A UK-based cyberlaw blog by Lilian Edwards. Specialising in online privacy and security law, cybercrime, online intermediary law (including eBay and Google law), e-commerce, digital property, filesharing and whatever captures my eye:-) Based at The Law School of Strathclyde University. From January 2011, I will be Professor of E-Governance at Strathclyde University, and my email address will be lilian.edwards@strath.ac.uk.
Saturday, November 28, 2009
ZDNet, Wi Fi and the Digital Economy Bill
"Graham Cove told ZDNet UK on Friday he believes the case to be the first of its kind in the UK. However, he would not identify the pub concerned, because its owner — a pubco that is a client of The Cloud's — had not yet given their permission for the case to be publicised."
ZDNet asked me to comment on the story which I was happy to do, but unfortunately one major error has crept through the phone call process. EDIT - corrected! Thank you! Story also now specifies it was a civil case.
So what about the pub story? It sounds very odd. Basically, we need more details here. First it doesn't sound on first glance like a case where criminal copyright would be applicable. So that probably isn't a "fine", but damages. Even more likely is that the case settled rather than going to final judgment (in which case, wouldn't it be a novel enough decision to have an opinion, and be up on BAILII? I can't see it there). In that case the £8000 is just an estimate of damages both parties were willing to settle for, and, it should be stressed, not a legal precedent.
As for the crucial responsibility angle, one wonders if the issue was mainly one of proof. After all, if a publican was alleged to be regularly downloading without permission, and the defense was that wi fi users were using his IP address ("it wasnae me" as we say in Glasgow), and the wi fi was open, then there was no attributed log of downloads, and thus no proof of this beyond that mere assertion. In strict law, even in a civil case where the standard of proof was the balance of probabilities, the onus of proof should be on the plaintiffs ie the rightsholders. But in a settlement situation, I can conceivably see that the publican might decide to give up and settle without hard proof to back up his case, and cut his losses and the chance of losing the case and paying both sides' costs.
The important point is that if this is a settlement, that doesn't at all translate into a theory of secondary liability for downloaders using your open network, still less a legal precedent. If anyone has further details, I'd love to hear them.
I may as well now go on and quote the rest of myself :) (a bit odd I know)
"However, she said the measures that would be brought in under the Digital Economy Bill — measures that could include disconnection of the account holder — would not apply because the business could be classified as a public communications service provider, which would make it exempt. According to the terms of the bill, only "subscribers" can be targeted with sanctions**.
[** note for legally minded Pangloss readers: this is because the DigiEc Bill cl 16 defines "subscribers" as excluding "communications providers", which can be traced back via the Communications Act 2003 to include providers of electronic communications services or networks. The pub hotspot would fall into that class, probably :-) ]
According to legal advice sent to The Cloud by the law firm Faegre & Benson on 17 August, "Wi-Fi hotspots in public and enterprise environments providing access to the internet to members of the public, free or paid, are public communications services".
A public communications service provider must, under the terms of the Data Retention Regulations that came into force in the UK in April of this year, retain records for 12 months on communications that have taken place over their network. This data includes user IDs, the times and dates of access, and the online destinations that were being accessed. The content of the communications cannot be retained without the user's permission, due to data-protection laws.
However, there is a get-out clause in the Data Retention Regulations, in that no public communications service provider has to keep such records unless they are notified by the government that they are required to do so.
According to Edwards, this is because "only the big six ISPs have the facilities to comply, and because the government agreed [in its legislation] to repay some of the costs [of retaining [[and accessing - Pangloss adds]] such records]". She noted that this clause might itself be non-compliant with the EU data-retention laws that were transposed into UK law in April.
Edwards pointed out that, even if the sanctions proposed in the Digital Economy Bill come into force, "no-one will know who [the downloader] was, because the IP address that will show up [upon investigation] will be of the hotspot". She added that the rights holder seeking infringers of their copyright would probably not know that the IP address in question was not that of a subscriber.
It would then be up to the hotspot operator to point out that they were not the end user downloading copyrighted material. "But when would they get to say that? Maybe straightaway, maybe not until after disconnection — it's not currently clear," Edwards said."
Thursday, November 26, 2009
OK I said I'd stop but..
As I said to OUT-LAW, among the proposed new sections of the Bill is s 124A(1)(b), which says that action can be taken not just against someone suspected of infringing copyright, but also against "a subscriber to an internet access service [who] has allowed another person to use the service, and that other person has infringed the owner’s copyright by means of the service". This might well be interpreted to mean that anyone who operated unsecured wi fi was "allowing" others to download using it; and be held responsible for it. BIS has indeed so indicated in previous press statements.
One solution to this, as I discussed with OUT-LAW, would be an unfortunate one; to effectively prohibit unsecured wi fi networks. But actually, even locking down its network (wi fi or fixed) is not a solution for businesses and the like. A domestic user with a secure wi fi network knows the small number of people who might have infringed using that network, so perhaps responsibility is not so draconian an assumption. But what of corporate networks of thousands of employees, or "public" places like McDonalds Hamburgers, where thousands are currently attracted by the use of free wi fi? Giving a wi fi or network login and password (as McDonalds do, as required by their hotspot provider, The Cloud) is still, it seems to me, "allowing" that person to access the network.
The network operator might well try to defend itself by proof it was not the person at fault; but the opportunity to put that case would not, in the current skeleton scheme, perhaps come until after disconnection - at which point there is an appeal to a tribunal and thence to the courts. This could take years - after which time evidence of IP addresses, logins, timestamps, and the like might be hard to reconstruct. There is an appeal of kinds available to a "named person" immediately after the "warnings"; but the detail, grounds and scope of that appeal are vague in the extreme and it is clearly only a very interim process. It might, eg, prove to be an opportunity only to dispute the exact factual details of the IP address collected, or the timestamp.
So are businesses like McDonalds to be held responsible for the copyright infringements of all their customers? Are universities to be held liable for all their students? At the moment it looks like it. Even if the result was only temporary disconnection, this could have a crippling effect on many businesses.
BIS apparently suggest that "the problem be solved by Wi-Fi operators policing their networks. "Many premises that offer public Wi-Fi access already disallow access to unlawful file-sharing sites," said the BIS statement. "Software which limits or prevents access is freely available and easy to install and we would anticipate any responsible organisation offering Wi-Fi access would take action if it appears their connection is being misused." [from OUT-LAW]
Such software solutions do indeed exist, but anyone running a large, fast network will tell you they are far from a complete solution. McDonalds' free wi fi may be far too slow for practical downloading of MP3s (I haven't tried it, but I suspect so) but I bet IBM's or my own university's network isn't - because these networks get used by real employees for serious legitimate purposes. Even in cafes, it takes more to stop P2P than just blocking the URL of the Pirate Bay site. Universities have been trying to stamp out illegal P2P filesharing on their networks for years, if only because they overload the bandwidth (their Acceptable Use Policies nearly always make illegal downloading a disciplinary offence), and have still generally failed. Blocking the P2P protocol entirely is also counter productive; as is now well known, many legal products such as BBC iPlayer now use this protocol. Will I find one day I cannot show a BBC programme to my students because the university has had to block iPlayer?
The only apparent get out for businesses and public bodies may lie in the definitions section of the Digital Economy Bill (cl 16, amending the Communications Act 2003) which says that a "subscriber" (who receives warnings) does *not* include someone who received Internet access as a "communications provider" (CP) themselves. This is intended, I think, to protect ISPs who themselves merely retail bandwidth wholesaled by larger ISPs, on the grounds they should be regarded as ISPs giving access to infringers, not infringers themselves. But can it apply further?
The definition of a CP already within the Communications Act 2003 is someone who provides (as per s 32 of that Act) either an "electronic communications network" or an "electronic communications service". Both definitions are quite complex, but without going into more detail, they seem intended to cover those who offer telecommunications services as their main or sole business - ISPs, phone companies, etc - not other kinds of businesses or premises which merely, as a "side order", offer a wi fi or fixed line network.
But even if the definition of a "communications provider" could be stretched to cover the likes of businesses like McDonalds, or universities, it would seem likely it could then also be stretched to cover any domestic consumer who offered his household or area wi fi access. This would contradict statements from BIS as above, which have seemed quite clearly to say that domestic wi fi is one of the targets of the legislation.
Also, to make a bad matter worse, if BIS did agree that a business (say) was to be regarded as a "communications provider" not a "subscriber", and thus be free of the risk of disconnection, it would also mean that business was to be subject to all the obligations placed on CPs by OFCOM under the Communications Act 2003; and even worse, if they qualified as a PUBLIC "electronic communications service" or "network" provider (see s 151 of the Comms Act 2003 - also somewhat controversial but very likely to apply at least to any open wi fi network), they would be caught under the recent Data Retention Directive Regs, and required in principle to retain emails, traffic data and texts sent using their facilities, for later possible police access. I can't see this going down well with small businesses, or even small families.*
Can BIS simply stick in an exception, avoiding the whole CP farrago, that eg, "public and educational institutions providing not for profit wireless networks services to the public, or some section of the public" shall not be regarded as "allowing" access under s 124A(1)(b)? Well not without abandoning the whole point of the Bill. Because then, in essence, the Bill will only cover domestic users and domestic wi fi. Any infringing downloading at work, university, cafes, hotels etc will not be covered. Is there really much point in such legislation?
Alternately, BIS can stick to its guns and declare that businesses etc are covered by the Bill just as much as domestic subscribers, which will mean businesses, to defend themselves from disconnection, will have to (a) lock down all networks and (b) even then, spend their own money when they start to receive warnings, on internally allocating blame, by ascertaining who was using that login at that time etc etc: fiddly, expensive, fun in open plan offices with hot desking :-) and quite likely, sometimes simply impossible.
Tricky, isn't it? I welcome further responses from BIS.
*Reg 8 of the DRD Regs 2009 may be a get out for SMEs and individuals here - since it says these obligations only fall on PECS or PECN providers by notice: but (a) thus leaves room for lots of FUD and (b) the legality of this rule in respect of the UK's obligations under the original Directive is more than dubious.
EDITED after comments : 27/11/09.
Tuesday, November 24, 2009
PS Digital Britain footnote
3. You’re criminalising a generation of people
Getting Copying* copyrighted material without permission or payment is already unlawful (it is a civil offence). Recognising that fact and enforcing existing rights is not criminalisation.
Monday, November 23, 2009
Mandy and Me: some thoughts on the Digital Economy Bill
Clauses 4-17 of the Digital Economy Bill introduce an “initial obligations” regime for ISPs, whereby subscribers accused of filesharing by rightsholders will be sent warnings of alleged copyright infringements, or “strikes”, by their ISPs; and a “technical measures” phase, to be green-lit only after evidence has been amassed that warnings do not work (but see below), which will allow sufficiently warned offenders who still seem not to have seen the error of their ways to be disconnected from the Internet. Traffic slowing and banning of access to certain sites eg the Pirate Bay, may also become available measures.
The Bill also, almost as an after thought, adds a “Henry VIII” clause, which allows the relevant Secretary of State (currently Lord Mandelson of
There has been a great deal of coverage of these matters – see eg here and here – so I will only point out a few matters of detail which have struck me as particularly worrying, on top of my, er, well-ventilated previous concerns about the principle of a regime of “three strikes” at all. Most of the press attention has focused on the posited disconnection regime, since of course the sanction is so far reaching. But the warnings regime, which if the Bill passes is likely to be of more immediate concern, is also staggeringly poorly drafted, and this is where my focus will lie.
Accusations and evidence
In the outline scheme we have, warnings are to be sent to subscribers solely on the say so of rightsholders. All a rightsholder need do, as presently laid out, is provide an IP address and time stamp of an alleged infringer to an ISP, and say that “it appears to [them that] a subscriber .. has infringed the owner’s copyright”. There is no requirement this belief be objectively reasonable. Nor is there any apparent sanction for malicious, or even simply careless or reckless allegations. Recent experience with the RIAA and BPI has shown that allegations made after IP address tracking at P2P sites often turn out to be wrong and that collecting IP addresses from P2P honeypots is a non-trivial exercise; so the issue of liability for erroneous accusations is an important one. Libel, malicious falsehood and data protection laws may offer remedies for the falsely accused; but there is no mention of such in the Bill itself (so far), nor of any reasonable duty of care. In other words, all the power is given to rightsholders, and none of the responsibility.
“Allowing infringement”
The Bill also makes it clear that an infringement may be notified by a rightsholder if the subscriber “allowed another person to use the service and that other person has infringed”. What does “allowed” mean here? It seems clear it is intended to cover the case where an Internet service is used to download by any member of the household other than the subscriber eg by partners, children, flatmates and lodgers – but what of casual visitors, friends of children? Should such persons be routinely policed by the subscriber fearful of liability, their rooms and computers searched, guests interrogated about their laptops and smartphones? What of Art 8 ECHR guarantees of privacy (which, let us remember, apply to children as well as adults, especially in their own bedrooms)? This is however only the start. What of the school or university or business which gives access to the Internet to hundreds or thousands of people? These warnings will come to roost at their doors, or rather their IP addresses. Will we then see IBM, Oxford University and Standard Life (just say) subsequently banned from the Internet? Is it really feasible to expect such organisations to stamp out downloading among all their employees or attendees (especially given most already do their best to try) or to spend the resources on internally trying to attribute the warnings to individual employees etc?
The end of unsecured wi fi?
A connected issue Pangloss has raised before relates to wi fi. At present it is a subscriber’s choice whether to secure their wireless network or not. Despite the public panic about paedophile use etc, many still think leaving wi fi unsecured is a public service (see on this Daithi McSithigh’s excellent piece). Yet one can easily see that leaving a network unsecured will count as “allowing” another’s infringement (and note the mandatory requirement to notify alleged infringers about how to protect their wi fi in proposed new s 124(5)(f)). What we see therefore is constructive prohibition of unsecured wi fi by the back door, for both consumers, corporations and the public sector (think of the impact on digital inclusion?); a decision of huge significance, which itself deserves a major public debate.
Appeals
Appeals against allegations untested in court and based on evidence solely of one interested party, are vital. At the warnings stage, a single appeal is to be allowed, it seems, not to a full tribunal but merely to a “named person” who will be an arbiter of some type, independent of ISPs and rights holders, though not of OFCOM. Such an appeal is also vital to ensuring that this process meets the requirement of a “fair and impartial” hearing, under what was Amendment 138 to the now finalised Telecoms Package. But no grounds are named in the Bill for an appeal against an erroneous warning to be allowed (there are some in relation to the better drafted and separate appeal against disconnection), nor is it stated what disposal the “person” could make if an error was found to have been made. Strangely, there is not even any requirement for alleged infringers to be told of this right of appeal, even though they are required to be given an enormous number of other pieces of educational “information”. This is wholly unsatisfactory, especially in relation to Amendment 138.
Notification of warning
Finally on this part, note (see proposed s 124A (7)) that warnings are to be deemed “notified” if sent to “the electronic or postal address” held by the ISP. As someone who never uses or checks their nominal ISP-provided email address (something@virgin.net I guess), I would strongly suggest this be altered to “and” rather than “or”. Of course this would cost substantially more to the rightsholders and ISPs, so possibly some midway solution should be found where an ISP is required to obtain a current used email address from its subscribers.
ISP liability?
ISPs hold an unfortunate piggy-in-the-middle position in all this, forced by the threat of a fine of up to £250,000 to co-operate with rightsholders, even though they gain nothing from the process but overheads and customer ill-will. I have said elsewhere that I do not think it is just or sensible to enrol ISPs as “copyright cops”, but if they are to be, they need strong protection from liability, ideally in the form of an indemnity from the rightsholders who actually plan to benefit from this whole stramash. ISPs face potential liability for sending out libellous allegations to subscribers, and again for disconnecting the wrong person on erroneous evidence, and in breach of contract. However, currently all ISPs get by way of protection is the feather-light provision that an indemnity may – not must – be provided by the Code to be drafted (again, no further details now – see new s 124J(4)(b)). If I were an ISP, I’d be going out now to price a shedload of legal liability insurance :-) - or to check out moving offshore.
The disconnection regime
Finally (gentle reader wipes brow), the present government has made a great deal of the assertion that the “disconnection” stage is a “nuclear deterrent” option – only to be implemented if all else has failed. One wonders why, three months before an election the current incumbents are likely to lose, it was not then simply left to the discretion of the next government whether to bring forward legislation, once the evidence was in. As it stands, the “disconnection” regime is supposed to be brought in, it has been widely reported, if a review by OFCOM shows (to some very vague timetable) that the “warnings and passing of ID details” approach is not working. However if you go and look, what s 124H(1)(b) actually says is that the Secretary of State may order that the “technical measures” stage may go ahead as appropriate in view of such a report OR “any other consideration”. In other words, you can forget evidence based policy making if times are tough, and donations from rightsholders are needed? Again Pangloss’s suggestion would be for that last sub-clause to go.
I could go on – for most of a PhD length thesis I suspect – but enough is enough. This legislation bears every hallmark of having been drafted in haste on the back of an envelope on a wet Tuesday. It’s so like The Thick Of It. Only without the jokes.
Ps if you are unhappy with any of the above, can I politely direct you towards http://petitions.number10.gov.uk/dontdisconnectus/ ?
Friday, November 20, 2009
Incredulity
The Digital Economy Bill will be released at 7.30am tomorrow and will, it seems, include not only the anticipated disconnection provisions, but also a clause to allow the Secretary of State to basically change copyright law at will in order to stop filesharing, without primary legislation and without proper public debate and democratic oversight.
Why is this?
"It's reflecting the fact that technology is changing very fast," said Timms. "The existing [method] is quite cumbersome. We might need something else in the future."
So clearly every time things happen fast and the law might struggle to keep up with them, in future, well we should just junk ordinary democratic safeguards before anyone notices, and bow instead to the partisan interests who pay lobbyists the most to shout the loudest? I expect to see similar legislation introduced shortly so that SIs can be whipped out and shoved through to deal with every fast moving situation from Afghanistan to floods in Essex, banker bonuses in December and tone deaf twins winning X-Factor. Hey, democratic debate is for wimps. SOOOO last millennium.
The best thing one could say about this legislation is that it is so outrageous, it is hard to believe it could seriously have been included in the Queen's Speech if the current sadpack on the way out thought there was a real chance of getting it through before the election.
I could say a great deal more about this but I won't: instead I'll quote in full the funniest thing on the Internet today by novelist Nick Harkaway.
"News I Made Up Which Would Arguably Be Less Bad Than The Actual News. (2)
The Business Secretary, Lord Mandelson, today announced the creation of a new post to deal with the nuanced and difficult issue of copyright in the digital era. The Batshit Tsar will have a mandate to seek out anyone, anywhere who does anything using a computer and set them on fire.
Candidates for the post include Lord Duckhouse of Cobbham, Baroness Fishwicket (formerly BPI President Martin Cleep) and Brian Dubblehand-Pryce, Witchfinder General to the Court of James I & VIth, although there is some doubt over the availability of Mr Dubblehand-Pryce, as he is believed to have been dead for four hundred years.
Civil liberties campaigners have expressed alarm at the plan to make an offense of ‘downloading copyright material’. It is unclear how anyone will be able to use the internet ever again without committing a crime. A Department of Health spokesman said this would have the positive effect of getting people out in the open air.
“The Internet is a middle class, elitist phenomenon which is ruining our atomised society with a sense of community and cooperation,” he said. “This will put a stop to that, and to the development of the nascent public sphere which has given us so much trouble recently.”
The much-debated ‘three strikes’ policy will require a massive monitoring operation, trawling through the logs of anyone who uses a high-bandwidth connection to get large amounts of data to see if they are doing anything wrong. This sort of ‘fishing expedition’ is generally considered inadmissible in court, but since there will be no court for this sort of crime, the government is confident the issue will not arise.
“If we don’t do this,” the spokesman said, “we’ll almost certainly have an outbreak of witches by Christmas. There will be rains of frogs and giant panthers in Surrey, and even my tinfoil hat will not protect me from the brainwaves of Satan which are transmitted down the tubes of the Internet by demonic monkeys. The public has to be protected.”
Lorrie Fingerhubble, of the British Association of Giant Nocturnal Lizards, welcomed the news.
“I think this is absolutely splendid,” Ms Fingerhubble said enthusiastically from her secret undersea base in Regent’s Park. “It’s ideal for the government to be able to make arbitrary, draconian changes to the law which won’t work, will cost money, and will criminalise everyone. It’s a traditional approach to law in the UK: we make a rule no one can hope to obey and then prosecute people when we want to but not otherwise, creating a sense of lurking guilt and suspicion at all times!”
Asked whether the law might conceivably be misused to stifle democratic debate or to spy on people, the government spokesman said:
“Antelopes.”
Thursday, November 19, 2009
here we go, here we go..
"Digital economy bill
Ensuring a world-class digital future following the Digital Britain White Paper, published on 16 June 2009, setting out the Government's ambition to secure the UK's position as one of the world's leading digital knowledge economies and take forward a new, more active industrial policy to maximise the benefits from the digital revolution by:
- delivering a universally available broadband in the UK by 2012 through a public fund, including funds released from the digital television switchover help scheme;
- giving the sectoral regulator, Ofcom, two new duties: first, to promote investment in infrastructure and content alongside its duties to promote competition; and second, to carry out a full assessment of the UK's communications infrastructure every two years; to ensure that the UK has a first class and resilient communications infrastructure;
- establishing the necessary enabling powers for new commissioning bodies providing strong multi media news in the Nations, regionally and locally and update the Channel 4 Corporation's remit. This would help create the environment for continued investment in, and creation of, high quality and innovative content, including necessary changes in relation to public service broadcasting;
- ensuring that all national broadcast radio stations are digital from the end of 2015, by making changes to the existing radio licensing regime to enable digital coverage to be extended, encourage investment by the commercial sector, alongside the BBC, in new digital content, and revise the existing regulatory and multiplex licences;
- creating a robust legal and regulatory framework to combat illegal file sharing and other forms of online copyright infringement and give Ofcom a specific new responsibility to significantly reduce this practice, including two specific obligations on Internet Service Providers: the notification of unlawful activity and, for alleged serial-infringers, collation of data to allow rights holders to obtain court orders to force the release of personal details, enabling legal action to be taken against them;
- implementing the recommendations of the Byron Review published in June 2008, to put age ratings of computer games on a statutory footing for ratings of 12 years and above. This will be achieved through the adoption of a new and strengthened system of classification for boxed video games with a strong UK based statutory layer of regulation, ensuring protection for children."
Pangloss sees no full text of the Bill via Google - if it is out there, could someone point me at it?
Now we wait to see which happens first, the end of the world by Hollywood apocalypse or the end of New Labour by election :-)
Wednesday, November 18, 2009
Privacy and Facebook, IGF style
The updated powerpoint can be found here.
Monday, November 09, 2009
New DP blog
Tuesday, November 03, 2009
Lisbon Treaty We Salute You
It's all rather a damp squib for a UK privacy lawyer though. (Even one who is healthily sceptical that the Tories can get us out of this one, even when they do get in.) Pangloss's main interest was in wondering if the EU Charter's explicit addition of a right to protection of personal data as well as the well known right to respect for private life (cf Art 8, ECHR) might make a difference and if so, in what way. However for we delicate flowers of the UK and Poland, there will be no change on the human rights front: see Art 1 -
In particular, and for the avoidance of doubt, nothing in Title IV of the Charter creates justiciable rights applicable to Poland or the United Kingdom except in so far as Poland or the United Kingdom has provided for such rights in its national law.
Pangloss is sadly no EU law nerd, and would welcome comment from any such out there as to whether this means we are in any way likely to receive less comprehensive privacy protection than the rest of the EU? Examples? This seems particularly relevant given the general feeling that the UK is implementing EC DP law at the minimum or below: see the EU's continuing efforts to persuade the UK to buck up over Phorm, not to mention long-simmering confusion or dismay over (a) Durant v FSA and (b) relatedly, our lack of sync with the Art 29 WP as to when and if to treat IP addresses as personal data.
It also of course means the UK remains unbound, at least in theory, by Article 36 of the Charter of Rights on Access to services of general economic interest. So no danger of the UK fast following in the footsteps of Finland and declaring access to broadband a human right? Surprising, that :-)
However before we Anglo-Saxons despair, we should remember the guidance from the ECJ in Promusicae which indicated that whether signatories or not and whether (as seemed uncertain at the time) the Lisbon Treaty ever became binding, the principles of the Charter of Rights are still likely to be regarded as part of EC law in the guise of underlying "general principles of Community law".