ''information about possible objectionable material being facilitated through the campus's network.''

Alvarez said UMass officials were examining ''the terms of our contract with Akamai to determine whether there have been any violations of campus policy,'' but noted: ''As a campus, the university maintains an open network, and does not monitor or control content.''

Akamai spokesman Jeff Young said yesterday that pornography and gambling sites each represent no more than ''a fraction of 1 percent'' of Akamai's more than $100 million in annual revenue.

Young said Akamai is winding down its contracts with the gambling sites and is not actively seeking new business from what he called ''adult content sites,'' including one that advertises ''the Web's youngest teen girls'' in sex acts.

Akamai, which was founded in 1998 and once was one of the stars of the local Net boom, operates a global network of more than 12,000 servers that speed the delivery of Web content by storing it closer to Web surfers. Akamai has servers on 1,100 networks in the United States and 65 countries.

Instead of going through a half-dozen Web connections to download content that may originate several states or countries away, the Akamai service stores frequently downloaded content on thousands of widely distributed machines so users get it on their computers more quickly.

To a larger extent than most of its competitors, Akamai uses servers installed in college, university, and school district computers as part of that network, serving both students and computer users outside the universities.

The upside for the schools is that on-campus users get much speedier access to Web sites, and the schools can save thousands of dollars by paying for much less ''bandwidth,'' or Internet traffic capacity, to connect to the Net.

Issues about what kinds of content are being delivered from public and private higher-education networks by Akamai were raised with the Globe by Internet industry sources who have both moral concerns and in some cases financial ties to companies that compete with Akamai. The sources asked not to be identified.

Kurt Schwartz, chief of the criminal bureau in Attorney General Thomas F. Reilly's office, said the issue of whether it is illegal for Massachusetts residents to do business with online gambling sites is an unresolved question.

Three Massachusetts laws appear to cover the issue of online gambling. But one state law banning the use of telephones to register bets has not been tested in court to see whether it applies to the Internet, Schwartz said.

Stressing that he was speaking in general terms and not specifically about Akamai, Schwartz said: ''As part of a criminal case, you would have to prove that the defendant was keeping a place with apparatus for registering bets. We would have to look and see what was on the computer here in Massachusetts.''

Akamai's Young said the company does business with only three gambling sites, which operate under multiple names, and in each case it only delivers images and text for the sites, which makes them work more speedily for online gamblers. ''We do not and have not ever operated any online gaming transactions'' such as credit-card charges or payoffs on winnings, Young said.

Chad Couser, a spokesman for Cable & Wireless, a London-based global telecom company that is one of Akamai's biggest competitors in Web content delivery, said his company does not think it serves any gambling sites.

''That's not a customer base that we would actually go after'' because of the legal issues involved, Couser said. Couser said C&W thinks there is a ''0.1 percent chance'' that it handles any traffic from pornographic sites.

Young said that ''we really are just like any telecom company'' including a phone company that lets people call sexually explicit 900 numbers. ''We're just a delivery mechanism. It is true that we deliver some adult content and some gaming content, but we no longer pursue this type of business, and we are not renewing these contracts'' as they expire. Also, Young noted, Akamai does not ''push'' content to users but makes it more readily available based on which sites Web surfers connecting to its servers have been visiting recently.

Young said Akamai has refocused its business on large corporations, government accounts, and the 250 most frequently visited Web sites. In the first nine months of this year, it reported a net loss of $148.8 million on sales of $109.6 million, as revenues have dropped 13 percent from last year. Akamai shares, which traded over $300 two years ago, have plummeted to a closing price of $2 yesterday.

Some universities said that regardless of issues about porn and gambling Web traffic, they have been pleased with their relationship with Akamai, under which many of them pay for the cost of powering and operating the servers Akamai uses.

Justin Harmon, a spokesman for Wesleyan, said: ''They make it easier for our students and faculty to access sites like CNN.''

MIT's Bruce said with a network that handles 1 million ''page views'' every day, having Akamai servers on MIT's network ''helps us keep the total amount of bandwidth going out of this place down,'' which saves MIT considerable sums on the cost of Net access.

''I'm not sure that even if we were extremely conscientious about trying to know who Akamai's clients were, we would have to go back to them on a regular basis, every month or every week, to know exactly what content was on the site. I just don't know how anyone could practically do that.''

Peter J. Howe can be reached at howe@xxxxxxxxxx
*********************************
Government Computer News
FBI continues push to improve records management
By Wilson P. Dizard III

To get a grip on its files, the FBI is busy converting 750,000 documents a day to a common electronic format.

The bureau is scanning its records at a facility dubbed the DocLab. The DocLab uses a dirty optical character reader process, as opposed to a corrected OCR process, to speed up operations, said William L. Hooton, assistant director of the FBI's new Records Management Division.

"We just don't have the time right now to do very high-quality OCR," he said.

The purpose of scanning the records is to create databases to which the bureau can apply data mining techniques, Hooton said.

"We need to figure out how to manage our case files effectively," he said. "We have no real, in my opinion, records management system at the bureau."

The FBI plans to conduct an inventory of its records, he said, and separate them into three groups: records to be destroyed, records that haven't been requested in the last five years but must be kept, and records that have been requested in the last five years. The second group of records will be stored in offline systems, while the records used most recently will be housed in the Records Management Application system that the division is building.

The FBI in the spring consolidated almost 1,000 employees into the Records Management Division, bringing together staffs from 22 organizations to form the largest division at bureau headquarters.

The massive records effort came in response to criticism of the FBI's management of evidence. At Senate hearings early this year, the Justice Department's inspector general lambasted the bureau's record-keeping.

Hooton described the project at a recent meeting of the National Capital Chapter of the Association for Information and Image Management in Arlington, Va.
*******************************
Associated Press
FTC Settles Fake Web Case for $300,000
By DAVID HO, Associated Press Writer


WASHINGTON (AP) - Four companies agreed to repay customers a total of $300,000 to settle federal charges that they sold fake Internet addresses ending in ".usa" with an advertising campaign pegged to the Sept. 11 terrorist attacks.



The Federal Trade Commission said Tuesday that the companies TLD Network Ltd., Quantum Management Ltd., TBS Industries Ltd., and Quantum Management U.S. Inc. last year jointly sold Internet domain names ending with ".brit" and ".scot." After Sept. 11, the companies began an e-mail campaign advertising ".usa" domain names, with statements such as, "Be Patriotic! Register .USA Domains."


The FTC said the ".usa" domain names are not usable over the Internet and probably never will be. Many new Internet suffixes have joined the familiar ".com," ".net" and ".org," but not the names sold by the four companies.



The settlement bars the companies, primarily based in London, from deceptive promotions involving domain names and from selling their customer lists, the FTC said.



An attorney for the companies did not immediately return calls seeking comment Tuesday. By settling, the companies don't admit breaking any law.



The FTC complaint, filed last February with the U.S. District Court for the Northern District of Illinois in Chicago, argued the companies violated federal law by misleading consumers, many of whom purchased multiple domain names for $59 each. The FTC said the operation made at least $1 million in sales.



While three of the companies are British, they did business in the United States and are subject to U.S. law.



The government lawsuit said the companies used Web sites and advertising that looked professional and hid their location from consumers, making it nearly impossible to get refunds.



U.S. District Judge James Holderman on Feb. 28 issued a temporary restraining order that froze the companies' U.S. assets and shut down their "DotUSA" Web site.
****************************
Federal Computer Week
OMB finds security leverage
The Bush administration uses security law and funding threats to push agencies to offer security solutions
BY Diane Frank
Dec. 2, 2002


Two years ago, if someone brought up information security in a meeting of agency managers, the most likely response would have been, "The technology folks are taking care of it."

But that attitude is changing. Now, federal security experts say, even some Cabinet-level secretaries could provide details about their agencies' security policies.

Not every top government executive is so well informed, but information security clearly is a topic agency managers outside the information technology office are discussing in detail. As a result, they are no longer just discussing specific security strategies; they are also planning for them and putting them into practice, said an administration official who asked not to be named.

"Now it is all about implementation," he said.

Many experts trace the change back to the Government Information Security Reform Act (GISRA) of 2000, which requires agencies to conduct annual assessments of their security programs and strategies and submit reports to the Office of Management and Budget.

"I think it started with the requirement that the department head had to sign your GISRA report, and therefore it had to be staffed through your executive management who asked questions, who forced the business unit leaders and executives in the department to be accountable for cybersecurity," said Lisa Schlosser, assistant chief information officer for IT security at the Transportation Department.

Officials from the General Accounting Office, which has issued many scathing reviews on agencies' security practices during the years, have noticed the shift in attitude.

"All agencies had weaknesses in security program management, which can often lead to weaknesses in other control categories," said Robert Dacey, GAO's director of information security. "But at the same time, a number of actions to improve information security are under way, both at an agency and governmentwide level."

Dacey testified last month before the House Government Reform Committee's Government Efficiency, Financial Management and Intergovernmental Relations Subcommittee. At the hearing, Rep. Stephen Horn (R-Calif.), subcommittee chairman, released his latest security grades for agencies, giving the government an overall failing grade.

Dacey was cautiously optimistic about agencies' progress in securing systems. "Some of these actions may require time to fully implement and address all of the significant weaknesses that have been identified, but implementation of [GISRA] is proving to be a significant step in improving federal agencies' information security," Dacey said.

OMB's Big Stick

Federal IT security experts say agency IT managers have begun to make improvements in information security because they are focusing on security management, rather than security technology.

In the past, IT managers typically would focus on simply buying technology on an ad hoc basis to secure systems, but they learned that technology alone did not solve the problem. GISRA pushed managers to take a methodical approach to identify vulnerabilities across an organization and develop a comprehensive strategy to fix them.

In their GISRA reports, agencies must measure the performance of managers in charge of information security, the effectiveness of security training programs, the integration of security programs and the enforcement of security policies in agency contracts.

With help from those GISRA reports, OMB last winter began reinforcing a February 2000 policy as part of the fiscal 2003 budget process. According to the policy, programs will not receive funding unless "adequate" security plans are in place.

The policy had been in place, but GISRA made agency managers take notice. "This past summer, if you said 'GISRA,' people knew what you were talking about," said Sallie McDonald, assistant commissioner for information assurance and critical infrastructure protection at the General Services Administration. OMB's policy tends to get even the highest officials' attention, McDonald pointed out.

OMB's strategy forced agencies to think about security as part of a larger question of how they invest in information systems, one of the provisions of the Clinger-Cohen Act of 1996.

It has been a long struggle through both the Clinton and Bush administrations to "hitch the security program wagon to the Clinger-Cohen capital-planning train [to] tie security so tightly to the budget process that no one could ignore it and, when the opportunity came up, codify it in law," the administration official said.

Security will not improve unless agencies view it not only as one of the basic elements of any program, but also as an ongoing management focus, experts say.

"I believe that if you can demonstrate that you have a sound management strategy for cybersecurity, then you should get the appropriate funding," Schlosser said. "But if you can't demonstrate that, you shouldn't get increased funding."

OMB officials withheld fiscal 2003 funding for some IT projects, and the office is now working with agencies to straighten out the problems in their system and program designs, said Mark Forman, OMB's associate director for IT and e-government, testifying at Horn's hearing last month.

"Generally, the agencies would rather work through their security problems than not get funding, so that incentive structure seems to work," he said.

OMB is prepared to make life difficult for agencies that are not fixing existing security problems before tackling new ones.

"One of the recurring problems that we've seen is agencies' desire to invest in new IT, [but] at the same time they can't remediate legacy system problems," Forman said. "There's a trade-off to be made. We're making it very clear to the agencies that we're simply not going to fund new investments and short remediation or accreditation and certification."

OMB and agency officials have also incorporated information security into management score cards, which measure agency support for the President's Management Agenda.

Learning the Tricks

OMB may be getting involved at the front-end of agency planning right now, but agencies need to learn how to think about security measures as part of program planning, Forman said.

Some agencies have already gotten with the program. The Energy Department, for example, has included security in its Innovative Department of Energy E-Government Applications (IDEA) project, said John Przysucha, associate CIO for cybersecurity at DOE, speaking recently at a breakfast sponsored by the Bethesda, Md., chapter of AFCEA International.

Through the IDEA project, the department is investing in initiatives that demonstrate how e-government can support agency operations. Some of the 19 initiatives focus on security problems, but none of the initiatives will be successful without good security, he said.

Numerous agencies now require programs to pass through system certification and accreditation reviews, which forces program managers to focus on security upfront. It's similar to OMB's strategy: If a program fails a review, it cannot go forward.

Still, security problems will occur, despite the best planning, so agencies are working with industry to find ways to detect and respond to problems within systems and across departments.

Transportation officials recently signed an enterprise license for Foundstone Inc.'s vulnerability scanning and management solution. The department also uses Computer Associates International Inc.'s eTrust intrusion-detection system and several other companies' security products.

Now the department is working with those industry partners to bring those products together into a single, departmentwide incident-management solution.

"We're piloting that, working with industry right now to facilitate that next evolution," Transportation's Schlosser said. "The government isn't usually the leading edge on these kind of new initiatives, but in this case, we're trying to be. This is what we've challenged our industry partners to put together: Tell us, show us, integrate your point solutions so that we have a management perspective on vulnerability management and remediation."

GSA, which houses the Federal Computer Incident Response Center, has been tackling the same challenge governmentwide, developing an analysis tool that can pull together incident reports across civilian agencies.

Predicting the Future

The further agencies push into security management, however, the tougher it gets.

A good management strategy makes it easier to deploy solutions for detecting and responding to attacks. But the ultimate goal is prevention. "If you can predict what the threat's going to be and [assess] your vulnerability, you can go back to making better...and smarter investments," Schlosser said.

The FedCIRC data analysis tool is also intended to help with this effort, McDonald said.

Another boost will come from increased investments in cybersecurity research and development by the federal government.

Last month, Congress passed the Cyber Security Research and Development Act, authorizing more than $900 million during the next five years for grants through the National Science Foundation and other agencies. This will help immensely, experts say.

"Government scholarship programs that have started are a step in the right direction, but they need to be expanded over the next five years to help build the university infrastructure we need for the long-term development of trained security professionals," said Richard Pethia, director of the CERT Coordination Center at Carnegie Mellon University.

The fight has already begun to make sure that the authorization is followed with appropriations. Basic security education will require sustained attention and resources.

Agencies are working to raise the awareness of all their employees, making everyone understand that security is the responsibility of anyone who uses a computer and works on a network. More specific training for program managers and security staff is also being developed.

Online IT security training and coursework are available at the government level, Forman said. And the e-Training Initiative, led by the Office of Personnel Management, will soon incorporate additional security courses, he said.

Many security experts have spent much of their time during the past few years making the same speeches, pointing out the same problems and calling for the same fixes. The mindset is changing, but it has not changed completely. The speeches will not end anytime soon, McDonald said.

"Those of us who are out there proselytizing need to continue," she said.
******************************
Federal Computer Week
Infiltrating agency ops
BY Diane Frank
Dec. 2, 2002

Including security as a basic feature of every system and program isn't as easy as it sounds.

"Our philosophy has been and our key objective for the cybersecurity program is to improve executive management of the program by integrating [information technology] security controls into all the major business processes of the department," said Lisa Schlosser, assistant chief information officer for IT security at the Transportation Department.

This approach is outlined in a diagram that shows how all the components of the agency's security strategy build on one another, including the security management programs, technical framework and governance structure. Without any one piece, the entire structure could collapse, Schlosser said.

Building on the President's Management Agenda score cards, which grade an agency's status on e-government, financial management and other priorities, DOT and other agencies are putting security at the forefront for every manager.

"I'm a very strong believer in performance metrics and accountability through performance metrics. So, we integrated security metrics into the e-government component of the president's management score card, and that got briefed at the senior team management meetings within the department on a quarterly basis," Schlosser said. "That got a lot of visibility."

Identifying the right performance metrics is not an easy task. But agencies already are required to use the minimum metrics outlined in the Office of Management and Budget's guidance for the Government Information Security Reform Act of 2000.

Those metrics are not just for the performance of systems and programs, but also for the performance of the people overseeing them, said Mark Forman, OMB's associate director for IT and e-government, testifying late last month at a House committee hearing.

Metrics provide the best way to demonstrate that security is not just a black hole where money goes in and a solution never comes out, Schlosser said.

You've succeeded "when you can demonstrate through a strong performance measurement system that you are decreasing your risk through tracking of metrics," she said.
*******************************
Federal Computer Week
E-gov agenda takes shape
E-Government Act promotes Web standards, procurement reform, security policies
BY Judi Hasson
Dec. 2, 2002


In one of the most dramatic changes in information technology policy since the passage of the Clinger-Cohen Act of 1996, President Bush is expected to sign into law this week the E-Government Act of 2002, which lays out the rules of engagement for agencies providing information and services online.

The bill affects nearly every aspect of IT management and rules. It defines e-government and its basic parameters, from Web sites for managing crises to electronic archives and directories that give the public a road map to government information. For the first time, lawmakers earmarked money, $345 million during four years, to fund e-government programs.

The legislation also extends existing rules for security, outlines new initiatives for training the federal government's IT workforce and creates new buying rules to help drive down the cost of IT.

"It is one of the most significant pieces of legislation passed since Clinger-Cohen," said David McClure, vice president for e-government at the Council for Excellence in Government. "It covers so many angles of information that it goes beyond many of the other pieces of legislation."

The Clinger-Cohen Act aimed to end years of poor federal IT management and billions of dollars of cost overruns in IT systems development.

Rep. Tom Davis (R-Va.), who pushed for passage of many key provisions in the new bill, said the e-government act will "revolutionize Americans' relationship with their government.... The Web-savvy citizen of the 21st century is accustomed to the standard of service on commercial Web sites and will accept nothing less from government sites."

Turning Up the Volume

The bill, which comes more than a year after the Bush administration launched its 24 e-government initiatives, does not stake out new territory, federal IT experts said. Instead, it provides a formal management structure for a disparate array of e-government concepts and initiatives. "It is an accelerator," McClure said. "It really is broadening citizen interaction and access to government."

As expected, the bill calls for the creation of a permanent position in the Office of Management and Budget for an e-government administrator, appointed by the president, to develop policies related to e-government. The role is similar to the one played by Mark Forman, OMB's associate director for IT and e-government.

Some e-government projects are already under way, from e-grants to e-filing, as part of the administration's 24 e-government initiatives. But the bill will give those projects greater vitality and more velocity, according to experts.

"The e-Grants initiative is currently funded by 11 partner agencies and how the [e-gov] bill...is going to impact us will be determined by the setup of the electronic government office," said Diana King, who is detailed to the e-Grants Program Management Office at the Department of Health and Human Services.

Reflecting the revolution in online services both in the government and the private sector, the bill also imposes discipline and standards on the haphazard universe of government information on the Internet, where more than 24,000 federal Web sites reside.

One provision requires that all of the information agencies publish in the Federal Register also must be posted on the agency's Web site, where the public can more easily find it.

The bill also requires that an interagency committee develop standards establishing how government information is organized and categorized so that it can be searched electronically across agencies.

The idea is to ensure that agencies provide at least a basic level of essential information to the public via the Internet, said Melissa Wojciak, staff director of the House Government Reform Committee's Technology and Procurement Policy Subcommittee, which Davis chairs.

It also calls for building a federal Internet portal as a single point from which citizens can access all government information and services. FirstGov serves that purpose now but is not as comprehensive or user-friendly as the portal envisioned for the future, said Kevin Landy, who was involved in drafting the E-Government Act for Sen. Joe Lieberman (D-Conn.).

Owen Unangst, the e-government coordinator for the Natural Resources Conservation Service in the Agriculture Department, said the bill bolsters the USDA's Web efforts to automate certain functions.

"My agency has recognized that there's a certain part of agriculture that still needs to have a face-to-face approach, but there's definitely a growing desire to do more self-service work," Unangst added.

Buying Power

Lawmakers also used the bill to support other IT initiatives, including a long-fought effort to allow state and local governments to buy products and services through General Services Administration schedule contracts.

Davis and other lawmakers have been pushing this concept, known as cooperative purchasing, since the mid-1990s as a way to increase the volume of GSA schedule business, potentially lowering prices for federal agencies and giving state and local agencies easier access to IT products.

Davis spokesman Dave Marin said e-government transformation cannot happen without state and local governments.

"Cooperative purchasing is an invaluable tool that gives state and locals access to contracting vehicles that let them acquire the latest IT products in the world," Marin said.

Nevertheless, the verdict from states is still out on whether they want the option, according to Larry Allen, executive director of the Coalition for Government Procurement, a Washington, D.C., industry group.

Some states, he said, require that all purchases come from businesses within their borders. Others, such as North Carolina, have found that the federal schedules often "do not represent the best value," said John Leaston, North Carolina's state purchasing officer.

"Over time, our competitive bidding process has demonstrated that we can get better prices," he said.

Another Davis provision in the bill promotes the use of share-in-savings contracts, in which a vendor forgoes some upfront payment in exchange for a share of the savings realized by using an IT solution. With a five-year contract, an agency will have 10 years to pay off a vendor for services, using the money saved from more efficient solutions.

"It has the potential for having a much higher return on investment," said Chip Mather, senior vice president of Acquisition Solutions Inc. "You can really make a profit if it works."

The e-government bill, like the homeland security bill signed last week, includes two initiatives aimed at improving security. It incorporates the Federal Information Security Management Act, which extends the Government Information Security Reform Act of 2000. GISRA combined many federal security policies into one law and mandated an annual assessment to track compliance.

The two laws also give the National Institute for Standards and Technology a potentially larger role in setting security policy.

Diane Frank and William Matthews contributed to this story.
**************************
Federal Computer Week
New opportunities for NIST
BY Diane Frank
Dec. 2, 2002

Both the Homeland Security Act of 2002 and the E-Government Act of 2002 include provisions that attempt to raise the profile of cybersecurity initiatives. Central to each bill is a potentially larger role for the National Institute for Standards and Technology.

NIST has developed security guidance for years, but agencies are not required to follow it because the secretary of the Commerce Department has rarely used the authority granted in the Computer Security Act of 1987 to make NIST's standards and guidance mandatory.

Underscoring the importance of security, the e-government bill reaffirms that authority and "a lot of us hope that the secretary will use that authority more extensively than in the past," said Franklin Reeder, chairman of the federal Computer Systems Security and Privacy Advisory Board.

The bill "stresses the importance of this set of responsibilities" and could be important as NIST follows through on new requirements in both the e-gov and homeland security acts to develop and revise performance measures for agencies' security policies and programs, said Ed Roback, director of NIST's Computer Security Division.

Federal security could improve if the secretary should decide to make additional NIST guidance and standards mandatory, but such a decision could also have drawbacks, said Sallie McDonald, assistant commissioner for information assurance and critical infrastructure protection at the General Services Administration. "But you don't get people's cooperation for the right reasons," and involuntary compliance could lead to agencies just checking off another requirement box instead of using the guidelines to improve their security management, she said.
***************************
Federal Computer Week
Homeland agency charged with outreach
Security strategy at risk if coordination fails
BY Diane Frank, Megan Lisagor and Dibya Sarkar
Dec. 2, 2002


When President Bush signed the Homeland Security Department into law last week, he triggered activity on two fronts.

Internally is the much-publicized effort to bring 170,000 employees from nearly two dozen agencies into a single department, if only virtually.

Externally is the often overlooked effort to coordinate the department's work with a multitude of organizations across state and local government and the private sector. This second front, many observers say, is equally vital and equally at risk for failure.

The Homeland Security Act of 2002 highlights more than a dozen different requirements to ensure that federal agencies and their state and local counterparts have access to the information and technology they need to carry out their jobs.

The law, for example, sets up a central office led by the undersecretary of management to coordinate with state and local governments and requires the undersecretary of information analysis and infrastructure protection to develop policies and procedures for sharing law enforcement information.

It also sets up several partner organizations, such as the Homeland Security Advanced Research Projects Agency, which will support long-term technology research through grants to public- and private-sector organizations.

Yet while the act spells out the objectives, the means for reaching them is left vague, observers say. So while the intentions are admirable, the execution is a concern, they say.

"We've now spent over a year battling over what this thing should look like, moving boxes, creating new ones; now we're going to spend much more time making sure those new boxes work the way they're supposed to," said Don Kettl, executive director of the Century Foundation's Working Group on Federalism Challenges in Homeland Security.

There is no way to tell at this point, however, whether the single structure outlined in the law is the best way to make the nation more secure.

"You could do as much harm as good with a one-size-fits-all, heavy-handed approach," said Warren Suss, president of Suss Consulting Inc., an information technology consulting firm. "Execution is everything in this business."

Creating Accountability

Many instances of reorganizations in the public and private sectors have shown that creating a new entity does not guarantee new service, much less the intended results, observers say.

"Congress can say you shall coordinate or you shall be damned to hell forever, [but] that isn't necessarily going to be done," said Richard Varn, chief information officer for Iowa. "It all comes down to people and good processes and good organization and just good implementation."

Homeland security officials have the benefit of a head start, Suss said, because the Bush administration's transition team "will provide them some momentum going into this."

The administration already decided on four basic department divisions: border and transportation security; emergency preparedness and response; chemical, biological, radiological and nuclear countermeasures; and information analysis and infrastructure protection.

Clearly, the first task is bringing together the different agencies and organizations that will make up each of the divisions, such as the Coast Guard, the Transportation Security Administration and others merging to form the border and transportation security division.

But there is no assurance that the new department structure will make that task any easier than it was when the agencies were scattered across other departments.

"No matter how much you say you are going to make this one-stop shopping, this is still a huge organization with sweeping policy mandates," Kettl said.

Clear accountability structures, holding specific people responsible for ensuring first responders get everything from bulletins about possible terrorists in their area to the right technology to detect disease outbreaks, should help significantly when it comes to making coordination and information sharing happen, experts say.

"They need to have single points of accountability as well as contact," Varn said. "Someone has to have the role of being identified as the accountable person for making sure [that coordination happens]."

And progress that already has occurred could accelerate.

Some coordination and information sharing has occurred, but cultural and organizational barriers still existed, said Patrick Schambach, associate undersecretary for information and security technology and TSA's CIO.

"With accountability now going to be consolidated to a large degree in this new agency, we can start to expect real information sharing," he said.

A Need for Union

State and local agencies, which will be doing much of the day-to-day work in the homeland security fight, ultimately hope the new department will help create a single strategy for communications and information-sharing technology.

"We have not been able to address those concerns with the existing agencies, so certainly I'm very hopeful that the whole Department of Homeland Security will be able to do that," said Karen Anderson, mayor of Minnetonka, Minn., and president of the National League of Cities (NLC).

"Just the fact that those new agencies will be in one place [and] will be able to communicate with one another will be a head start for us," she said.

At all levels, one of the biggest challenges for IT leaders may be getting everyone to understand that resources for the information-sharing infrastructure are just as important as resources for vaccines and bomb-proof buildings in the homeland security effort, said Gerry Wethington, CIO for Missouri and president of the National Association of State Chief Information Officers.

"Those are all important aspects in first responder communities and public health arenas, etc., but there's also a need for infrastructure growth and expansion to accommodate information sharing," he said.

"My hope is that that's recognized at the federal level; and when they begin to put their programs together that they set funds aside to make sure that they address the technology needs that are necessary to...support homeland security," he said.

Some state and local officials also are concerned that the department will not look at homeland security technology from a national perspective, said Costis Toregas, president of Public Technology Inc., the technology division of organizations such as the NLC and the National Association of Counties.

Billions of dollars will be spent on procurement for information sharing and communications, but Homeland Security Department officials must develop a strategy to guide procurements based on needs and capabilities at all levels, Toregas said.

***

A federal agency, a national mandate

The Homeland Security Act of 2002 underscores many ways the Homeland Security Department should work with organizations in the public and private sectors.

The department is expected to:

* Ensure compatibility of department databases and state and local systems.

* Create advisory groups to assess the needs of federal, state and local law enforcement agencies.

* Award grants to public and private groups for technology research.

* Improve policies and procedures for information sharing.

* Promote existing and new public/private partnerships.
********************************
Federal Computer Week
Group urges air traffic upgrades
BY Megan Lisagor
Dec. 2, 2002

The government needs to create a joint program office to coordinate the deployment of a highly automated air traffic management system, according to a presidential commission.

In findings released Nov. 18, the Commission on the Future of the U.S. Aerospace Industry called for a range of actions including development of real-time, space-based communications.

The commission made nine recommendations to the Bush administration and Congress that, if implemented, would impact aerospace initiatives at several agencies (the Defense Department, NASA, the Federal Aviation Administration, the National Oceanic and Atmospheric Administration and others) that must begin working together, it emphasized.

"We stand dangerously close to squandering the advantage bequeathed to us by prior generations of aerospace leaders," the commission wrote in the executive summary to its 300-page final report, which covered vision, air transportation, space, national security, government, global markets, business, workforce and research issues. "We must reverse this trend and march toward rebuilding the industry."

The commission backed funding for the FAA's modernization effort.

Rep. Sherwood Boehlert (R-N.Y.), chairman of the House Science Committee, said, "The report makes a strong case that government must increase its investment in aerospace research and...must increase investment in math and science education to ensure a continuing pipeline of motivated, talented men and women."
******************************
Federal Computer Week
Bill pushes security, but no money so far
BY DIANE FRANK
Dec. 2, 2002


A new bill awaiting President Bush's approval heralds the importance of cybersecurity, but the funds to bolster security education and research are yet to come.

The Cyber Security Research and Development Act (H.R. 3394) of 2002 is expected to kick-start the education and research support structure that has long been lacking in the security world.

The act would provide $903 million for grants and scholarships through the National Science Foundation and the National Institute of Standards and Technology, among other things. While the bill is expected to become law, there will still be a battle for the money that it authorizes.

The bill is being hailed by agencies, academia and industry as the best way to encourage long-term, focused information security research and, in turn, encourage students and professors to seek careers in the information security field.

Without the money authorized for programs at NSF and NIST, the push to increase security proficiency in the United States will not be as effective, according to security experts.

But talks are already under way, said Rep. Sherwood Boehlert (R-N.Y.), chairman of the House Science Committee and a co-sponsor of the bill.

"We are engaged in conversations with the appropriators, and we are bringing [the bill] to their attention," he said.

The bill's sponsors are checking with White House staff, particularly at the Office of Management and Budget, to make sure the funding requests are included in the president's budgets.

Officials will be "unyielding" in their efforts to make sure that actual money follows the bill, but the private sector, because of its power as a lobbying force, also has a large role to play in this fight, Boehlert said.

The Information Technology Association of America, which supports the bill, has already been working on the funding issue with appropriations committee staff members and White House officials, said Harris Miller, president of the Arlington, Va.-based industry group.

Even if the bill gets funding, research and education do not turn out immediate results. "It's not a quick-fix bill. It's a bill to build the human and intellectual capital in the long run," according to William Wulf, president of the National Academy of Engineering.

However, "the sooner we make that funding available, the sooner we create that pipeline of trained professionals," said Rep. Brian Baird (D-Wash.), a co-sponsor of the bill.

***

Follow the money

The Cyber Security Research and Development Act authorizes $903 million during the next five years for several internal and grants-based federal security programs, such as:

* National Science Foundation research grants: $233 million.

* NSF graduate scholarships: $90 million.

* NSF faculty development scholarships: $25 million.

* National Institute of Standards and Technology research program: $275 million.

Source: House Science Committee
********************************
Federal Computer Week
TSA preps smart ID pilot programs
BY Colleen O'Hara
Dec. 2, 2002

The Transportation Security Administration is ramping up its smart card-based programs designed to put identification into the hands of transportation workers nationwide and allow frequent travelers to get through airports quickly.

TSA is preparing to launch two regional pilot projects for its Transportation Worker Identification Credential (TWIC) System that will provide workers at airports, ports, railways and other locations with secure access to buildings and systems.

TWIC is "a system of information systems," said Elaine Charney, TSA's TWIC program manager. The goal is to produce an integrated system that can support one identification card, which then can be used across all transportation industries, she said.

TSA officials will soon begin the three-month planning phase of the TWIC pilot project in the Philadelphia/Wilmington, Del., region, Charney said, and soon after will begin the planning phase for the Los Angeles/Long Beach, Calif., region pilot project.

Each planning phase will be followed by a four-month technical evaluation. TSA will then conduct a four-month prototype so agency officials can evaluate and refine the products, including determining how effectively the pilot projects incorporated the different agency systems used to check employees' backgrounds.

During the technical evaluation phase, the administration plans to test access technologies that include digital photographs and holographic images, optical media stripes, memory-microprocessor chips, magnetic stripes, 2-D bar codes and linear bar codes.

TSA also will evaluate TWIC components such as the enrollment center, a regional database and regional card production, personalization and issuance, said Charney, who spoke Nov. 19 at the CardTech SecurTech ID 2002 show in Washington, D.C.

The TWIC program would form the foundation of another program TSA hopes to begin testing soon: the Registered Traveler Program, which will allow certain credentialed and pre-screened passengers to speed through security checkpoints in airports.

The program would reduce the "hassle factor" associated with passenger screening and allow airport officials to focus their security resources on passengers who present a greater security risk, said Michael Barrett, Registered Traveler Program manager at TSA.

TSA plans to consider "a lot of options," Barrett said, including biometric technologies and cost-sharing options.

This "trusted traveler card" should improve privacy, said James Hall, managing partner of Hall and Associates and former National Transportation Safety Board chairman.

Encoding information on a card with a fingerprint is a secure way to protect the identity of card users, according to Hall.
******************************
Government Computer News
Navy taps service's e-gov advocate as new CIO
By Dawn S. Onley


Dave Wennergren, champion of the Navy Department's e-business initiatives and smart-card deployment, will become the service's next CIO.

Wennergren, former deputy Navy CIO for enterprise integration and security, will replace Dan Porter, who retired Dec. 1. Porter accepted an early retirement option from the Navy and has taken a job as senior vice president for strategic development at Vredenburg Inc., a professional services company in Reston, Va.

Porter is the third top official in the service's CIO office to retire this year. Alex Bennet, former deputy CIO for enterprise integration, left earlier this year; Ron Turner, deputy CIO for infrastructure, systems and technology, has announced he will retire next month.

As CIO, Wennergren will oversee an annual IT budget of $5.6 billion. He also will manage the $8.82 billion Navy-Marine Corps Intranet program.
********************************
Government Executive
December 3, 2002
Homeland defense commander stresses 'need to share' information
By Molly M. Peterson, National Journal's Technology Daily



Officials at the newly established U.S. Northern Command may have to consider abandoning the military's traditional system for classifying information as they build crucial lines of communication with federal, state and local homeland security agencies, the Northern Command's chief information officer said recently.


Speaking to reporters at a homeland security summit late last month, Maj. Gen. Dale Meyerrose said inter-agency information sharing is a "blossoming requirement" for the Northern Command, which is headquartered at Peterson Air Force Base in Colorado Springs, Colo. The command is charged with consolidating the military's homeland defense and civil-support missions.

The Defense Department's current classification system allows military offices to share information on a need-to-know basis, and requires security clearances and background checks for access to information with such labels as "top secret" and "classified." But Meyerrose said that system could hinder the Northern Command's ability to share real-time information with civilian agencies that classify their information differently.

"My mantra is that I need to change from a 'need to know' to a 'need to share' foundation," Meyerrose said. "That is fundamentally a different level of information-exchanging requirement."

Federal law generally prohibits direct military involvement in domestic law enforcement, but during terrorist attacks and other national emergencies that might exceed the capabilities of federal, state and local agencies, the Pentagon can assign the Northern Command to provide civil support.

Meyerrose noted that in order to provide that assistance, the Northern Command must be able to communicate quickly and efficiently with emergency management officials at all levels of government, using radios, computers and other technologies.

"I am not advocating that we undo the need to know [classification] associated with national security information, but my requirements are going to be driven by a need to share, not a need to know," he said. "But we're developing a lot of things, so we have not formally stated that requirement."

Meyerrose said the Northern Command also must build on existing information-sharing architectures, such as those that have allowed the Federal Aviation Administration to exchange data with the North American Aerospace Defense Command.

"We're trying to make sure we don't reinvent any of those wheels," Meyerrose said, adding that the Northern Command is interested in ideas from the private and academic sectors. "We have our catcher's mitt open. We're listening."

Lockheed Martin will play a key role in meeting the Northern Command's information technology requirements. The company recently won two contracts, totaling $5.8 million, to help the command integrate various systems and develop new information operations capabilities.

"We have begun work on the contracts, and we're looking forward to helping them with their IT and infrastructure," Lockheed spokesman Joe Wagovich said on Tuesday.
*****************************
Government Computer News
12/04/02
New Jersey's CIO resigns
By Trudy Walsh


Judith Teller will resign from her post as New Jersey CIO on Dec. 31.

Gov. James McGreevey appointed Teller as the state's IT chief in January. Besides her duties as CIO, Teller was on the board of directors for the intergovernmental Geospatial One Stop committee as a representative of the National Association of State CIOs. The committee is working on spatial data collection and classifications standards for use by federal, state and local governments.

Before becoming New Jersey's CIO, Teller worked for Accenture LLP of Chicago for 27 years, specializing in state and local IT. Her clients at Accenture included New York City, Philadelphia, Fairfax County, Va., and New Jersey. She is a graduate of the Wharton School at the University of Pennsylvania.
********************************
Washington Post
President Signs 'Dot-Kids' Legislation



By David McGuire
washingtonpost.com Staff Writer
Wednesday, December 4, 2002; 11:08 AM


President Bush today signed legislation that seals off a G-rated "neighborhood" for kids on the World Wide Web.


The Dot-Kids Implementation and Efficiency Act creates a dot-kids domain within America's dot-us addressing space.

Sen. Byron Dorgan (D-N.D.), who co-sponsored the bill in the Senate, said in a recent interview that a dot-us domain would provide a "step forward for parents."

"Everyone who's a parent appreciates the difficulty of supervising their children on the Internet. This is a tool for parents," Dorgan said. "We're not censoring anything. We're just going to try to provide a domain that's safe for children."

The Senate altered the House language after NeuStar Inc., the company that would be responsible for operating dot-kids, said that running the domain could cost too much money and effort.

The new language grants NeuStar an extra two years on its four-year contract to operate dot-us if it upholds its dot-kids obligations. The legislation also would allow NeuStar to throw its hat into the ring when the government re-bids the dot-us contract.

The changes represent a potentially lucrative set of extensions for NeuStar if it abides by its contractual obligations. NeuStar's primary responsibility is to police the new domain, ensuring that Web sites bearing kids.us addresses abide by the child-friendly standards established by Congress.

"We think this has created a more fair approach to the kids.us space. It's definitely legislation we think we can work with," NeuStar Director of Business Development James Casey said.

NeuStar holds the government contract to run dot-us. Like dot-uk in England and dot-jp in Japan, dot-us is America's sovereign Internet domain, existing alongside dot-com, dot-net and dot-org in the Internet's global addressing system.

Because of the Internet's hierarchical nature, domain name owners can easily use their addresses as "second-level" Internet domains. Since the U.S. government has reserved the address kids.us, it can assign a virtually infinite number of names within that address (for example, address.kids.us, playground.kids.us, school.kids.us, etc.).

The dot-kids legislation represents a step back from an earlier proposal calling for the creation of a stand-alone dot-kids suffix to be included alongside dot-com, dot-net and dot-org in the Internet's Domain Name System (DNS).

The U.S. Commerce Department and the Internet Corporation for Assigned Names and Numbers (ICANN) -- the entities that share responsibility for the DNS -- criticized that proposal, prompting the compromise.

The act says that Web sites with a kids.us address cannot post hyperlinks to locations outside of the kids.us domain. It also prohibits chat and instant messaging features, except in cases where a site operator can guarantee the features adhere to kid-friendly standards developed for the domain.
*******************************
USA Today
Parents, athletes put GPS to work
By Donna Rosato, Special for USA TODAY


GPS is no longer just for hikers, pilots and drivers. Consumer devices using global positioning navigation technology are rapidly being developed for multiple purposes, such as finding lost children and measuring speed and distance in sports such as skiing, surfing and golf.

GPS, made up of a network of 24 satellites placed into orbit by the U.S. Department of Defense, was originally intended for military use. In the 1980s, the government opened the system to civilians.

Athletes grab on

GPS can be used by anyone who tracks their location and the direction they're moving. GPS is often used by automobile drivers, pilots, surveyors, boaters and hikers. But with smaller chips, batteries and other electronic components and a steady drop in component prices, GPS is finding a slew of new commercial uses.

Suunto, a Finnish company whose name means "direction," last month began selling in the USA a wristwatch-like personal golf computer with GPS. The G9, about $750, allows golfers to measure distance from tee to hole and the length of each shot. It advises on the best club based on a golfer's history, average length of shots and distance to the green.

It also displays course information, such as hazards, and automatically records scores. All the data can be downloaded to a PC for analysis.

GolfLogix and ParView make GPS devices for golf carts. The GolfLogix device, about the size of a cell phone, can be mounted on the cart or clipped on the golfer's belt. The "xCaddie" displays the distance to the green's center.

At the end of the game, the information is downloaded into a computer at the pro shop, and golfers get a three-page printout detailing each shot.

About 25 U.S. golf courses have the GolfLogix system. They charge a fee for the system or add the cost onto greens fees.

The ParView system, meanwhile, is permanently mounted in a golf cart: a 10.4-inch video screen that sits where a rearview mirror would be. ParView displays a hole and green overview, exact distancing and electronic score-keeping. It also allows golfers to put in food and drink orders, get pro tips and do two-way text communication. If threatening weather is coming, golfers will be alerted by a text message. The ParView system has been adopted by about 160 courses, which lease the system for a monthly fee.

"Purists say they'd rather mark off the distance themselves, but this is so much faster, it really speeds up play," says Mark Van Patten, general manager of the Daily News, a newspaper in Bowling Green, Ky.


Garmin, one of the biggest manufacturers of GPS devices for consumers, teamed up with Timex to develop an Ironman sports watch that incorporates GPS. The Timex Speed and Distance Monitor uses GPS to calculate how fast the wearer is going and the distance covered. The device, which costs $225, consists of a watch and a 5-ounce GPS receiver worn on the arm or a belt.

GPS satellites have atomic clocks built in, so time is extremely accurate. Unlike other tools such as pedometers that track speed and distance, no calibration or input is needed. "It's a great tool for athletes like downhill skiers and surfers who have never been able to gauge their exact distance and speed," says Jim Katz, a spokesman for Timex, which launched the watch in May.

Garmin also recently began selling the Rhino Radio, $169, which combines GPS and a two-way radio. It allows users to communicate and send their positions so they can see where they are in relation to each other.

Safety first

Other companies are using GPS to target safety and security.

Several companies are marketing GPS "personal locator" devices.

Wherify just started shipping its GPS Personal Locator for children. It sells for $399.99, plus a monthly service charge of $25 to $49.

Like a bracelet, the device combines GPS and digital wireless technologies to pinpoint a wearer's position within a few feet, Wherify says. Parents can view satellite or street maps on Wherify's Web site or call an 800 number, day or night, to obtain their kids' location and movements. By using cellular technology, plus GPS, the device can work inside buildings and underground locations that GPS can't penetrate.

If the wearer is abducted or lost, he or she can contact 911 by pressing a panic button on the bracelet. The locator, marketed for children ages 4 to 11, has a built-in numeric pager and is made of water- and cut-resistant material. Parents lock the bracelet onto their children's wrists and can unlock it by key or remotely.

Cutting or forcibly removing the band would activate an alarm for the company's emergency operators.

Earlier this year, Applied Digital Solutions began selling Digital Angel, a combination watch and clip-on tracking device that also uses GPS. The Digital Angel costs $400, with a monthly fee of $30. The owner of the unit can go on the Net to view a map showing the wearer's location, and the watch also can be programmed to alert someone when the wearer has wandered outside of designated boundaries.

The alerts can be automatically sent to any number of devices, including cell phones and pagers.

The University of Washington, meanwhile, is developing a handheld computer that incorporates GPS to assist early-stage Alzheimer's patients. The current prototype memorizes an Alzheimer's patient's daily routine and offers directions when they become lost or confused. The device won't be available for at least five years.

"The applications are limitless," says Tim Neher, founder and president of Wherify. He says he was inspired to build the personal locator after temporarily losing his niece and nephew at a zoo five years ago. The next model, due in January, will be a personal locator for elderly people.

"Our goal is to get as many of these products into consumer hands as possible, whether it's on your wrist when you're jogging, for your child or your pet," he says.
*******************************
Los Angeles Times
A Move to Muzzle E-Mail
A court may decide if a fired employee's mass messaging to Intel workers is legal or electronic 'trespassing' on the firm's system.
By Maura Dolan
December 4 2002


Ken Hamidi lost his job at Intel Corp. after a long fight over a workers' compensation claim, but he did not go quietly.

The engineer, 55, formed a support group for current and past Intel workers. He then sent six waves of e-mails critical of the company's labor practices to thousands of the firm's employees.

Eventually the giant chip maker obtained a court order preventing Hamidi from "trespassing" on the company's e-mail system. The ruling, now on appeal before the California Supreme Court, has sparked a loud outcry from dozens of civil libertarians but won plaudits from industry.

The outcome of the battle, pitting private property rights against free speech, will help determine whether the Internet is a public forum regardless of the ownership of the servers and computers that make up the worldwide system.

The decision is expected to be a milestone in the still-emerging field of cyber law. Because California has so much high-tech industry, many of the rulings on Internet law have come in California cases. It was one of the first states to regulate commercial e-mail, or spam.

Hamidi's case breaks new ground because his messages expressed personal views, which the 1st Amendment generally prevents the government from censoring.

"We look at the Internet as a public resource, but that does not have to be true," said Jennifer Granick, director of the Center for Internet and Society at Stanford University.

If the trespass ruling stands, "it means any Internet provider can become a gatekeeper and keep out e-mail it doesn't like because of its political content," said Ann Brick of the American Civil Liberties Union Foundation of Northern California.

But the U.S. Chamber of Commerce and other business groups said in a brief in the case that courts must assure "American businesses that e-mail is a tool worth having in the workplace, rather than a time bomb waiting to explode."

No one has free-speech rights on private property that is not generally open to the public, said University of Chicago law professor Richard A. Epstein, who was selected by Intel to represent other industries in the case.

"There is no 1st Amendment right to go into the lobby of Intel to speak to its employees, and if he can't use the lobby, why can he use the equipment," which in this case is Intel's server, asked Epstein.

Hamidi, who is married and has two daughters, describes his saga with Intel with the kind of emotion a jilted husband might have toward the wife who left him years earlier.

He began working for Intel in Folsom, Calif., in 1986. He said he loved his job, and believed he would spend the rest of his career with Intel.

Hamidi filed for workers' compensation in 1992 after suffering a back injury in an automobile accident while returning from a conference.

He began gulping down Vicodin for pain, couldn't sleep and was depressed, he said. He eventually asked for workers' compensation for his depression too, contending it stemmed from his chronic back pain. Intel finally gave him a three-month medical leave, he said, but stopped paying for his medical treatments the day the leave started.

"They picked on the wrong guy," Hamidi said over lunch in Sacramento, where he works as a compliance representative for a state agency. "They could not bring me to my knees."

During his protracted struggle, Hamidi described having to wait for months and to drive long distances to see doctors specified by Intel. The firm videotaped him changing a tire after it had been slashed and used the videotape against him, he said.

Intel fired Hamidi in 1995 for failing to return to work after a medical leave. A state workers' compensation appeals board eventually ruled against Hamidi on his psychiatric claim.

The appeals board found that his depression did not stem from his back injury and that he had exaggerated his problems to his doctors.

During his battle with Intel, Hamidi said, he entered a mental hospital twice and was placed under a suicide watch.

Hamidi credits the formation of FACE-Intel, a support group and Web site, with turning his life around. He said he has saved jobs at Intel by counseling employees not to file for workers' compensation and has prevented suicides. Focusing on others' problems distracted him from his own and gave him a voice, he said.

"Annual review time is very close," warned one of six e-mails Hamidi sent over a two-year period. "Unfortunately many of you ... will be terminated.... We can help."

In another e-mail to Intel, Hamidi wrote: "If you are on redeployment, it is highly likely that you are targeted for termination and there will not be any jobs available for you.... NEVER, EVER believe there is something wrong with you. Based on testimonies of numerous Intel victims, there is life after Intel that is rewarding."

When Intel took Hamidi to Sacramento County Superior Court in 1998 to stop his e-mails, the out-of-work engineer could not afford a lawyer and initially represented himself.

His six e-mails had been sent in bunches that ranged from 8,000 to 35,000 at a time, meaning that Intel employees received an average of one e-mail from Hamidi every four months.

His case attracted the attention of legal scholars only after a Court of Appeal in Sacramento upheld the injunction last December, ruling 2 to 1 that he was committing "trespass to chattels."

Chattel is private property other than real estate, and for decades courts have held that someone can be liable for such a wrong only if the property was damaged or temporarily taken away from the owner.

A simple analogy is this: "If I kicked your dog, it would not be actionable unless the dog was hurt," said UC Berkeley law professor Stephen Barnett, who teaches tort law.

Intel's computer system was not damaged, nor was there even any evidence that Hamidi's messages slowed the company's e-mail service.

But the company said Hamidi's e-mail had distracted employees, reduced morale, forced managers to spend time reassuring workers that their jobs were safe and required technical employees to work on efforts to block future e-mail from Hamidi.

The state Supreme Court has agreed to hear the case, which means it will be the first state high court to rule on the legal theory of "trespass to chattels" as applied to the Internet.

Because of the case's potential impact, many in the legal community have rushed to embrace Hamidi's case. The ACLU, a labor group, 41 law professors and other civil libertarian and Internet activist groups agreed to weigh in on Hamidi's behalf. The state high court has yet to schedule arguments in the case, Intel vs. Hamidi.

William M. McSwain, who is representing Hamidi, wrote a law review article about the case while he was a student at Harvard Law School. McSwain has arranged for the international corporate law firm where he now works in Philadelphia to represent Hamidi at no charge.

No court would have issued an injunction based on trespass if Hamidi had sent his messages through the U.S. Postal Service, and e-mail should not be any different, McSwain maintains.

"We're not talking about commercial advertising here," said McSwain. "This is a gentleman trying to disseminate a message of important public concern to people who want to hear it."

The ruling against Hamidi, if allowed to stand, could potentially turn millions of Americans who use the Internet into law breakers, McSwain said.

"You cannot have a situation where anything, even the movement of electrons, constitutes trespass," he said. "The court needs to put a stop to this madness."

Critics of the early rulings in the Intel case say courts should insist that companies deal with the Hamidis of the world by bringing nuisance or defamation cases against them. Under those legal theories, Hamidi probably would have fared better, analysts said.

The ACLU has asked the court to apply the trespass doctrine only in cases in which there is physical damage or impairment to the computers or the company server. If a barrage of e-mail caused computers to crash or slow down, the company would have a claim against the sender, they say.

But if the content of the message is at issue, free speech guarantees protect it, the ACLU's Brick wrote. In Hamidi's case, the content was the issue because Intel would not have objected if the messages had been laudatory, she said.

Intel declined to allow its lawyer in the case to be interviewed.

But Epstein, who represents industry groups aligned with Intel, said in a brief to the state high court that the uproar over the ruling stems from the fact that people tend to "wax mystical" when it comes to the Internet.

"I think the Internet is a communications tool, not a transformative social revolution," Epstein said.

"Intel runs its e-mail system beside -- not on -- the Internet highway," he argued in the brief. "It is no more a part of the public infrastructure of the Internet than an office building or factory that is not open to the public but which happens to operate alongside the public highways."

The United States Chamber of Commerce contends that the case is about a vengeful former employee trying to destroy a corporation that fired him for incompetence.

"If this court permits Hamidi's conduct to continue unchecked in the absence of criminal and civil penalties, American businesses may choose to curb technological development and e-mail privileges in the workplace," wrote Mark Theodore, who is representing the U.S. and California chambers in the case.

In its brief, Intel said Hamidi evaded Intel security measures put in place to block his mail.

"To avoid detection and the various measures Intel might take to block his messages," the brief said, "Hamidi sent e-mails in the dead of night and from different computers."

Hamidi smiled when asked about this. He said he sent the e-mails late at night because computers at the time were slower than they are now, and he had to send his bulk messages when there was less Internet traffic.

He evaded Intel's attempted blocks by switching servers and adding dashes or periods to his name and the name of his organization, he said. He obtained the e-mail addresses of Intel employees from someone inside Intel who sent him the directory anonymously, he said.

Chuck Mulloy, an Intel spokesman, described Intel as a "meritocracy," and "a fair place to work," headquartered in Santa Clara with 80,000 employees worldwide.

He said Intel has not tried to stop Hamidi from expressing his views on his own Web site, in leaflets or in media interviews. "But when he sends e-mail in the volume he does, in our view he is trespassing on our property."

Hamidi's messages contained a section in which recipients could ask to be removed from Hamidi's list. He said he honored about 450 such requests.

When the court barred him from sending e-mails to Intel employees, Hamidi rented a horse and buggy and delivered leaflets to Intel's headquarters. Another time he went to Intel on horseback.

Hamidi runs his support group out of his home office in a working-class neighborhood north of Sacramento. He has two computers, an array of office equipment and a book of press clippings.

"Did you know I was 'Disgruntled Employee of the Year' in 1997?" he asked with a grin. An Internet magazine gave him the title.

Hamidi continues to counsel Intel workers who contact his Web site, www.FaceIntel.com, and he is helping to facilitate three possible class-action lawsuits against the chip maker. He receives e-mail on his site from people around the world, and spends hours each evening at his computers.

"They cannot force me into submission," Hamidi said. "If I have been wronged, I will stand up and say, 'You have wronged me.' That is my constitutional right."
***************************


Lillie Coney
Public Policy Coordinator
U.S. Association for Computing Machinery
Suite 510
2120 L Street, NW
Washington, D.C. 20037
202-478-6124
lillie.coney@xxxxxxx