Advocacy Group Takes On Big Pharma For Citizen-Journalist Writing On Wiki

The Electronic Frontier Foundation (EFF) went to court to defend the First Amendment rights of a citizen-journalist to link from a public “wiki” to electronic copies of damaging internal Eli Lilly documents relating to the controversial prescription drug Zyprexa.

At the hearing, federal district Judge Jack B. Weinstein refused to change his order blocking publication of material that would “facilitate dissemination” of the Lilly documents.

EFF’s client, an anonymous citizen-journalist, posted the links on the wiki located at http://zyprexa.pbwiki.com. Eli Lilly complained, and Judge Weinstein issued his order on January 4. EFF went to court to challenge this order as an unconstitutional prior restraint on free speech in violation of the First Amendment and to ensure that the right of nonparties in the litigation to link to publicly important information remains protected.

“Preventing a citizen-journalist from posting links to important health information on a public wiki violates the First Amendment,” said EFF Senior Staff Attorney Fred von Lohmann. “Eli Lilly’s efforts to censor these documents off the Internet are particularly outrageous in light of the information reported by The New York Times, which suggests that doctors and patients who use Zyprexa need to know the information contained in those documents.”

According to The New York Times reports, the Eli Lilly documents show that the company intentionally downplayed the drug’s side effects, including weight gain, high blood sugar, and diabetes, and marketed the drug for “off-label” uses not approved by the Food and Drug Administration (FDA). The documents were leaked from the ongoing Zyprexa products liability lawsuit, where Weinstein is the presiding judge.

Copies of the leaked Eli Lilly documents have appeared on a variety of websites and other Internet sources. The links to the documents that were posted on the wiki at http://zyprexa.pbwiki.com were part of extensive, in-depth analysis from a number of citizen journalists. A wiki is a website that allows many users to collaborate on its content, creating a kind of simple database for collecting information — in this case, about the controversy surrounding Zyprexa.

Zyprexa is Eli Lilly’s best selling drug, used to treat schizophrenia and bipolar disorder. Eli Lilly has agreed to pay up to $500 million to settle claims relating to Zyprexa. This latest settlement brings the total paid by Eli Lilly to resolve lawsuits involving Zyprexa to more than $1.2 billion.

Full motion filed in the Zyprexa products liability litigation.

The court’s order of January 4: http://eff.org/legal/cases/zyprexa/jan4_order.pdf

Posted under Privacy

This post was written by George Bounacos on January 25, 2007


Guidance Settles FTC Charges

Guidance Software Inc. has agreed to settle Federal Trade Commission charges that its failure to take reasonable security measures to protect sensitive customer data contradicted security promises made on its Web site and violated federal law. According to the FTC, Guidance’s data-security failure allowed hackers to access sensitive credit card information for thousands of consumers. The settlement will require the company to implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 10 years.

Guidance sells software and related training, materials, and services customers use to investigate and respond to computer breaches and other security incidents.

According to the FTC complaint, Guidance failed to implement simple, inexpensive and readily available security measures to protect consumers’ data. In contrast to claims about data security made on Guidance’s Web site, the company created unnecessary risks to credit card information by permanently storing it in clear readable text. In addition, the complaint alleges that Guidance failed to protect the information by:

* failing to assess adequately the vulnerability of its network to commonly known or reasonably foreseeable Web-based attacks, such as structured query language injection attacks;

* failing to implement simple, low-cost, and readily available defenses to such attacks;

* storing in clear, readable text network administrator credentials, such as user name and password, that facilitated access to credit card information stored on the network;

* failing to use readily available security measures to monitor and limit access from the corporate network to the Internet; and

* failing to employ measures to detect unauthorized access to consumers’ credit card information.

The settlement bars misrepresentations about security measures in the future and requires Guidance to establish and maintain a comprehensive information-security program that includes administrative, technical, and physical safeguards. The settlement also requires Guidance to obtain, every two years for the next 10 years, an audit from a qualified, independent, third-party professional to assure that its security program meets the standards of the order. The company also will be subject to standard record keeping and reporting provisions to allow the FTC to monitor compliance.

Posted under Privacy

This post was written by George Bounacos on November 20, 2006


Pharmacist Con Is Detailed By Government Officials

Attorney General Rob McKenna has warned consumers to be aware of a new identity theft scam in which a caller claims to be your pharmacist and asks for a list of your medications and a credit card number. He also cautioned consumers about a recent proliferation of foreign lottery and counterfeit check scams.

Seniors in Wenatchee, as well as Southern California and Chicago, have recently reported receiving cold calls along these lines. In the Wenatchee cases, the caller(s) had a foreign accent and the recipients were unable to trace the calls by dialing *69.

“Never provide any personal or financial information to an unknown caller,” McKenna said. “Cons want details about your finances so that they can steal from your account or cause other harm. Legitimate companies that you do business with already have your information and will not call to ask for it. If you have questions about whether a call is legitimate, hang up and contact your pharmacist or doctor directly.”

McKenna said the Attorney General’s Office continues to receive an increasing number of calls from consumers inquiring about foreign lotteries.

“The Attorney General’s Office has received numerous calls from consumers who have received notices in the mail indicating they are the big winner of a foreign lottery,” McKenna said. “A check is included, which the recipients are instructed to cash to help cover so-called processing fees. Consumers are then asked to wire money in order to receive the rest of their winnings.

“The checks are an attractive lure, but worthless,” McKenna added. “If you cash one, it will eventually bounce and your bank will withdraw the money from your account. These pitches are always scams.”

To win a legitimate lottery, you must purchase a ticket. It’s also important to know that you can’t legally play a foreign lottery in the United States.

Posted under Health, Privacy

This post was written by George Bounacos on October 30, 2006


Don’t Date These Lonely Wives As FTC Shuts Spammers

The Federal Trade Commission has brought a permanent halt to four illegal spamming operations – including one that offered the opportunity to “date lonely wives” and two that hijacked the computers of unwitting third parties and used them to pelt consumers with graphic sexually explicit e-mail. The FTC charged the operators with sending spam that violated provisions of the CAN-SPAM Act, and has halted the illegal spamming.

The CAN-SPAM Act requires that a spam e-mail contain accurate header and subject lines, identify itself as an ad, and include the sender’s postal address. It also requires that the spam give recipients an opt-out method, so consumers can elect not to receive messages from the spammer in the future. To ensure that consumers are not exposed to content they do not wish to view, the Adult Labeling Rule requires that senders use the phrase “SEXUALLY EXPLICIT: ” in the subject line of sexually explicit e-mail messages and ensure that the initially viewable area of the message does not contain graphic sexual images. The consent agreements announced today settle charges that the spammers violated the CAN-SPAM Act, the Adult Labeling Rule, or both.

Cleverlink Trading Limited and its partners will give up $400,000 in ill-gotten gains to settle FTC charges that their spam, or that of their affiliates, violated federal law. The agency charged that their “date lonely wives” spam violated nearly every provision of the CAN-SPAM Act. It contained misleading headers and deceptive subject lines. It did not contain a link to allow consumers to opt out of receiving future spam, did not contain a valid physical postal address, and did not contain the disclosure that it was sexually explicit. It also included sexual materials in the initially viewable area of the e-mail, in violation of the FTC’s Adult Labeling Rule. A U.S. District Court judge halted the illegal spamming at the FTC’s request and froze the defendants’ assets. The settlement announced today ends that litigation. The settlement with Cleverlink, Real World Media, Brian D. Muir, Jesse Goldberg, and Caleb Wolf Wickman bars future violations of the CAN-SPAM Act and the Adult Labeling Rule and requires extensive monitoring of their affiliates for future violations. They also will give up $400,000 in ill-gotten gains.

The FTC charged that Zachary Kinion sent spam hawking adult sites, mortgage rates, and privacy software and paid other spammers commissions to send spam messages for him. The FTC charged that he hid his true originating address by routing his spam through the computers of innocent third parties. The FTC charged him with violations of the CAN-SPAM Act, and a district court judge ordered a halt to the illegal spamming, pending trial. The settlement announced today ends the litigation. The settlement bars him from sending e-mails that contain false or misleading header information, misrepresent the subject matter of the message, fail to include an opt-out option, fail to include a postal address or fail to disclose the spam is an ad. The order contains a judgment of $151,000 – the total amount he made from his illegal spamming – which is suspended because of his inability to pay. Finally, it requires that he monitor any affiliates for CAN-SPAM Act violations.

One spam operation used “spam zombies” – computers used without their owners’ knowledge or consent – to conceal the source of the sexually explicit spam. The FTC alleged that the defendants did not have authorization to use the “zombie” computers and that their spam violated provisions of the Adult Labeling Rule that prohibit sexually explicit images in the initially viewable area of an e-mail and require that the label “SEXUALLY EXPLICIT: ” appear in the subject line. The settlement with William Dugger, Angelina Johnson, and John Vitale calls for them to give up $8,000 in ill-gotten gains and bars them from violating CAN-SPAM and the Adult Labeling Rule. It also requires that before they use third parties’ computers to send spam, they must obtain authorization from the computer’s owner and inform the owner how the computer will be used.

Another operator was a professional “button pusher,” who used spam to drive traffic to Web sites run by third parties. The FTC alleged that in an attempt to conceal the source of the spam, the spammer routed his promotions for pharmaceuticals and adult content through unwitting consumers’ computers. The FTC charged Brian McMullen, doing business as BM Entertainment and B Pimp, with violating the CAN-SPAM Act. The settlement bars future violations and imposes a judgment of $24,193, which is suspended based on his inability to pay. In addition, the defendant has pleaded guilty to criminal charges related to spam and unauthorized possession of access devices – credit cards. He currently is awaiting sentencing.


Posted under Privacy

This post was written by George Bounacos on September 19, 2006


IBackups.Net Operator Sentenced To Prison, Massive Fine

The owner of a massive for-profit software piracy Web site was sentenced last week in federal court to 87 months in prison, Assistant Attorney General Alice S. Fisher of the Criminal Division and U.S. Attorney Chuck Rosenberg of the Eastern District of Virginia announced.

Nathan L. Peterson, 27, of Antelope Acres, Calif. was also ordered by Judge T.S. Ellis, III of the Eastern District of Virginia to forfeit the proceeds of his illegal conduct and pay restitution of more than $5.4 million. The forfeiture involves a wide array of assets, including homes, numerous cars, and a boat, which Peterson had purchased with the profits from his company.

The sentence is the second recent major prison sentence received for software piracy. In August 2006, Danny Ferrer, 37, the operator of www.BuysUSA.com, received a six-year prison sentence. Peterson is believed to be the most prolific online commercial distributor of pirated software ever convicted in the United States, the Department said. “This defendant lined his pockets by stealing the hard work of others,” said Fisher. “Today’s sentence sends a clear message that those who sell pirated software will be convicted and punished.”

Beginning in 2003, and continuing until its shutdown by the Federal Bureau of Investigation (FBI) in February 2005, Peterson operated the www.ibackups.net website which sold copies of software products that were copyrighted by companies such as Adobe Systems, Inc., Macromedia Inc., Microsoft Corporation, Sonic Solutions, and Symantec Corporation at prices substantially below the suggested retail price. The software products purchased on Peterson’s website were reproduced and distributed either by instantaneous computer download of an electronic copy and/or by shipment through the mail on CDs. Peterson often included a serial number that allowed the purchaser to activate and use the product.

“Stealing the intellectual property of others is always a bad idea in any context. It’s theft. And, so, a sentence of seven plus years in prison and restitution of $5.4 million is richly deserved,” said Rosenberg.

The investigation was conducted by agents of the FBI’s Washington Field Office. After receiving complaints from copyright holders about Peterson’s website, an undercover FBI agent made a number of purchases of business and utility software from the site, which were delivered over the Internet and by mail to addresses in northern Virginia.

As a result of the FBI’s investigation, Peterson’s website was taken down in February 2005. Further investigation established that, during the time of its operation, www.ibackups.net illegally sold more than $5.4 million of copyrighted software. These sales resulted in losses to the owners of the underlying copyrighted products of nearly $20 million.

Peterson used the proceeds of his illegal conduct to fund an extravagant lifestyle, including the purchases of multiple homes, cars, and a boat. The government seized numerous assets from Peterson including: a number of bank and trading accounts, a fully restored 1949 Mercury Coupe purchased originally for $44,000, a 2005 Dodge Ram, a 2003 Chevrolet Corvette, a 2004 Toyota Camry, a 2005 Toyota Corolla, and a 2006 Mercedes-Benz S-Class purchased for $125,000.

Peterson pleaded guilty before Judge Ellis on Dec. 13, 2005, to two counts of criminal copyright infringement for selling pirated software. While awaiting sentencing in this case, Peterson was arrested, convicted, and sentenced in California on state gun charges resulting from an investigation by the Los Angeles Police Department. He was sentenced on June 1, 2006, to 16 months of incarceration on those charges. Federal prosecutors then sought his return to the Eastern District of Virginia for sentencing on the federal charges.

Posted under Privacy

This post was written by George Bounacos on September 11, 2006


Xanga Fined For Violating Children’s Privacy

Social networking Web site operators Xanga.com, Inc. and its principals, Marc Ginsburg and John Hiler, will pay a $1 million civil penalty for allegedly violating the Children’s Online Privacy Protection Act (COPPA) and its implementing Rule, under the terms of a settlement with the Federal Trade Commission announced this week.

According to the FTC, Xanga.com collected, used, and disclosed personal information from children under the age of 13 without first notifying parents and obtaining their consent. The penalty is the largest ever assessed by the FTC for a COPPA violation, and is more than twice the next largest penalty.

The complaint charges that the defendants had actual knowledge they were collecting and disclosing personal information from children. The Xanga site stated that children under 13 could not join, but then allowed visitors to create Xanga accounts even if they provided a birth date indicating they were under 13. Further, they failed to notify the children’s parents of their information practices or provide the parents with access to and control over their children’s information. The defendants created 1.7 million Xanga accounts over the past five years for users who submitted age information indicating they were under 13.

“Protecting kids’ privacy online is a top priority for America’s parents, and for the FTC,” said FTC Chairman Deborah Platt Majoras. “COPPA requires all commercial Web sites, including operators of social networking sites like Xanga, to give parents notice and obtain their consent before collecting personal information from kids they know are under 13. A million-dollar penalty should make that obligation crystal clear.”

Xanga.com - Xanga.com is one of the most popular social networking sites on the Internet. After setting up a personal profile, users can post information about themselves for other users to read and respond to. On Xanga.com, users can create their own pages or Web logs (blogs) that contain profile information, online journals, text, hypertext images, as well as links to audio, video, and other files or sites. Information on the Xanga site is available to the general public through the use of global search engines such as Google and Yahoo.

Incorporated in 1999 and based in New York City, privately held Xanga.com, Inc. was founded by Ginsburg and Hiler. In 2005, Xanga had about 25 million registered accounts.

The Commission’s Complaint - According to the Commission’s complaint, the defendants violated COPPA, the COPPA Rule, and the FTC Act by collecting personal information from children with actual knowledge that they were under the age of 13, failing to post on their site sufficient notice of their information practices regarding children, failing to notify parents directly about their information practices regarding children, and failing to obtain verifiable parental consent before collecting, using, or disclosing children’s personal information. The complaint also alleges the defendants failed to provide parents with reasonable access to and control over their children’s information on the Xanga.com site.

The Consent Order - The consent order is designed to prohibit Xanga, Ginsburg, and Hiler from violating COPPA and the COPPA Rule in the future. Accordingly, it contains strong conduct provisions that will be monitored by the FTC. The order specifically prohibits the defendants from violating any provision of the Rule and requires them to delete all personal information collected and maintained by the site in violation of the Rule. The defendants further must distribute the order and the FTC’s How to Comply with the Children’s Online Privacy Protection Rule to certain company personnel. The order also contains standard compliance, reporting, and record keeping provisions to help ensure the defendants abide by its terms.

To provide resources to parents and their children about the risks associated with social networking sites, the order additionally requires the defendants to provide links on certain of their sites to FTC consumer education materials for the next five years. First, the defendants must include a link to the Children’s Privacy section of the Commission’s ftc.gov site on any site they operate that is subject to COPPA. Second, the defendants must include links to the Commission’s recently published safety tips for social networking on any of their social networking sites.

The order requires the defendants to pay a civil penalty of $1 million for violating the COPPA Rule, as detailed above.

The Commission vote approving the complaint and consent decree and order was 5-0. They were filed by the Department of Justice on the FTC’s behalf on September 7, 2006, in the U.S. District Court for the Southern District of New York.

Posted under Privacy

This post was written by George Bounacos on September 8, 2006


AARP Says 90 Million Americans May Have Exposure To Data Breaches In One Year

A new report from the AARP Public Policy Institute (PPI) states that from January of 2005 through May of 2006, 89.8 million Americans were potentially exposed to identity theft as a result of security breaches involving sensitive personal information. As security breaches at high profile institutions have made the public aware of the seriousness of this problem and more concerned about the safety of their personal information, PPI has analyzed the kinds of institutions that most often experience security breaches and also the most common ways used to gain sensitive personal information.

The report, “Into the Breach: Security Breaches and Identity Theft,” closely examined 244 publicly disclosed security breaches that took place from January 1, 2005 through May 26, 2006. It found that educational institutions were more than twice as likely to report a breach as healthcare organizations, financial services companies, corporations, and government agencies.

The report found that 40 percent of the publicly disclosed security breach incidents were caused by hackers or insider access specifically targeting sensitive personal information. Breaches caused by hackers or insider access put the personal information of 50 million individuals (making up 56 percent of all breach victims) at risk of identity theft.

“Security breaches have become all too common in our daily lives,” said Dalmer Hoskins, AARP Managing Director of Public Policy. “And while safeguards are constantly being improved to protect personal information, it is also incumbent upon all institutions that experience a security breach to immediately alert those individuals in danger of identity theft so that they can take measures to further reduce that risk.”

While companies across the country look for ways to protect private information from outside hackers, the report shows that much of the threat comes from within the walls of the institutions themselves. The report notes that of all the ways used to improperly gain or display personal information, 30% are the result of breaches from the inside.

Posted under Privacy

This post was written by George Bounacos on September 8, 2006


FTC Targets Spyware Organization

An operation that placed spyware on consumers’ computers in violation of federal laws will give up more than $2 million to settle Federal Trade Commission charges.

Under a stipulated final judgment and order, the defendants are permanently prohibited from interfering with a consumer’s computer use, including but not limited to distributing software code that tracks consumers’ Internet activity or collects other personal information, changes their preferred homepage or other browser settings, inserts new advertising toolbars or other frames onto their browsers, installs dialer programs, inserts advertising hyperlinks into third-party Web pages, or installs other advertising software code, file, or content on consumers’ computers.

The defendants also are permanently prohibited from making misleading representations regarding the performance, benefits, features, cost, or nature or effect of any type of software code, file, or content, including misrepresenting that the code is an Internet browser upgrade or other computer security software, music, song, lyric, or cell phone ring tone.

The order names Enternet Media Inc., Conspy & Co. Inc., Lida Rohbani, Nima Hakimi, and Baback (Babak) Hakimi, all based in California, whose software codes were “Search Miracle,” “Miracle Search,” “EM Toolbar,” “EliteBar,” and “Elite Toolbar.”

According to the FTC’s complaint, the Web sites of the defendants and their affiliates caused “installation boxes” to pop up on consumers’ computer screens. In one variation of the scheme, the boxes offered a variety of “freeware,” including music files, cell phone ring tones, photographs, wallpaper, and song lyrics. In another, the boxes warned that consumers’ Internet browsers were defective, and offered free browser upgrades or security patches. Consumers who downloaded the supposed freeware or security upgrades did not receive what they were promised; instead, their computers were infected with spyware that interferes with the functioning of the computer and is difficult for consumers to uninstall or remove.

The agency’s complaint also alleges that the defendants’ software code tracks consumers’ Internet activity, changes their home page settings, inserts new toolbars onto their browsers, inserts a large side “frame” or “window” onto browser windows that in turn displays ads, and displays pop-up ads, even when consumers’ Internet browsers are not activated.

At the FTC’s request, a federal judge froze the operation’s assets last fall and ordered it shut down. The settlement requires the defendants to give up $2.045 million of their ill-gotten gains and includes a suspended judgment of $8.5 million for alleged violations of the FTC Act. The Commission vote to approve the settlement was 5-0.

Posted under Privacy

This post was written by George Bounacos on September 7, 2006


Organization Rescues Missing, Exploited Children

The debut of the first-ever U.S.-based Victim Identification Lab, created by the National Center for Missing & Exploited Children (NCMEC), has already generated more than 560 leads in the effort to identify child victims of pornography. Launched in Dallas, Texas at the Crimes Against Children Conference August 21-25, the Victim Identification Lab allowed select conference attendees, representatives from law-enforcement and prosecutors from around the world, to contribute to the efforts of NCMEC to identify child victims seen in sexually abusive images.

During the week, 540 registered users visited the lab 778 times, viewed “sanitized” images and posted information that generated over 560 leads. As a result, jurisdictions have been identified for five children and in one case, the identity of a previously unknown child victim was determined.

“The collaborative effort of law enforcement and prosecutors involved in the Victim Identification Lab has proven that by working together we can identify clues needed to find these children and stop future exploitation and abuse,” said Ernie Allen, president and CEO of NCMEC. “This was the first step in an ongoing aggressive initiative that taps national and international resources to identify and rescue child victims.”

Partnering with the Office of Juvenile Justice and Delinquency Prevention’s (OJJDP) Internet Crimes Against Children (ICAC) Task Forces, NCMEC’s Child Victim Identification Program (CVIP), which serves as the national clearinghouse for child pornography cases and the main point of contact to international agencies for victim identification, worked in cooperation with the Federal Bureau of Investigation, U.S. Immigration and Customs Enforcement, and U.S. Postal Inspection Service to bring the Lab to the conference and staff over 42 hours of operation.

Participants included law-enforcement officials and prosecutors from 48 states and 11 countries. Participants viewed 50 files with the graphic material removed, both photographs and videos, showing background identifiers, audio clues, children’s faces and suspects’ faces. The Lab featured 30 individual workstations, donated by the ICAC Task Forces, with real-time message posting of comments and suggestions that could be viewed by everyone in the Lab.

U.S. Attorney General Alberto R. Gonzales and Assistant Attorney General Regina B. Schofield toured the lab and received a demonstration of its capabilities on opening day. Project Safe Childhood, a U.S. Department of Justice initiative aimed at preventing the online exploitation and abuse of children, was announced by Attorney General Gonzales in May.

All information submitted by Lab users will be compiled and analyzed by NCMEC. The information will then be distributed to the appropriate law-enforcement agency for investigation.

Posted under Privacy, Safety

This post was written by George Bounacos on September 5, 2006


Free Credit Report Monitoring For AT&T Customers Whose Data Was Breached

AT&T Inc. today said that unauthorized persons illegally hacked into a computer system and accessed personal data, including credit card information, from several thousand customers who purchased DSL equipment through the company’s online Web store.

The unauthorized electronic access took place over the weekend, was discovered within hours and the online store was shut down immediately. AT&T also quickly notified the major credit card companies whose customer accounts were involved. The company is now working with law enforcement.

Customer notifications are ongoing by email, phone and letter to fewer than 19,000 customers. In addition to notifying those customers who were affected, the company will pay for credit monitoring services to assist in protecting the customers involved.

“We recognize that there is an active market for illegally obtained personal information. We are committed to both protecting our customers’ privacy and to weeding out and punishing the violators,” said Priscilla Hill-Ardoin, chief privacy officer for AT&T. “We deeply regret this incident and we intend to pay for credit monitoring services for customers whose accounts have been impacted. We will work closely with law enforcement to bring these data thieves to account.”

Customers who have been affected have been provided with a toll-free number to call for more information.

Posted under Privacy

This post was written by George Bounacos on August 29, 2006
