Wednesday, December 09, 2009

Facebook Privacy:: Fact or theory?

Xmas comes early for privacy advocates?!

The Register reports

"Facebook has ordered its 350 million users to sort out their privacy settings right now, before it throws the switch on its revamped security system.

The social networker farmer in chief Mark Zuckerberg, told its users last week that, "We're adding something that many of you have asked for — the ability to control who sees each individual piece of content you create or upload." He also promised a simplified privacy page.

..In today's warning, coinciding with the actual launch of the tools, Facebook promised its new Publisher Privacy Control would allow users to set a privacy setting for each piece on content they create.

The firm is also removing its "regional networks", in favour of four basic control settings: friends, friends of friends, everyone and customised.

This will be allied with an "easy, intuitive and accessible" privacy settings page."

Well, hmm, let's see - but Blogzilla. looks like we may finally have to rewrite that FB paper!

Of course in other news today, Sophos, who discovered 2 years ago that most FB users would revel their most private details to cartoon frog, found that 2 years on, relicating the study in Australia, ... well, nothing had really changed.

"The survey found that 46% of users in a fictional 21 year old's age group accepted the offered friendship, while 41% of a fictional 56 year old's peers did.

On Facebook once someone has been accepted as your 'friend' they can see more information about you, but you can still choose to hide information from those friends or limit it to specific groups amongst your online friends....

"Both groups were very liberal with their email addresses and with their birthdays," said Sophos head of technology in Asia Pacific Paul Ducklin. "This is worrying because these details make an excellent starting point for scammers and social engineers.""

Ah well, you can't have everything!

Something Different for the Midweek: Google and Criminal Liability

Yesterday Pangloss was very happy to have a guest lecture for her Internet Law class given by Trevor Callaghan, Managing Product Counsel of Google UK. Trev gave a hilarious lecture on the law relating to search and copyright, which conbined legal insight, practical tips, and social responsibility with some Glasgow humour that would have put Armando Iannuci of The Thick Of It fame to shame (albeit with (slightly) less swearing). I enjoyed it, lots, and i think the students did too.

Anyway, this all reminded me that actually quite a few things are going on I should be talking about as well as (or perhaps even in combination with) the Digital Economy Bill. One of these, which has received suprisingly little press (even wonderful OUT-LAW hasn't mentioned it since February) , is that right now, four Google executives - including Privacy CEO Peter Fleischer- are on trial - yes, criminal trial - in Italy, in relation to a short phonecam video made by some school children of a bullying incident involving a child with learning disabilities, and then posted on Google Video.

In Italy, it appears that libel and , possibly, infringement of privacy laws, can be a matter of criminal as well as civil law. Google took down the video on notice within a day of receiving an official complaint from a consumer group, although the video had been online for about 2 months before that. Italian prosecutors investigated for two years but then decided to proceed.

For Pangloss this seems a not very difficult case that ought to be easily decided under the EC E-Commerce Directive safe harbours in Art 14 and 15, as often discused in this blog. If these aren't implemented into Italian law, then it would seem Italy must be in breach of EC law itself. Google was clearly a host here, and Art 14 provides that such sites are protected from criminal liability for the activity of users of the service, unless they receive actual notice, and fail to take down expediently. This is a case about criminal liability so there is no need even to move to the second branch of Art 14 (which is far more controversial) and discuss whether Google should have known - ie had constructive knowledge - of the activity or content. Injunctions would have been relevant, despite the safe harbours, but these are not the issue as Google already took down straightaway on notice.

So why on earth is this case coming to trial? Pangloss is perplexed. One possibility as noted above is that simply that Italy's domestic law is in breach of EC law (in which case Google should have a Francovich claim for damages against the Italian government, though that may not be much comfort to the men awaiting trial.) Another possibility, though rather an unlikely one, is that the Italian prosecutors have confused the activities of Google as a search engine, with Google as a host. The ECD does not give search engines , or hyperlinkers , a special immunity from liability as it does hosts and "mere conduits" : though a number of EC countries have in fact decidd to extend such an immunity, either under Art 12 or 14, or both. However in this case case it seems pretty clear Google was a host not a hyperlinker in terms of liability. So, what on earth quid iuris?

Another remote possibility is that the suggestion is that Google as a provider of free services does not gain the benefit of the Art 14 safe harbour. This uncertainty has been around for a long time, since only providers of "information society services"(ISSPs) get the benefit of Arts 12-15 and that definition is of an online service "normally provided for remuneration" (see recitals 17 and 18). Yet majority opinion has long felt that this particular point is no obstacle to the likes of Google (or Facebook, or Hotmail?) claiming safe harbours.

First, while renumeration might not come directly from users, it certainly does come in the form of the adverts Google place alongside its services. Second, search services are certainly something that would "normally" be paid for if they weren't, happily, often provided for free: they are of huge commercial value . Thirdly, it seems a strange policy in terms of public interest which would discriminate against services of great public value provided for free, in favour of those given purely for direct consideration.

There is no clear ECJ ruling on this yet but there is likely to be soon: in the upcoming Adwords conjoined referrals to the ECJ (Google France v Louis Vuitton, etc), the Advocate-General has already given a preliminary opinion in which he found:
"There is nothing in the wording of the definition of information society services to exclude its application to the provision of hyperlinks and search engines, that is to say, to Google’s search engine and AdWords. The element ‘normally provided for remuneration’ may raise some doubts as regards Google’s search engine, but, as has been pointed out, the search engine is provided free of charge in the expectation of remuneration under AdWords. (68) Since both services are also provided ‘at a distance, by electronic means and at the individual request of the recipient of services’, they fulfil all the requirements necessary to be regarded as information society services."(para 131)
And for what it is worth, a roughly similar finding was reached, albeit obiter and with an admission of some possibility of doubt , in the recent English libel case of Metropolitan v Designtechnica, where Eady J opined: "it would appear on balance that the provisions of the 2002 Regulations [defining an ISSP] are apt to cover those providing search engine services." (para 84)

So what does that leave? Well there is perhaps a clue in the New York Times account.

"Google and the prosecutors agree the video was uploaded Sept. 8 and removed Nov. 7, 2006. The prosecutors presented evidence showing that in early October, a month before the video’s removal, there were comments posted saying that it should be taken down. One of those messages read, “This is shameful! This should be taken down immediately.”

“It is reasonable to imagine that comments like this were followed by requests by these same people that the video be removed,” the prosecutors wrote in the document they presented to the judge."

So when are such shocked responses or "requests", "actual notice" as required by Art 14? Do comments on a video hosting site cut it, as opposed to an official request for takedown? To put it another way: does a hosting service have a duty to read comments about videos posted by, and probably of interest only to, their creators and viewers? Surely not.

Compare the situation to the original world Art 14 was designed to deal with, that of web 1.0. If Demon Internet hosted a basic site for (let's say) Anglers Magazine, and it contained a chatroom where libellous remarks were made about particular fly-fishers, would Demon be expected to monitor that chatroom for explicit or implied requests to take down those comments? Again, surely not. It would be up to the aggrieved angler to send his request for take down direct to Demon. The whole point of Art 14 was to reassure host providers they had no need to monitor the activities of those to whom they provided hosting services. Not only would this involve huge expenditure of effort and cost, but it might also be privacy invasive and chilling of free speech. Art 15 states this absolutely explicitly:

"Member States shall not impose a general obligation on providers, when providing the services covered by Articles 12, 13 and 14, to monitor the information which they transmit or store, nor a general obligation actively to seek facts or circumstances indicating illegal activity."

Still another way to put this is to ask , what are the minimum requirements for notice? This is a perennial problem. The US DMCA largely gets it right, with a statutory form which requires a complainant to give clear details including their own address and status as rightsholder, and provides sanctions for false accusations. The ECD, being a EC wide framework, is hopelessly vague. The UK's own regs help a little but not much - there is no DMCA type statutory notice but Reg 22 of our E Commerce Regulations does state that

"In determining whether a service provider has actual knowledge ... a court shall take into account all matters which appear to it in the particular circumstances to be relevant [including] whether a service provider has received a notice through a means of contact made available in accordance with regulation 6(1)(c)" - ie, their official contact email address .

This stuff should be simple law (compared at least to issues like eBay and Louis Vuitton, Google and AdWords) but even it is not. The ECD deperately needs revised to get a few simple things right and harmonised across Europe: what form should "actual notice" take; what does "expediently" mean; what is constructive notice; when, if ever, can an obligation to filter proactively be placed on ISSPs; what immunities should search engines (and hyperlinkers and aggregators) have. Pangloss loves this stuff but even she is tired of writing the same stuff over and over again. It is time to review the ECD.

PS and in the interest of public policy but with just a hint of minx-itude, I have helped draft a proposed amendment to the Digital Economy Bill for ORG which would aim to clarify some of these very matters, at least for the UK. See you in the House of Lords! :-)

Friday, December 04, 2009

Predictions 2010

The SCl Journal is as usual publishing pithy predictions for next year from the great, good and garrulous in IT Law (though they don't seem to have asked me this year - sob!

The best so far of course is from the wonderful Jeremy Phillips:

From Jeremy Phillips, IP Consultant, Olswang LLP

* 'Three strikes' proposals, even if enacted, will be shown to be feeble, cosmetic inconveniences. What's more, downloaders will assert they have a right to two free infringements.
* The Ministry responsible for IP/IT will change its name, its role and its Minister.
* The aggregated figure for victims of Data Protection Act data leak will exceed the population of the UK.
* The government will proclaim that innovation is ‘key’ to the country's well-being while further restricting its exploitation and taxing it to death.
* Some people will continue to believe in Santa Claus, a flat Earth and the Manchester Manifesto.

I particularly love the second point. One wonders if it's like the professor for DEfense against the dark Arts in each harry Potter novel - each government reshuffle, a new incumbent and name for the department required!

Less funy, but equally to point and often overlooked as we focus on three strikes, data breaches and e-commerce:

"From Jaron Lewis, Partner, Reynolds Porter Chamberlain LLP

2010 will be the year that our pre-internet libel laws are kicked into shape. Legislation is expected to prevent publishers being sued over archived web content. We will also see a consensus forming over the introduction of more streamlined - and cheaper - procedures for resolving libel disputes. Finally, our libel judges will continue to make clear that those providing the web infrastructure - such as ISPs and search engines - should not be liable for defamatory content, even when they are on notice of a complaint."

Having taught Internet libel law, substantive and jurisdictional for almost 20 years now, I really hope we are going to see real change here on the UK's antiquated libel magnet laws - Metropolitan v Google, which Pangloss really should have found time to blog properly, isalso an especially heartening and sensible decision. It is just a shame the current review of the single publication rule (still open till Dec 16th) is not looking at place as well as time.

Finally although not a prediction or even legal I must leave you with my favourite quote of the week for everyone out there who spends their life glued to a keyboard:

from Ben Goldacre on Twitter:"if anyone needs me i'm flying to america tonight so i can kill everyone involved in writing and marketing microsoft word."

Tuesday, December 01, 2009

The Death of Public Wi fi: Grauniad

I decided to write up a user friendly version of the wi fi story for the Grauniad, as you can see here. Many thanks to Francis Davey, inter alia counsel for, who pointed out the difficulties of the word "agreement" in terms of defining a subscriber and an ISP in the Digital Economy Bill.

Saturday, November 28, 2009

ZDNet, Wi Fi and the Digital Economy Bill

ZDNet is reporting , rather relevantly to Current Times, that a pub owner running an open wi fi hotspot has been "fined £8,000" for infringing downloads by its customers. The information was provided by the Cloud, who provided the hot spot capability (and who also, incidentally, do the same for McDonalds, my example for wi fi liability of a few days back on this blog.)

"Graham Cove told ZDNet UK on Friday he believes the case to be the first of its kind in the UK. However, he would not identify the pub concerned, because its owner — a pubco that is a client of The Cloud's — had not yet given their permission for the case to be publicised."

ZDNet asked me to comment on the story which I was happy to do, but unfortunately one major error has crept through the phone call process. EDIT - corrected! Thank you! Story also now specifies it was a civil case.

So what about the pub story? It sounds very odd. Basically, we need more details here. First it doesn't sound on first glance like a case where criminal copyright would be applicable. So that probably isn't a "fine", but damages . Even more likely is that the case settled rather than going to final judgment (in which case, wouldn't it be a novel enough decision to have an opinion, and be up on BAILII? I can't see it there). In that case the £8000 is just an estimate of damages both parties were willing to settle for, and, it should be stressed, not a legal precedent.

As for the crucial responsibility angle, one wonders if the issue was mainly one of proof. After all, if a publican was alleged to be regularly downloading without permission, and the defense was that wi fi users were using his IP address ("it wasnae me" as we say in Glasgow), and the wi fi was open, then there was no attributed log of downloads, and thus no proof of this beyond that mere assertion. In strict law, even in a civil case where the standard of proof was the balance of probabilities, the onus of proof should be on the plaintiffs ie the rightsholders. But in a settlement situation, I can conceivably see that the publican might decide to give up and settle without hard proof to back up his case, and cut his losses and the chance of losing the case and paying both side's costs.

The important point is if that if this is a settlement, that doesn't at alll translate into a theory of secondary liability for downloaders suing your open network, still less a legal precedent. If anyone has further details, I'd love to hear them.

I may as well now go on and quote the rest of myself :) (a bit odd I know)

"However, she said the measures that would be brought in under the Digital Economy Bill — measures that could include disconnection of the account holder — would not apply because the business could be classified as a public communications service provider, which would make it exempt. According to the terms of the bill, only "subscribers" can be targeted with sanctions**.

[** note for legally minded Pangloss readers: this is because the DigiEc Bill cl 16defines "subscribers" as excluding "communications providers", which can be traced back via the Communications Act 2003 to include providers of electronic communications services or networks. The pub hotspot would fall into that class, probably :-) ]

According to legal advice sent to The Cloud by the law firm Faegre & Benson on 17 August, "Wi-Fi hotspots in public and enterprise environments providing access to the internet to members of the public, free or paid, are public communications services".

A public communications service provider must, under the terms of the Data Retention Regulations that came into force in the UK in April of this year, retain records for 12 months on communications that have taken place over their network. This data includes user IDs, the times and dates of access, and the online destinations that were being accessed. The content of the communications cannot be retained without the user's permission, due to data-protection laws.

However, there is a get-out clause in the Data Retention Regulations, in that no public communications service provider has to keep such records unless they are notified by the government that they are required to do so.

According to Edwards, this is because "only the big six ISPs have the facilities to comply, and because the government agreed [in its legislation] to repay some of the costs [of retaining [[and accessing - Pangloss adds]] such records]". She noted that this clause might itself be non-compliant with the EU data-retention laws that were transposed into UK law in April.

Edwards pointed out that, even if the sanctions proposed in the Digital Economy Bill come into force, "no-one will know who [the downloader] was, because the IP address that will show up [upon investigation] will be of the hotspot". She added that the rights holder seeking infringers of their copyright would probably not know that the IP address in question was not that of a subscriber.

It would then be up to the hotspot operator to point out that they were not the end user downloading copyrighted material. "But when would they get to say that? Maybe straightaway, maybe not until after disconnection — it's not currently clear," Edwards said."

Downfall Meets Peer review

Thursday, November 26, 2009

OK I said I'd stop but..

.. then OUT-Law asked me to comment on the implications of the Digital Economy Bill, especially for organisations and businesses that provide wi fi networks; and this made me think a bit more about how unworkable this whole scheme is.

As I said to OUT-LAW, among the proposed new sections of the Bill is s 124A(1)(b) , which says that action can be taken not just against someone suspected of infringing copyright, but also against "a subscriber to an internet access service [who] has allowed another person to use the service, and that other person has infringed the owner’s copyright by means of the service". This might well be interpreted to mean that anyone who operated unsecured wi fi was "allowing" others to download using it; and be held responsible for it. BIS has indeed so indicated in previous press statements.

One solution to this , as I discussed with OUT-LAW would be an unfortunate one; to effectively prohibit unsecured wi fi networks. But actually, even locking down its network (wi fi or fixed) is not a solution for businesses and the like. A domestic user with a secure wi fi network knows the small number of people who might have infringed using that network, so perhaps responsibility is not so draconian an assumption. But what of corporate networks of thousands of employees, or "public" places like McDonalds Hamburgers , where thousands are currently attracted by the use of free wi fi? Giving a wi fi or network login and password (as McDonalds do, as required by their hotdpot provider, The Cloud) is still, it seems to me, "allowing" that person to access the network.

The network operator might well try to defend itself by proof it was not the person at fault; but the opportunity to put that case would not, in the current skeleton scheme, perhaps come until after disconnection - at which point there is an appeal to a tribunal and thence to the courts. This could take years - after which time evidence of IP addresses, logins, timestamps, and the like might be hard to reconstruct. There is an appeal of kinds available to a "named person" immediately after the "warnings" ; but the detail, grounds and scope of that appeal are vague in the extreme and it is clearly only a very interim process. It might, eg, prove to be an opportunity only to dispute the exact factual details of the IP address collected, or the timestamp.

So are businesses like McDonalds to be held responsible for the copyright infringements of all their customers? Are universities to be held liable for all their students? At the moment it looks like it. Even if the result was only temporary disconnection, this could have a crippling effect on many businesses.

BIS apparently suggest that " the problem be solved by Wi-Fi operators policing their networks. "Many premises that offer public Wi-Fi access already disallow access to unlawful file-sharing sites," said the BIS statement. "Software which limits or prevents access is freely available and easy to install and we would anticipate any responsible organisation offering Wi-Fi access would take action if it appears their connection is being misused." [from OUT-LAW]

Such software solutions do indeed exist, but anyone running a large, fast network will tell you they are far from a complete solution. McDonalds' free wi fi may be far to slow for practical downloading of MP3s (I haven't tried it, but I suspect so) but I bet IBM's or my own university's network isn't - because these networks get used by real employees for serious legitimate purposes. Even in cafes, it takes more to stop P2P than just blocking the URL of the Pirate Bay site. Universities have been trying to stamp out illegal P2P filesharing on their networks for years, if only because they overload the bandwidth(their Acceptable Use Policies nearly always make illegal dowloading a disciplinary offence), and have still generally failed. Blocking the P2P protocol entirely is also counter productive; as is now well known many legal products such as BBC iPLayer now use this protocol. Will I find one day I cannot show a BBC programme to my students because the university has had to block iPlayer?

The only apparent get out for businesses and public bodies may lie in the definitions section of the Digital Economy Bill (cl 16, amending the Communications Act 2003) which says that a "subscriber" (who receives warnings) does *not* include someone who received Internet access as a "communications provider" (CP) themselves. This is intended, I think to protect ISPs who themselves merely retail bandwidth wholesaled by larger ISPs , on the grounds they should be regarded as ISPs giving access to infringers, not infringers themselves. But can it apply further?

The definition of a CP already within the Communications Act 2003 is someone who provides (as per s 32 of that Act) either an "electronic communications network" or an "electronic communications service". Both definitions are quite complex, but without going into more detail. they seem intended to cover those who offer telecommunications services as their main or sole business - ISPs, phone companies, etc - not other kinds of businesses or premises which merely, as a "side order", offer a wi fi or fixed line network.

But even if the definition of a "communications provider" could be stretched to cover the likes of businesses likeMcDonalds, or universities, it would seem likely it could then also be stretched to cover any domestic consumer who offered his household or area wi fi access. This would contradict statements from BIS as above, which have seemed quite clearly to say that domestic wi fi is one of the targets of the legislation.

Also, to make a bad matter worse, if BIS did agree that a business (say) was to be regarded as a "communications provider" not a "subscriber", and thus be free of the risk of disconnection, it would also mean that business was to be subject to all the obligations placed on CPs by OFCOM under the Communications Act 2003; and even worse , if they qualified as a PUBLIC "electronic communications service" or "network" provider (see s 151 of the Comms Act 2003 - also somewhat controversial but very likely to apply at least to any open wi fi network), they would be caught under under the recent Data Retention Directive Regs , and required in principle to retain emails, traffic data and texts sent using their facilities, for later possible police access. I can't see this going down well with small businesses, or even small families.*

Can BIS simply stick in an exception, avoiding the whole CP farrago, that eg, "public and educational institutions providing not for profit wireless networks services to the public, or some section of the public" shall not be regarded as "allowing " access under s 124A(1)(b)? Well not without abandoning the whole point of the Bill. Because then, in essence, the Bill will only cover domestic users and domestic wi fi. Any infringing downloading at work, university, cafes, hotels etc will not be covered. Is there really much point in such legislation?

Alternately, BIS can stick to its guns and declare that businesses etc are covered by the Bill just as much as domestic subscribers , which will mean businesses, to defend themselves from disconnection, will have to (a) lock down all networks and (b) even then, spend their own money when they start to receive warnings, on internally allocating blame, by ascertaining who was using that login at that time etc etc : fiddly, expensive, fun in open plan offices with hot desking :-) and quite likely, sometimes simply impossible.

Tricky, isn't it? I welcome further responses from BIS.

*Reg 8 of the DRD Regs 2009 may be a get out for SMEs and individuals here - since it says these obligations only fall on PECS or PECN providers by notice : but (a) thus leaves room forlots of FUD and (b) the legality of thus rule in respect of the UK's obligations under the original Directive is more than dubious.

EDITED after comments : 27/11/09.

Tuesday, November 24, 2009

PS Digital Britain footnote

Time to leave this bone alone and do some proper work, but I can't resist noting the Digital Britain's team responses to criticisms, having been directed towards it by the Beeb. As it happens, despite the impression the BBC gives, these responses date from the summer so should hardly be regarded as the current BIS last word. But I can scarcely credit this:

3. You’re criminalising a generation of people
Getting Copying* copyrighted material without permission or payment is already unlawful (it is a civil offence). Recognising that fact and enforcing existing rights is not criminalisation.
What in hell is a civil offence? There are civil infringements and criminal offences. This is the whole point: they demand diferent processes, different standards of proof and lead to different acceptable sanctions. It is in the interests of the music industry to attempt to blur the line between civil and criminal in relation to copyright - domestic copying is purely a civil infringement whereas commercial distribution may also be criminal - but the distinction is one that one would hope civil servants at least would understand, particularly when it would have helped them resist the original accusation! As the Beeb might say, Dear oh dear oh dear!.

Monday, November 23, 2009

Mandy and Me: some thoughts on the Digital Economy Bill

So, once more unto the breach, dear friends, once more, where the breach is of copyright of course. First a brief summary of the terrain.

Clauses 4-17 of the Digital Economy Bill introduce an “initial obligations” regime for ISPs, whereby subscribers accused of filesharing by rightsholders will be sent warnings of alleged copyright infringements, or “strikes”, by their ISPs; and a “technical measures” phase, to be green-lit only after evidence has been amassed that warnings do not work (but see below), which will allow sufficiently warned offenders who still seem not to have seen the error of their ways to be disconnected from the Internet. Traffic slowing and banning of access to certain sites eg the Pirate Bay, may also become available measures.

The Bill also, almost as an after thought, adds a “Henry VIII” clause, which allows the relevant Secretary of State (currently Lord Mandelson of Mordor sorry BIS) to make new copyright law in any area of Parts 1 and 7 of the Copyright, Design and Patents Act 1988 (CDPA), by statutory instrument (SI) not primary legislation, if justified by speed of technological developments (even ones that haven’t happened yet – see proposed new s 302A of the CDPA.) So essentially, new and important copyright laws (not exclusively to do with filesharing – DRM, fair dealing and user rights might all be affected) are to be made under the public radar, and without proper Parliamentary scrutiny. anytime, anywhere (hereafter, the “Martini clause”).

There has been a great deal of coverage of these matters – see eg here and here – so I will only point out a few matters of detail which have struck me as particularly worrying, on top of my, er, well-ventilated previous concerns about the principle of a regime of “three strikes” at all. Most of the press attention has focused on the posited disconnection regime, since of course the sanction is so far reaching. But the warnings regime, which if the Bill passes is likely to be of more immediate concern, is also staggeringly poorly drafted, and this is where my focus will lie.

Accusations and evidence

In the outline scheme we have, warnings are to be sent to subscribers solely on the say so of rightsholders. All a rightsholder need do, as presently laid out, is provide an IP address and time stamp of an alleged infringer to an ISP, and say that “ it appears to [them that ] a subscriber .. has infringed the owner’s copyright”. There is no requirement this belief be objectively reasonable. Nor is there any apparent sanction for malicious, or even simply careless or reckless allegations. Recent experience with the RIAA and BPI has shown that allegations made after IP address tracking at P2P sites often turn out to be wrong and that collecting IP addresses from P2P honeypots is a non-trivial exercise ; so the issue of liability for erroneous accusations is an important one. Libel, malicious falsehood and data protection laws may offer remedies for the falsely accused; but there is no mention of such in the Bill itself (so far), nor of any reasonable duty of care. In other words, all the power is given to rightsholders, and none of the responsibility.

“Allowing infringement”

The Bill also makes it clear that an infringement may be notified by a rightsholder if the subscriber “allowed another person to use the service and that other person has infringed”. What does “allowed” mean here? It seems clear it is intended to cover the case where an Internet service is used to download by any member of the household other than the subscriber eg by partners, children, flatmates and lodgers – but what of casual visitors, friends of children? Should such persons be routinely policed by the subscriber fearful of liability, their rooms and computers searched, guests interrogated about their laptops and smartphones? What of Art 8 ECHR guarantees of privacy (which, let us remember, apply to children as well as adults, especially in their own bedrooms)? This is however only the start. What of the school or university or business which gives access to the Internet to hundreds or thousands of people? These warnings will come to roost at their doors, or rather their IP addresses. Will we then see IBM, Oxford University and Standard Life (just say) subsequently banned from the Internet? Is it really feasible to expect such organisations to stamp out downloading among all their employees or attendees (especially given most already do their best to try) or to spend the resources on internally trying to attribute the warnings to individual employees etc?

The end of unsecured wi fi?

A connected issue Pangloss has raised before relates to wi fi. At present it is a subscriber’s choice whether to secure their wireless network or not. Despite the public panic about paedophile use etc, many still think leaving wi fi unsecured is a public service (see on this Daithi McSithigh’s excellent piece). Yet one can easily see that leaving a network unsecured will count as “allowing” another’s infringement (and note the mandatory requirement to notify alleged infringers about how to protect their wi fi in proposed new s 124(5)(f)). What we see therefore is constructive prohibition of unsecured wi fi by the back door, for both consumers, corporations and the public sector (think of the impact on digital inclusion?); a decision of huge significance, which itself deserves a major public debate.


Appeals against allegations untested in court and based on evidence solely of one interested party, are vital. At the warnings stage, a single appeal is to be allowed, it seems, not to a full tribunal but merely to a “named person” who will be an arbiter of some type, independent of ISPs and rights holders, though not of OFCOM. Such an appeal is also vital to ensuring that this process meets the requirement of a “fair and impartial” hearing, under what was Amendment 138 to the now finalised Telecoms Package. But no grounds are named in the Bill for an appeal against an erroneous warning to be allowed (there are some in relation to the better drafted and seperate appeal against disconnection) , nor is it stated what disposal the “person” could make if an error was found to have been made. Strangely, there is not even any requirement for alleged infringers to be told of this right of appeal, even though they are required to be given an enormous number of other pieces of educational “information”. This is wholly unsatisfactory, especially in relation to Amendment 138.

Notification of warning

Finally on this part, note (see proposed s 124A (7)) that warnings are to be deemed “notified” if sent to “the electronic or postal address” held by the ISP. As someone who never uses or checks their nominal ISP-provided email address ( I guess) , I would strongly suggest this be altered to “and” rather than “or”. Of course this would cost substantially more to the rightsholders and ISPs, so possibly some midway solution should be found where an ISP is required to obtain a current used email address from its subscribers.

ISP liability?

ISPs hold an unfortunate piggy-in-the-middle position in all this, forced by the threat of a fine of up to £250,000 to co-operate with rightsholders, even though they gain nothing from the process but overheads and customer ill-will. I have said elsewhere that I do not think it is just or sensible to enrol ISPs as “copyright cops”, but if they are to be, they need strong protection from liability, ideally in the form of an indemnity from the rightsholders who actually plan to benefit from this whole stramash. ISPs face potential liability for sending out libellous allegations to subscribers, and again for disconnecting the wrong person on erroneous evidence, and in breach of contract, However currently all ISPs get by way of protection is the feather-light provision that an indemnity may – not must – be provided by the Code to be drafted (again, no further details now– see new s 124J(4)(b). If I were an ISP, I’d be going out now to price a shedload of legal liability insurance J - or to check out moving offshore.

The disconnection regime

Finally (gentle reader wipes brow), the present government has made a great deal of the assertion that the “disconnection” stage is a “nuclear deterrent” option – only to be implemented if all else has failed. One wonders why, three months before an election the current incumbents are likely to lose, it was not then simply left to the discretion of the next government whether to bring forward legislation, once the evidence was in. As it stands, the “disconnection” regime is supposed to be brought in, it has been widely reported, if a review by OFCOM shows (to some very vague timetable) that the “warnings and passing of ID details” approach is not working. However if you go and look, what s 124H(1)(b) actually says is that the Secretary of State may order that the “technical measures” stage may go ahead as appropriate in view of such a report OR “any other consideration”. In other words, you can forget evidence based policy making if times are tough, and donations from rightsholders are needed? Again Pangloss’s suggestion would be for that last sub-clause to go.

I could go on – for most of a PhD length thesis I suspect – but enough is enough. This legislation bears every hallmark of having been drafted in haste on the back of an envelope on a wet Tuesday. It’s so like The Thick Of It. Only without the jokes .

Ps if you are unhappy with any of the above, can I politely direct you towards ?

Friday, November 20, 2009


.. is my new middle name.

The Digital Economy Bill will be released at 7.30am tomorrow and will, it seems, include not only the anticipated disconnection provisions, but also a clause to allow the Secretary of State to basically change copyright law at will in order to stop filesharing, without primary legislation and without proper public debate and democratic oversight.

Why is this?

It's reflecting the fact that technology is changing very fast," said Timms. "The existing [method] is quite cumbersome. We might need something else in the future."

So clearly every time things happen fast and the law might struggle to keep up with them, in future, well we should just junk ordinary democratic safeguards before anyone notices, and bow instead to the partisan interests who pay lobbyists the most to shout the loudest? I expect to see similar legislation introduced shortly so that SIs can be whipped out and shoved through to deal with every fast moving situation from Afghanistan to floods in Essex, banker bonuses in December and tone deaf twins winning X-Factor. Hey, democratic debate is for wimps. SOOOO last millennium.

The best thing one could say about this legislation is that it is so outrageous, it is hard to believe it could seriously have been included in the Queen's Speech if the current sadpack on the way out thought there was a real chance of getting it through before the election.
I could say a great deal more about this but I won't : Instead I'll quote in full the funniest thing on the Internet today by novelist Nick Harkaway.

"News I Made Up Which Would Arguably Be Less Bad Than The Actual News. (2)

The Business Secretary, Lord Mandelson, today announced the creation of a new post to deal with the nuanced and difficult issue of copyright in the digital era. The Batshit Tsar will have a mandate to seek out anyone, anywhere who does anything using a computer and set them on fire.

Candidates for the post include Lord Duckhouse of Cobbham, Baroness Fishwicket (formerly BPI President Martin Cleep) and Brian Dubblehand-Pryce, Witchfinder General to the Court of James I & VIth, although there is some doubt over the availability of Mr Dubblehand-Pryce, as he is believed to have been dead for four hundred years.

Civil liberties campaigners have expressed alarm at the plan to make an offense of ‘downloading copyright material’. It is unclear how anyone will be able to use the internet ever again without committing a crime. A Department of Health spokesman said this would have the positive effect of getting people out in the open air.

“The Internet is a middle class, elitist phenomenon which is ruining our atomised society with a sense of community and cooperation,” he said. “This will put a stop to that, and to the development of the nascent public sphere which has given us so much trouble recently.”

The much-debated ‘three strikes’ policy will require a massive monitoring operation, trawling through the logs of anyone who uses a high-bandwidth connection to get large amounts of data to see if they are doing anything wrong. This sort of ‘fishing expedition’ is generally considered inadmissible in court, but since there will be no court for this sort of crime, the government is confident the issue will not arise.

“If we don’t do this,” the spokesman said, “we’ll almost certainly have an outbreak of witches by Christmas. There will be rains of frogs and giant panthers in Surrey, and even my tinfoil hat will not protect me from the brainwaves of Satan which are transmitted down the tubes of the Internet by demonic monkeys. The public has to be protected.”

Lorrie Fingerhubble, of the British Association of Giant Nocturnal Lizards, welcomed the news.

“I think this is absolutely splendid,” Ms Fingerhubble said enthusiastically from her secret undersea base in Regent’s Park. “It’s ideal for the government to be able to make arbitrary, draconian changes to the law which won’t work, will cost money, and will criminalise everyone. It’s a traditional approach to law in the UK: we make a rule no one can hope to obey and then prosecute people when we want to but not otherwise, creating a sense of lurking guilt and suspicion at all times!”

Asked whether the law might conceivably be misused to stifle democratic debate or to spy on people, the government spokesman said:


Thursday, November 19, 2009

here we go, here we go..

The Digital Economy Bill is nigh:

"Digital economy bill

Ensuring a world-class digital future following the Digital Britain White Paper , published on 16 June 2009, setting out the Government's ambition to secure the UK's position as one of the world's leading digital knowledge economies and take forward a new, more active industrial policy to maximise the benefits from the digital revolution by:

  • delivering a universally available broadband in the UK by 2012 through a public fund, including funds released from the digital television switchover help scheme;
  • giving the sectoral regulator, Ofcom, two new duties: first, to promote investment in infrastructure and content alongside its duties to promote competition; and second, to carry out a full assessment of the UK's communications infrastructure every two years; to ensure that the UK has a first class and resilient communications infrastructure;
  • establishing the necessary enabling powers for new commissioning bodies providing strong multi media news in the Nations, regionally and locally and update the Channel 4 Corporation's remit. This would help create the environment for continued investment in, and creation of, high quality and innovative content, including necessary changes in relation to public service broadcasting;
  • ensuring that all national broadcast radio stations are digital from the end of 2015, by making changes to the existing radio licensing regime to enable digital coverage to be extended, encourage investment by the commercial sector, alongside the BBC, in new digital content, and revise the existing regulatory and multiplex licences;
  • creating a robust legal and regulatory framework to combat illegal file sharing and other forms of online copyright infringement and give Ofcom a specific new responsibility to significantly reduce this practice, including two specific obligations on Internet Service Providers: the notification of unlawful activity and, for alleged serial-infringers, collation of data to allow rights holders to obtain court orders to force the release of personal details, enabling legal action to be taken against them;
  • implementing the recommendations of the Byron Review published in June 2008, to put age ratings of computer games on a statutory footing for ratings of 12 years and above. This will be achieved through the adoption of a new and strengthened system of classification for boxed video games with a strong UK based statutory layer of regulation, ensuring protection for children."
Well, hmm. .. see the emboldened section.. and no third obligation, to disconnect repeat offenders? I very much doubt it's been dropped - but it's interesting not to see it there..

Pangloss sees no full text of the Bill via Google - if it is out there, could somone point me at it?

Now we wait to see which happens first, the end if the world by Holywood apocalypse or the end of New Labour by election :-)

Wednesday, November 18, 2009

Privacy and Facebook, IGF style

My esteemed colleague Ian Brown of the OII has been off presenting our joint research on privacy and saocial networking sites at the IGF in Egypt (lucky dog!)

The updated powerpoint can be found here.

Monday, November 09, 2009

New DP blog

Another useful discovery - DP Thinker - Pangloss isn't sure to whom we owe the pleasure though. Of course it's clearly a matter of privacy :-) but anyone want to own up?

Tuesday, November 03, 2009

Lisbon Treaty We Salute You

I almost thought I would never live to see the day but yes the Lisbon Treaty has cleared its final hurdle and will become European law possibly in December 2009.

It's all rather a damp squib for a UK privacy lawyer though. (Even one who is healthily sceptical that the Tories can get us out of this one, even when they do get in.) Pangloss's main interest was in wondering if the EU Charter's explicit addition of a right to protection of personal data as well as the well known right to respect for private life (cf Art 8, ECHR) might make a difference and if so, in what way. However for we delicate flowers of the UK and Poland, there will be no change on the human rights front: see Art 1 -
In particular, and for the avoidance of doubt, nothing in Title IV of the Charter creates justiciable rights applicable to Poland or the United Kingdom except in so far as Poland or the United Kingdom has provided for such rights in its national law.
Pangloss is sadly no EU law nerd, and would welcome comment from any such out there as to whether this means we are in any way likely to receive less comprehensive privacy protection than the rest of the EU? Examples? This seems particularly relevant given the general feeling that the UK is implementing EC DP law at the minimum or below : see the EU's continuing efforts to persuade the UK to buck up over Phorm, not to mention long-simmering confusion or dismay over (a) Durant v FSA and (b) relatedly, our lack of sync with the Art 29 WP as to when and if to treat IP addresses as personal data.

It also of course means the UK remains unbound, at least in theory, by Article 36 of the Charter of Rights on Access to services of general economic interest. So no danger of the UK fast following in the footsteps of Finland and declaring access to broadband a human right? Surprising, that :-)

However before we Anglo-Saxons despair, we should remember the guidance from the ECJ in Promusicae which indicated that whether signatories or not and whether (as seemed uncertain at the time) the Lisbon Treaty ever became binding, the principles of the Charter of Rights are still likely to be regarded as part of EC law in the guise of underlying "general principles of Community law".

Thursday, October 29, 2009

TalkTalk vs Mandy??

Two days ago Pangloss, commenting on Mandelson's newly elaborated plans to introduce a UK "3 Strikes", added;
Interesting thought from Twitter: "if my business was cut off for allegedly downloading illegally I'd be looking for someone to sue". Will any legislation have an immunity in it for ISPs a la the US DMCA? If not, start lobbying NOW, ISPs.."

This thought (which turns out to have originated from the helpful @futureidentity, aka Robin Wliton) seems to have occurred fairly swiftly to others too... According to the Grauniad, today:

TalkTalk, the second largest internet service provider in the UK, has threatened to launch legal action if business secretary Peter Mandelson follows through with his plan to cut off persistent illegal filesharers' internet connections.

Carphone Warehouse-owned TalkTalk, which has more than 4 million ISP customers and owns the Tiscali and AOL brands, claimed the government's plan was based on filesharers being "guilty until proven innocent" and constituted an infringement of human rights.

"The approach is based on the principle of 'guilty until proven innocent' and substitutes proper judicial process for a kangaroo court," said Andrew Heaney, the executive director of strategy and regulation at TalkTalk. "We know this approach will lead to wrongful accusations."

While the liberal blogosphere has on the whole greeted this news with unrestrained enthusiasm (Twitter is full of it), Pangloss is a litle sceptical as to whether it is any more than self-seeking good-PR sabre-rattling.

Firstly, what exactly is TalkTalk's title to sue here? Surely not anything mentioned in the interview above. The breach of human rights, if any, will surely be of the subscribers, not the ISP. Any wrongful accusations without due process will similarly be directed at users, not the conduit.

TalkTalk's (or any other ISP's) real worries seem obvious :

(a) the threat of being sued by aggrieved users for everything from breach of confidence, to acessory to false accusation, to co-publisher of a libel, as well as of course for breach of the actual contract for Internet services; and

(b) the costs of being involved in Mandy's Great Scheme, both in terms of actual money and loss of customer goodwill. The Guardian also usefully reports today that according to BT and Carphone Warehouse (ie TalkTalk) , Mandy's scheme might costs £420m pa, to be shared evenly between rightsholders and ISPs (and, incidentally, to solve an estimated loss to the music industry of half that - c £200m pa.)

These figures make it clear the latter is the real issue, not human rights, nor liability to customers. In fact, most ISPs will have extensive exclusion from liability clauses in their subscriber contracts already - although these may well be subject to challenge under the Unfair Terms Regulations and /or UCTA and thus unenforceable.

So what would be the ISP's actual grounds for an action? No one has a right in this country simply to dispute a statute because they don't like it. Victims of a human rights violation - an unlawful act under s 7 of the HRA 98 - may indeed question the validity of a statute in any domestic proceedings, though under HRA 98, no UK court has the right to strike down legislation, merely to make a declaration of incompatibility, leaving it to the governement then to sort out what the hell to do.

Is TalkTalk itself a victim of any ECHR or HRA human rights violation? I don't see how. (Indeed it was once controversial if a juristic person could suffer a human rights violation - though this now seems to be accepted in some cases.) What they might argue is the rather muzzy domestic law tort that the government has interfered with their business contracts. This would be controversial (doesn't a government have the right to do exactly that? case law mainly concerns dirty practice by commercial competitors) and would attract considerably less public sympathy of course.

Another more plausible line of attack would be that any legislation was in breach of EC law forbidding ISPs from being required to generally monitor the public under art 15 of the E-Commerce Directive - although this has not stopped the French passing HADOPI - twice :-)

Pangloss is glad to see ISPs like TalkTalk, whom she has always regarded as being stuck between a rock and a hard place in this matter, coming out firmly against Mandelson's proposals and even gladder to see them endorse her own arguments that 3 strikes is likely to be in breach of ECHR guarantees of due process and privacy. But frankly - sue Mandelson? Oh come on, as someone else might say...

Wednesday, October 28, 2009

Google Street View

Just discovered this wonderful Pixar-esque video of how Google Street View protects privacy. If only life was really like this!!

Mandelson ploughs on

Pangloss feels compelled to report on yesterday's doings at the C&binet meeting (stupid name..)

The Beeb reports Mandelson as follows:


I have no expectation of mass suspensions. People will receive two notifications and if it reaches the point [of cutting them off] they will have the opportunity to appeal," he told the audience at the C&binet Forum, a talking shop set up by government to debate the issues facing the creative industries.

The pay-off for tough penalties against persistent file-sharers would be a more relaxed copyright regime, Mr Mandelson said.

The details of it would need to be hammered out at European level but it would take account of the use of copyright material "at home and between friends", he said."

So to state the bleeding-edge obvious:

- 3 strikes will be rubber stamped quickly by Parliament (it'll need to to avoid the end of the Labour regime); getting changes through the EC on fair use/fair dealing will take 2-6 years - if it happens at all. Some trade off.
- Still no detail on whether disconnection will require judicial oversight let alone a court order. Silence plus the enforced clamp down in the European Parliament on Amendment 138 would rather indicate not. It will be administarative fiat to cut off, with the onus placed on consumers, probably without legal aid, to appeal to the courts. This is so not natural justice.

As`Jim Killock of ORG noted:

"Even MI5 disagree with Mr Mandelson - they are convinced we will see a rise of a 'Dark Net' of infringers. Nobody at C&binet from an online music service, as opposed to an old media company, thought that peer-to-peer [file-sharing] was a threat to their businesses."

Same old same old..

Interesting thought from Twitter: "if my business was cut off for allegedly downloading illegally I'd be looking for someone to sue". Will any legislation have an immunity in it for ISPs a la the US DMCA? If not, start lobbying NOW, ISPs..

Pangloss has a lodger who for all she knows downloads night and day on the house wi fi. Will it become my responsibility to interrogate her and if necessary demand access to her computer? Hello DDR..

Death and Facebook

Ok back to business as usual..

Pangloss is always pleased to see things she's been lecturing about for a year turn into reality, and here comes one again. Facebook have decided to formalise the procedures they already, to some extent had, for "memorialising" the profiles of users who have become deceased. The Grauniad reports:

"When someone leaves us, they don't leave our memories or our social network. To reflect that reality, we created the idea of 'memorialised' profiles as a place where people can save and share their memories of those who've passed," explained Max Kelly, Facebook head of security, on the company's blog.

But what does it mean, that an account gets "memorialised"? The contact information and status updates are removed, and the profile is set private. No one can log into it any more. Only Facebook friends can locate the profile via search and leave posts on the wall for remembrance."

Although neither the Guardian nor Facebook mention it, it seems likely this too is a response to the recent demand by the Canadian Privacy Commissioner that FB put their house in order. But is this really the best option, or the only alternative (as it has been presented) to deletion by default?

As Pangloss has suggested before, is it not really up to the user themselves if they wish to see their site "memorialised", or if they feel this might be mawkish and upsetting? Would it not be better and indeed simpler for FB to provide a preference switch for the user to say in advance what they want, rather than relying on the impetus of the family to make a choice on death? And what if the user leaves a wish in their will which conflicts with what the family say to FB - will anyone have an interest to intervene?

Another problem, which the Guardian has also spotted, is that FB has simultaneously rolled out a "Reconnect" feature which encourages users to get back in touch with friends they've lost touch with. From FB's company blog, one user comment exposes the problem:

"hey i don't know if you read all of these, but facebook has suggested that i "reconnect" with two friends in the last two days, both of whom died over 18 months ago. please, please, please stop this as it is disturbing and creepy."
Er, yes. Oops?

Pangloss wonders bye the bye if is coincidental these changes have been made fairly shortly after the Jewish New Year and the Day of Atonement (Yom Kippur) when one remembers the dead and gone .. a connection recently made by Jewish Week who interviewed Pangloss a month back on this exact matter. The idea floated there that eulogy posts on FB memorialised profiles are a sort of collective post death mourning in these godless times, is an interesting and slightly scarey one. How long before FB goes 3D and starts offering an optional virtual funeral with avatars of deceased and friends? (And what adverts would they sell alongside??)

Pangloss herself is laid up right now with a bad back, by the way, and definitely feels after all this like she has one foot in the web 2.0 grave..

Monday, October 26, 2009

A sad but True Tale of Non-Honest Non-Chartered Accountants

This is a bit of a departure from normal practice. But what after all is the point of running something as self indulgent a waste of time as a blog if you can't use it (a) to vent a bit and (b) to provide public service information? :)

Pangloss is not unbusy - perhaps a mere gnat by comparison to the Masters of the Universe of Olswangs and Clifford Chance and perhaps even Queen Mary, but, even so, kinda busy you know. So for a number of years her practice has been to pay someone to prepare her self assessment tax return in January. Many moons ago, she noticed a quiet but well appointed outfit called Gillespies Accountants conveniently situated on Edinburgh's Lothian Road which boldly advertised flat rate self assessment. Inside was an aged retainer who revealed to Pangloss (who actually had a first career as a tax editor but it was mainly about CTT which had more or less been abolished so no bloody use) the glories of capital allowances, taking off money for the home office, and generally managing to secure far more in tax savings than he cost. Pangloss was entranced and became a regular. The procedure was simple: dump an envelope of receipts and invoices on his desk, come back in a couple days, and write a cheque to the IR , left to be sent who knows where, and a cheque to Gillespies. Short, swift and satisfying.

Several years later, Pangloss re arrives in Auld Reekie and around the post festive time, searches out her benefactor. Alas, he has gone to the great accounting firm in the sky. But lo, Gillespies still exists, albeit in far less convenenient premises in the middle of the giant hole in the road formerly known as Haymarket. Miracle! she breathes, and hastens thereto (performing several illegal left turns). The place is a post festive Marie Celeste, inhabited by one young and extremely distracted looking accountant called Campbell Walker who is a bit like the manic depresive insane patient David Tennant played in his very first role in Taking Over The Asylum. But ne'er mind, looks aren't everything right? And they'rer still (fairly) cheap.

So receipts are unbundled all over the desk and Pangloss flees merrily unburdened before her car is towed away, and then comes back again, braving icy weather, bagpipers and lost haunted buses, to sign the forms, and sign a cheque to HMRC and Gillespies and escape again. Phew.

Now imagine her surprise when some eight months later (because the post is decrepit and at least one letter had clearly never made it to her new temporary address with its communal postie area) she discovers that (a) her tax was never paid and (b) the HMRC are now charging a hefty surcharge for late payment with threats of sending the boys round. Imagine her surprise at having thought professional accountants she had paid to do this might have managed to send off a cheque in time. Imagine her not surprise at discovering Gillespies have nonethless long banked the cheque she wrote them. Imagine her not surprise redoubled at discovering that no cheque had indeed been processed by HMRC at the right time. Imagine also her consternation at not having kept her old cheque book because come on guys, cheque factories are closing down all over Britain they're so twentieth century and Pangloss looks everything up on RBS's very efficient online direct banking these days.

And imagine further her surprise on ringing Gillespies, and after ooh, only a two week wait on an urgent enquiry, being directed to the Eminence Grise Senior Partner (think Wolfram and Hart here) receiving not an apology, not an explanation, and certainly not an offer to pay the surcharge, but instead a denial of all knowledge of any cheque, or having lost one , or having not asked for one when one was needed, and a thinly disguised accusation (by someone who's very clearly seen too many cop shows) of it all being NOT ONLY some kind of elaborate fraud to gain a princely sum of about £200, BUT ALSO, ABSOLUTELY, HER OWN FAULT for being one of the people who dared to get their self assessment done - for money - at the last minute.

Pangloss was so perplexed she almost didn't manage to point out that THIS WAS HOW GILLESPIES M ADE MOST THEIR MONEY.

And so to the Web. Strangely Gillespies have no website so Pangloss cannot name and shame the Senior Partner she spoke to. Let's call him CrackerPot. Nor, it turns out, are they chartered accountants. or members of ICAS. Which means they have no regulator to report them to. Unlike lawyers, you can call youself "accountant" it seems and not be part of any professional body. In fact, they are in fact as duely accredited as any other self respecting homeopath, clairvoyant or witch doctor.

Pangloss feels very stupid. But if I didn't know this stuff, how in **'s name is an ordinary member of the public meant to? And is it not some kind of major failing in the 8 million, 342,000 consumer protection laws we have now that calling yourself "Accountants" involves no professional regulation of any kind?

Would anyone out there like to do some pro bono work in professional negliegence for grateful academic? :-) Alternately just pass this on, and if you live in or nearabouts Edinburgh please do NOT risk the attitude I befell - choose life, don't choose Gillespies. Please pass on!

Friday, October 23, 2009

Oh dear

Via b2fxxx. comes the news that the Council has indeed shoved through the deeply unsatisfactory compromise version of Amendment 138 to the Telecoms Package over the , well not quite dead but fatally wounded body of the European Parliament. Sez Ray:

"La Quadrature du Net are unhappy with the revised version of amendment 138 to the telecoms package agreed by the Council and representatives of the EU parliament.
"Yesterday, representatives of the European Parliament, an institution that ordinarily prides itself for protecting human rights at home and abroad, decided to surrender to the pressure exerted by Member States. The Parliament gave up on amendment 138, a provision adopted on two occasions by an 88% majority of the plenary assembly, and which aims at protecting citizens' freedom in the online world. Instead of ensuring that no restriction to Internet access would be imposed without the prior ruling of a judge, amendment 138 will instead be replaced by a weak provision1, that does not carry any new important safeguard for citizen's freedoms.
The European Parliament, who regularly boasts itself about its credentials in the field of human rights, has endorsed the false idea that it had no power in protecting their constituents' rights under current rules. This decision was taken consciously by rapporteur Catherine Trautmann, in order not to risk a confrontation with the Council of EU and to quickly finish with the Telecoms Package. She, along with the rest of the Parliament delegation deliberately ignored existing texts and case law pointing to the fact that it had the competence to adopt the core principles of amendment 1382. They didn't even try to reword the original amendment in order to preserve its initial objective."

Thanks Ray for the update. This is depressing but largely expected. Sigh.

The new text reads as follows, according to La Quadrature:

"3a. Measures taken by Member States regarding end-users' access to or use of services and applications through electronic communications networks shall respect the fundamental rights and freedoms of natural persons, as guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms and general principles of Community law.

Any such measures liable to restrict those fundamental rights or freedoms may only be taken in exceptional circumstances and imposed if they are necessary, appopriate and proportionate within a democratic society, and shall be subject to adequate procedural safeguards in conformity with the European Convention for the Protection of Human Rights and Fundamental Freedoms and with general principles of Community law, including effective judicial protection and due process. In particular, any measures may only be adopted as a result of a prior, fair and impartial procedure ensuring inter alia that the principle of presumption of innocence and the right to be heard of the person or persons concerned be fully respected. Furthermore, the right to an effective and timely judicial review shall be guaranteed.

This shall not affect the competence of a Member State, in conformity with its own constitutional order and with fundamental rights, to establish a requirement of a judicial decision authorising the measures to be taken."

This is at least slightly better than one earlier version of the compromise amendment Pangloss saw (which may explain the cave) . But the sting in the tail is the last para. Clearly by implication for some member states , of a certain constitutional tradition (which, one wonders? could it include France? and perhaps the UK?), a "proper" judicial decision will not be necessary before disconnection, no matter how much flannel is in the previous para.

"Effective judicial review" at end para 2 also makes it clear that any right to a prior court order before disconnection has vanished, leaving only post factum appeal (which in light of consumer ignorance, and inertia, and the costs of proving someone messed up on IP identification is an almost meaningless remedy for the masses).

Oddly the Register today merely reports that the Telecoms package has to be settled before end year or fall entirely, which left six weeks to negotiate, and suggests

"The Council and Parliament are [still] in disagreement over a clause in a Commission-proposed reform package for telecoms regulation which would stop internet users being cut off for alleged file-sharing without a court's authority."

Can someone confirm the Quadrature de Net version of events?

EDIT: the all-knowing Monica Horten also seems to report confusion as to whether this text has actually been accepted.

EDIT 2: Surely there is a Downfall mashup out there about amendment 138 by now? This has to be the last days in the bunker..

Friday, October 09, 2009

New UK Internet Libel case coming?

Thanks for the heads up from @loveandgarbage (c/o Twitter) for the following news from David Osler, author of Dave's Part, who is facing libel action from Tower Hamlets Tory activist Johanna Kaschke, following a post on this blog in 2007. She is also (says Dave) suing two other Labour Party members, Alex Hilton and John Gray, over related issues.

"The uncontested facts here are that Ms Kaschke, as a student and member of the centre-left SPD in her native Germany in the 1970s, helped to organised a benefit concert for Rote Hilfe, an organisation officially designated left-extremist, designed to raise funds for the legal fees of Baader-Meinhof Gang suspects; that she was herself subsequently arrested on suspicion of terrorism; and that she spent several months on remand, after which she was released and compensated for unfair imprisonment.

It is further uncontested that Ms Kaschke nominated herself as Labour candidate for Bethnal Green & Bow in 2007; that she received just one vote; that shortly thereafter she defected to George Galloway's Respect party; shortly after that, she joined an as-yet-unspecified Communist Party; and that shortly after that, she became a Conservative. She was, in other words, a member of four political parties in 12 months.

Interestingly, the jury will be asked to rule on whether or not it is libellous to call somebody 'one cherry short of a Schwarzwalderkirschtorte'. Not my words, but those of a reader, left in the comments box. If I lose on that point, the consequences for internet freedom of speech are clearly considerable."
Remarkable, and not just for the linguistics (German cookery experts are invited to elucidate me on the exact translation).

Sites such as the BBC , Yahoo! etc have of course long worried about the liability implications of comment sections on "live" blogs whether moderated or unmoderated. It seems well settled that a host site owner can be liable for publishing the defamatory remarks of commenters. It is equally well settled however that under both Defamation Act 1996 s 1 and the EC E-Commerce Directive Arts 14 and 5, defences are open to hosts in respect of content posted by another.

The interesting point here is I think about the quality of the quoted comment. The English courts have so far, rather admirably, taken a fairly robust attitude towards too quickly attributing the quality of libel to remarks made in the typical hasty cut and thrusts of Internet babble. Most notably in Sheffield Wednesday v Hargreaves [2007] EWHC 2375: particularly
  1. It seems to me that some of the postings which concern the Claimants border on the trivial, and I do not think that it would be right to make an order for the disclosure of the identities of users who have posted messages which are barely defamatory or little more than abusive or likely to be understood as jokes. That, it seems to me, would be disproportionate and unjustifiably intrusive. The postings which in my judgment fall into this category are those numbered 4 ("xdanielx"), which is only capable of being argued to be defamatory by devising a frankly implausible meaning, 7 ("Foot04"), which is barely if at all defamatory of the Second Claimant, 8 ("southy") and 14 ("cbrbob"), both which in my view are plainly intended as jokes and would have been unlikely to be taken seriously, let alone understood in the senses for which Mr Eardley argued, and 10 and 11 ("paulrs") which I regard as no more than saloon-bar moanings about the way in which the club is managed, rather than a serious indictment of grave mismanagement. In my view the same is true of 6 ("Auckland Owl") and 12 ("danksy"), which add to the mix a smidgeon of personal abuse of a kind which I would have thought most unlikely to be taken seriously. I take a similar view of the posting numbered 2 ("DJ Mortimer"), which is no more than mildly abusive and is fairly plainly comment.
  2. The postings which I regard as more serious are those which may reasonably be understood to allege greed, selfishness, untrustworthiness and dishonest behaviour on the part of the Claimants. In the case of those postings, the Claimants' entitlement to take action to protect their right to reputation outweighs, in my judgment, the right of the authors to maintain their anonymity and their right to express themselves freely,
Thuis was of course however an action for discloure of the identity of the commenters by Norwhich Pharmacal orders , not an actual action on liability.

But see also Smith v ADFN , misreported as Adven in Edwards and Waelde 3rd ed, oh dear.

Here Eady J took possibly the firmest imaginable stance in discouraging libel actions re mere "vulgar abuse " (eg a description of plaintiff in comments as "a destructuive twerp")

  1. The question on which I need to focus next is whether there has been persistence with regard to claims that can properly be characterised as "totally without merit". If so, I could come to the corresponding conclusion that his present application to lift the stays would to that extent also be totally without merit. I have rehearsed above a number of examples where claims have been made in respect of postings which are so obviously, in their context, either mere vulgar abuse or fair comment (sometimes both). There are also examples of a converse and corresponding interest in the subject-matter, for various reasons, such as to give rise to occasions of qualified privilege.
  1. I referred to common themes in the postings, such as that of "bullying" other users and making "threatening demands" for money. That is classic fair comment territory and, in the light of the modern authorities, it is inconceivable that a jury would find any of those who expressed such a view "malicious" – let alone all of them. Opinions may be expressed in exaggerated and strident terms; the only requirement is that they be honestly held. It is fanciful to suppose that any of these people did not believe what they were saying. Even if they reached their conclusions in haste, or on incomplete information, or irrationally, the defence would still avail them. It would be wasteful to let proceedings go forward merely on the footing of a series of formulaic assertions to the effect that the individual concerned did not honestly believe what he was saying. There is accordingly no realistic prospect of any such claims achieving the only legitimate goal of vindicating reputation.
  2. I would not suggest for a moment that blogging cannot ever form the basis of a legitimate libel claim. I am focusing only on these particular circumstances. It does seem to me appropriate to characterise these claims as totally without merit. I will therefore make an extended civil restraint order, which means that Mr Smith cannot launch any further libel proceedings arising out of the Langbar matter based upon bulletin board blogs without obtaining my written permission."

These remarks are technically obiter in relation to Osler's case as the issue in Smith was the maintenance of injunctions rather than a finding of libel. However in relation to the comment post in particular, in short, I do not think Mr Osler has much to worry about :-)

What Twitter is For # 102

Via Matthias Klang:

Phishing Continues to Soar

Via OUT-Law and Future Identity

"The number of phishing attacks on online banking systems has risen by 26% in the first half of this year. Phishing is the technique that was used to uncover the tens of thousands of Hotmail, Google Mail and Yahoo! Mail passwords revealed this week.

Phishing is the practice of creating fake versions of websites and asking users to enter their login details. Those details are then stored so that they can be used on the real sites.

It was revealed last week that more than 10,000 users of Microsoft's Hotmail service had had their details harvested by phishing attacks. They were then published online. It emerged this week that a similar problem had emerged in relation to the details of users of other web mail services such as Google Mail and Yahoo! Mail."

Pangloss has long predicted that rises in phishing will inexorably lead to banks becoming more and more reluctant to pick up the can , and instead imposing fault based filters on recompense. Should regulation in this area more effective than the current Banking Code not be part of the general reconsideration right now of the duties as well as profits of banks? Hmm. It will be interetsing also to see what constraints the new Payments Directive imposes. AS Future Identity points out, banks gain at least as much from a working and trustworthy online banking system as they lose, given the rundown in high street banking services.

Sunday, September 27, 2009

Oh Lily, Don't be Silly

(via Boing Boing) This open letter to Lily Allen, set to the tune if one of her own songs is rather endearing. I don't agree with this all-out anti all music IP stance, but I can imagine this being fun to kick start a debate with my students in a few weeks time, as it's surprisingly well argued..

ps I like Lily Allen's work too and own actual copies of both her CDs to date..

Thursday, September 24, 2009

.. and the unbearable addictiveness of data

This piece from the Guardian about information overload addiction is so relevant to I suspect 105% of my audience I'm just going to quote most of it (originality is so last millennium):

"...In case you got sidetracked and didn't get a chance to read the rest, here are the cold, hard facts:

• A study found that once workers were interrupted by an email it took on average 24 minutes to return to the suspended task.

• 2,300 employees judged nearly one third of the emails they receive to be unnecessary, but spend two hours a day processing them.

• Research reported that the IQ scores of people distracted by email and phone calls fell from their normal level by an average of 10 points – twice the decline recorded for those smoking marijuana.

To be honest I had to go and sit in a dark corner without the ring of a phone in earshot or flash of a computer screen in sight in order to concentrate for long enough to bring you this blogpost, and even then it was tough. How we get anything done is a miracle.

But before your attention wanders elsewhere, please confess the tendencies you have noticed in yourself that may be symptoms of this very modern malady. Perhaps you are raising a BlackBerry orphan, or can't remember the last time you finished reading a novel."

Right I'm of to re-check Facebook, Blogger, Twitter, Out-Law and LiveJournal :-)

The Unbearable Cynicism of Being

One strange side effect of Law and the Internet 3rd edn coming out has been that the geeks have noticed a law book has an XKCD cartoon on the cover. I was pretty pleased when a friend of that persuasion passed me a link to where someone had kindly started a thread called "Probably the best front cover for a law book you wil ever see.. xkcd!"

I was less pleased though when reading down I found a bunch of people had independently assumed we had stolen the cover, ie used it without permission from Randall Munroe, the creator of XKCD. It seemed the joy of imagining a law book containing chapters on copyright on the Internet had pointedly ripped off an actual IP creator, outweighed the inherent utter unlikeliness of such a tactic. The fact that I'd written here in easily Googleable form about how delighted I was that we'd been given permission also didn't stop some doubters (though to be fair, a minority).

So when I posted to say that yes, actually we had permssion, and Randall had given us it for free, what a sweetheart! I thought everyone would be relieved. No, that merely provoked A`N Other geek, no doubt pissed off a losing sight of an easy target, to post under my own name, ("theRealLilian Edwards") saying I'd lied about this in public. Meanwhile someone else posted, after I had made my correction, asserting that the legality was still in doubt. (EDIT: now amended, ta.)

It's this sort of thing writ large that gives geekdom and the blogosphere the bad reputation it has with people as diverse as the Daily Mail and my mum. I know on the scale of things this hardly compares to being pursued by dubious paparazzi making up lies about one's love life, but it left a bad taste in my mouth. I am, as I usually say, at least part-geek myself, and this cover was in a way my gift to myself and the geek community. It has thrilled me to use it. I was hurt people could think we could be so stupid and malevolent as to use it without consent.

Andres Guadamuz spoke eloquently about technophobia at GikII Amsterdam , one of his prevailing themes. The usual reasons that get cited as to why people react to a technological society badly are a combination of ignorance, fear of change and media manipulation. To these I would add that geek culture - and much of web 2.0 culture - is a product to a large extent of the Asperger's spectrum and leans towards the tactless, rude and pointlessly combative. This is fun when you're in your teens and twenties, less later on when life is already too full of the stresses of work, mortgages and parking fines to want to get a blast out of a right-on hardcore flame war in your leisure time. Politeness and forethought become the new anti-authoritarianism.

Matthias Klang says on Twitter he's writing a chapter on web 2.0 and integrity. I'm beginning to be tempted to write something on web 2.0 and social dysfunction myself..

Tuesday, September 22, 2009

Google 1: Luxury Brands 0!

Pangloss is pretty bushed after the excellent SCL Policy Forum (thanks to co-chairs Chris Reed, Judith Rauhofer, and gracious hosts Herbert Smith) but just has to bring this breaking news; the Advocate General's opinion has come out (via Joris Hoboken), in the hotly awaited ECJ reference in Luxury Brands plc (OK, see real parties below) vs Google, on whether Google is liable for trademark infringement as a result of its keyword based "AdWords" service. The meat of the opinion is that Google is not liable for selling keywords to advertisers which correspond to trade marks owned by others, since the use of the TM, such as it is, is restricted to the relationship between Google and the advertiser, and is not aimed "outwards" at the user, thus not causing customer confusion.

TM lawyers will have plenty to say on that part but for Pangloss, the real excitement is what this says about search engines as immune or liable intermediaries under the EC Electronic Commerce Directive. The AG opinion (available in full now, since I started writing!) is not binding on the court but often predicts the likely result :

Advocate General’s Opinion in Joined Cases C-236/08, C-237/08 and C-238/08
Google France & Google Inc. v Louis Vuitton Malletier, Google France v Viaticum & Luteciel and Google France v CNRRH, Pierre-Alexis Thonet, Bruno Raboin & Tiger, franchisée Unicis

"..Mr. Poiares Maduro also rejects the notion that Google's actual or potential contribution to a trade mark infringement by a third party should constitute an infringement in itself. He opines that instead of being able to prevent, through trade mark protection, any possible use – including many lawful and even desirable uses –, trade mark owners would have to point to specific instances giving rise to Google’s liability in the context of illegal damage to their trade marks. [bold added]

In this context, the Advocate General finds that both Google's search engine and AdWords constitute information society services. He adds that service providers seeking to benefit from a liability exemption under the E-Commerce Directive should remain neutral as regards the information they carry or host.[bold added]

However, whilst the search engine is a neutral information vehicle applying objective criteria in order to generate the most relevant sites to the keywords entered, that is not the case with Adwords where Google has a direct pecuniary interest in internet users clicking on the ads' links.

Accordingly, the liability exemption for hosts provided for in the E-Commerce Directive should not apply to the content featured in AdWords."

Pangloss Sez: Wow that is interesting. So, it seems we have a clear and defiant rejection of the content industry-lead idea that IP holders can command online intermediaries - or just search engines? - to undertake prior blanket filtering to prevent alleged infringement of their rights. The context of AdWords is very different from that of Viacom v YouTube (for example) of course, but does this point to how we may see an upcoming ECJ reference panning out on liability of web 2.0 sites, like eBay, and in particular, whether they can be compelled by the likes of LVM to proactively filter out content, rather than run, as now, on a post factum notice and take down paradigm? See discusion of conflicting cases in US, Continental Europe and recently England on this controversial point, here.

On the other hand we also have a clear steer from the AG that where ISSPs like Google make money out of their "neutral" activities in hosting or linking to content by monetising them via connected advertising, they remain ISSPs but nonetheless become fair game for liability, and are no longer "neutral intermediaries". Would this mean that YouTube, who perhaps occasionally host IP infringing user generated content :-) and monetise this hosting via ads, could be commandedby a court to filter proactively, as opposed to simply wait for NTD; while, par contraire, eBay, who also sometimes host infringing content, but make their money from unconnected user commissions, not ads, would not be so susceptible and could continue to depend on expedient NTD to retain immunity?

Oh this is going to be fun :-)