Thursday, July 28, 2011

Newzbin 2: Landmark or Laughing Stock?

In answer to my own not so jocular question in the title, the answer is, I truly don't know.

So the long awaited decision in Newzbin 2 aka Twentieth Century Fox et al v BT [2011] EWHC 1981 (Ch) is out. Pangloss has not had time to read the details yet of this lengthy judgment (she is longing to, but has been doing boring stuff designing relaunched websites all day) but to some extent the big question is what the practical impact of the decision will be now, more than the implications for future legal interpretations.

Newzbin was (or is) a website which described itself as a "Usenet search site": while not a classic P2P torrent site, or indeed a host of infringing content, it enabled extremely easy access to infringing copies of major movies. In the first Newzbin case, [2010] EWHC 608 (Ch), in March 2010, Kitchin J found that Newzbin knew the vast majority of the files so indexed were commercial products protected by, and infringing, copyright. As a result he held that Newzbin infringed the copyright of the complaining rightsholder film studio plaintiffs. It had not only authorised and procured infringement under the CDPA, which were perhaps the most likely counts of infringement, but it was also held to be a primary infringer in that it had communicated the copyright works to the public without permission.

Newzbin 1 was a big win for rightsholders - or should have been. In fact, of course, what happened was the site moved offshore (apparently), kept the same URL and fanbase (and subscription revenue stream) but went effectively outwith the jurisdiction.

Undaunted, the plaintiffs took approach 2: asking BT, the largest UK ISP and telco, to block access to Newzbin to its subscribers wherever it was physically located. The means of so doing was s 97A of the CDPA which existed long before the Digital Economy Act but whose scope has been in doubt.

Although the plaintiffs made it clear that if successful they would move on to suing other ISPs similarly, BT had the big advantage as a first test case in that it is the owner of what is commonly (and wrongly - cue annoyed email from Clive Feather) known as Cleanfeed. This is the blocking technology which is used by ISPs alerted by the Internet Watch Foundation to voluntarily block images of child sexual abuse. Cleanfeed is a reasonably effective form of blocking for child pornography because it can focus on one file or even one image: it does not block entire domains or entire keywords, as some blocking tools do, which might include substantial innocent material.

To cut to the chase, after much legal discussion of HRA, the E-Commerce Directive (I salivate as I write), Promusicae, and the Digital Economy Act (be still my beating heart) and even in a deft flourish the new L'Oreal vs eBay ECJ case, Mr Justice Arnold agreed to make an order to block. The draft order sought is drafted in the following terms:

"1. The Respondent shall adopt the following technology directed to the website known as Newzbin or Newzbin2 currently accessible at www.newzbin.com and its domains and sub domains. The technology to be adopted is:
(i) IP address blocking in respect of each and every IP address from which the said website operates or is available and which is notified in writing to the Respondent by the Applicants or their agents.
(ii) DPI based blocking utilising at least summary analysis in respect of each and every URL available at the said website and its domains and sub domains and which is notified in writing to the Respondent by the Applicants or their agents.
2. For the avoidance of doubt paragraph 1(i) and (ii) is complied with if the Respondent uses the system known as Cleanfeed and does not require the Respondent to adopt DPI based blocking utilising detailed analysis.
3. Liberty to the parties to apply on notice in the event of any material change of circumstances (including, for the avoidance of doubt, in respect of the costs, consequences for the parties, and effectiveness of the implementation of the above measures as time progresses)." *

There are a number of points to be made here. First, this was an extremely clever test case to pick to establish the legality of blocking orders via s 97A. It is a bit like shooting fish in a barrel: first, a prior UK court had established Newzbin was overwhelmingly devoted to infringing and enabling infringement of copyright, and for obvious commercial gain (it was a premium subscription site). Compare if an order to block a torrent P2P site had been sought: where content accessed may be infringing, or may be public domain, and where "knowledge" is much harder to pin down; and where revenue streams, and thus again illicit intent, may not be so obvious. Similar problems would arise with a host site like YouTube where there is at least as much UGC as infringing pirate content. Note also that Newzbin had already been found not just to be authorising infringement but actually to be primary infringers themselves.

Then, secondly, add in the fact that BT already had a tried and tested and relatively non-overblocking tool like Cleanfeed on their hands - and the outcome was something of a foregone conclusion. The judgment also notes carefully that this is not another SABAM (para 177) - where the ECJ (or at least so far, the AG) seems to have balked at the width and unimplementability of what was asked and refused to make a blocking order to stop access by ISP customers to P2P traffic. The order sought here is quite focused and, specifically, does not require what is conventionally thought of as DPI - monitoring and analysis of all subscriber traffic.

But, two important questions. First, is this, as is often the way, a Pyrrhic victory for the plaintiffs? I.e., will it work? Second, what is the fallout of this decision? In other words, what are the bad consequences that may flow from what many - not even all working for the content industry - may regard as an obvious and sensible decision given the particular facts of the case?

On the first point, Twitter is full of the usual technorati shaking their heads in amazement at the gullibility of the English courts, thinking they can control the Internet in their quaint Canute-like ways. It is absolutely clear that this blocking cannot be effective against any moderately technically competent Internet user. Richard Clayton, a reliably sensible source, opines that
"BT users will still of course be able to access Newzbin (though perhaps not by using https), but depending on the exact mechanisms which BT roll out it may be a little less convenient. The simplest method (but not the cheapest) will be to purchase a VPN service — which will tunnel traffic via a remote site (and access from there won’t be blocked). Doubtless some enterprising vendors will be looking to bundle a VPN with a Newzbin subscription and an account on a Usenet server."
The court was not, actually, unaware of this, in abstract if not in detail. Mr J Arnold explicitly accepted Malcolm Hutty's (also reliably sensible) evidence for BT that "the level of technical expertise required to circumvent" this kind of blocking was little more than was needed to use Newzbin and Usenet in the first place (para 193).

However, he then still made the order. Why? Well, first it would require users to make some extra effort (however little) and some wouldn't (para 194). Second, users were having to pay to use Newzbin and probably needed a paid Usenet sub service too, and if they were going to have to fiddle around with VPNs as well, they might just give up and use legal services instead (para 196).

It is this final conclusion that is the one that makes me incredulous about this decision. Even leaving aside the Internet contrarianism factor (blocking a site is the surest way to make everyone go find it and use it), would an easier step for the hardened infringer not be to revert to free methods of obtaining the same content? Enough of them exist for me not to need to list them, I am sure, nor are all illegal. It is already trite knowledge that more young people are streaming content than downloading it - as easy, less risk. In other words, the conclusion of efficacy of blocking seems to have been based on effective diversion to other, mainly illicit, channels. In which case one wonders if the game is really worth the candle given the downsides of blocking - which takes us to point 2.

Here it is first worth noting that the court explicitly acknowledges that efficacy is not actually what it is about. In para 98, the final word is

"Finally I agree with counsel for Studios that the order would be justified even if it only prevented access to Newzbin2 to a minority of users." [itals added]

Such a declaration of symbolic justice at all costs must surely be accompanied by some comprehension of the balance of gains and losses. It helps to ask how often will court blocking orders be made post Newzbin 2? Paradoxically, after two years of test case jousting, not many. The clue here is in para 189 where Arnold J warns helpfully that

"Furthermore, although I cannot prejudge later arguments in this case, it is not inevitable that future applicants will recover all their costs even if successful: compare the practice in respect of Norwich Pharmacal orders, as to which see Totalise plc v Motley Fool Ltd [2001] EWCA Civ 1897, [2002] 1 WLR 1233. For these reasons, even if the present application is successful, I think it is clear that rightholders will not undertake future applications lightly." [itals added]

In other words, most applicants would get their costs back; just no guarantee of it. Under the English system of winner takes all, that means ISPs which opposed s 97A orders would fear to end up on the losing side with all the costs of both sides - a crippling financial burden to take on for love of freedom of speech or even just the good PR. Most would not. (Francis Davey has been making this point ever since s 18 of the DEA was conceived.) In Totalise itself, the courts agreed (eventually) that an ISP which insisted on a court order before agreeing to identify one of its subscribers in breach of its own privacy policy did not necessarily have to pay all the costs of the plaintiff as well as its own, as long as it was, basically, behaving reasonably. But this is an exception to the norm of English costs allocation, in a rather odd kind of court order, and there is no guarantee such a rule will be evolved in s 97A proceedings. ADDED: The two cases are rather different: ISPs are essentially bound by their own promises of confidentiality to their customers not to disclose their identity without court mandate; but no such restraint, one would think, pertains in relation to a website (like Newzbin) which has no contractual relationship with that ISP. Francis Davey, in correspondence, however adds that he expects an ISP might always feel it has to defend to get right the precise wording of the order - since all ISPs will have different technical capacities. On the other hand, it will take a while, absent legislation, before any ISP would know its potential costs liability - which might point towards not seeking to defend a court application, or even more likely, agreeing a voluntary protocol with no court involvement at all. This has the side benefit that no court order (even an undefended one) means no possibility of contempt of court for not meeting its requirements.

Assuming it is likely that the winner takes all costs rule persists, even while things shake down, what the courts will have put in place is what Ed Vaizey already said he wants: a system of extralegal "voluntary" blocking by ISPs of content which is alleged to be substantially copyright infringing, without all that boring and expensive checking of evidence. This will not be court based transparent justice; it will be private censorship by those industries with the most to gain from this, and without consideration of the public domain or the public interest, or the interests of those introducing new innovative products whose interaction with classic IP will be untested. Fun times.

But we need to do something to help the content industries; we've been told often enough. Are there alternatives to blocking that will on the one hand be circumvented by those who know, and on the other hand, create a structure for uncontrolled private censorship? Well, the usual litany - the same answer I give when people ask if there is an alternative to graduated response for maintaining the creative sector. Real, convenient, comprehensive legal alternatives that sell content and match the ease and the flexibility of the illicit model: legal P2P, levies, innovative bundled solutions. Everything Ian Hargreaves asked for in fact. But we've been here before. It's so much easier to stick yet another patch on a sinking ship than build a new one.

Finally and optimistically, it is worth pointing out that the website blocking provisions of the Digital Economy Act were introduced because the rightsholders claimed they were uncertain as to the workability of s 97A to defend their interests. Now we have a s 97A precedent in their favour, there should be no reason either to implement s 17, nor to go ahead with Vaizey's half-privatised alternative.

Secondly, if we are to have UK web censorship should we not have even-handed censorship? It is passingly strange that we now have an effective court ordered means to block sites which help infringe copyright, but nothing equivalent to block sites which host hate speech or jihad speech, or which host malware sites or phishing sites, or where libellous comments are posted. Even the IWF scheme to block child pornography is voluntary, not court mandated. Shouldn't we be having a debate about even-handed censorship? What makes copyright so special here? Or would that remind us that we never had that debate about copyright to start with?

* EDIT: Further discussion seems to reveal the parties will be back in court in October to agree the final version of the order. This may not be the same as the draft above. Until then no blocking will be put in place. Further also to this BBC news story there appears to be a misapprehension: the court order will only apply to BT, not the other ISPs - the fact they decided not to intervene is irrelevant. Also a High Court decision will not act as binding precedent to other High Court applications. However unless other ISPs have substantially different arguments than BT (eg more technological or legal difficulties in blocking) they might choose not to defend court orders aimed at them, or to defend (as suggested above) only to argue the precise wording of the blocking order. However a court order is NOT the same as passing statute like the DEA; it is effective against the parties only, not the world.

* EDIT added 3.08.11: and today as Pangloss predicted, implementing web blocking via the DEA ss 17/18 is quietly dropped as, so we hear, "unworkable". One wonders how they knew the result of Newzbin 2 before it came out? :)

EDIT 3: added 29.07.13 - note that Sky apparently gave in shortly after this and agreed to block Newzbin without opposing the court order received even though their technical filtering capacity is very different to BT's - see http://www.zdnet.com/sky-blocks-newzbin2-following-court-order-4010025026/ , also http://www.sroc.eu/2011/12/sky-blocks-newzbin-important-legal-and.html where James Firth notes: "Newzbin will — and there's strong evidence they have done already, several times — change their IP address," Firth wrote. "It is well known that IP addresses have all but run out. Nearly all IP addresses allocated are recycled — they've been in use before. Pity the website owner who picks up Newzbin's old IP address."

Friday, July 08, 2011

The Idiot's Guide to Why Voicemail Hacking is a Crime

Not what I should be doing right now, but in the wake of the amazing News of the World revelations, there does seem to be some public interest in a quick note on why there is (some) controversy around whether hacking messages in someone's voicemail is a crime.

Most of the longer version of this can be found in an excellent memo by Chris Pounder of Amberhawk from October 2010 and those of you with more legal background are therefore directed there.

RIPA

The first relevant provision is RIPA (the Regulation of Investigatory Powers Act 2000) which provides that interception of communications without consent of both ends of the communication, or some other provision like a police warrant, is criminal in principle. The complications arise from s 2(2) which provides that:

“....a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if ... (he makes) ...some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication”. [my itals]

Section 2(4) states that an “interception of a communication” has also to be “in the course of its transmission” by any public or private telecommunications system. [my itals]

The argument that seems to have been made to the DPP, Keir Starmer, in October 2010, by QC David Perry, is that voicemail has already been transmitted and is therefore no longer "in the course of its transmission." Therefore a RIPA s 1 interception offence would not stand up. The DPP stressed in a letter to the Guardian in March 2011 that this interpretation was (a) specific to the cases of Goodman and Mulcaire (yes, the same Goodman who's just been re-arrested and indeed went to jail) and (b) not conclusive as a court would have to rule on it.

We do not know the exact terms of the advice from counsel as (according to advice given to the HC in November 2009) it was delivered in oral form only. There are two possible interpretations of even what we know. One is that messages left on voicemail are "in transmission" till read. Another is that even when they are stored on the voicemail server unread, they have completed transmission, and thus accessing them would not be "interception".

Very few people, I think, would view the latter interpretation as plausible, but the former seems to have carried weight with the prosecution authorities. In the case of Milly Dowler, if (as seems likely) voicemails were hacked after she was already deceased, there may have been messages unread and so a prosecution would be appropriate on RIPA without worrying about the advice from counsel. In many other cases, eg involving celebrities, though, hacking may have been of already-listened-to voicemails. What is the law there?

When does a message to voicemail cease to be "in the course of transmission"? Chris Pounder pointed out in April 2011 that we also have to look at s 2(7) of RIPA which says

"(7) For the purposes of this section the times while a communication is being transmitted by means of a telecommunication system shall be taken to include any time when the system by means of which the communication is being, or has been, transmitted is used for storing it in a manner that enables the intended recipient to collect it or otherwise to have access to it."

A common sense interpretation of this, it seems to me (and to Chris Pounder), would be that messages stored on voicemail are deemed to remain "in the course of transmission" and hence capable of generating a criminal offence when hacked - because they are being stored on the system for later access (which might include re-listening to already played messages).

This rather thoroughly seems to contradict the well known interpretation offered during the debates in the HL over RIPA from L Bassam, that the analogy of transmission of a voice message or email was to a letter being delivered to a house. There, transmission ended when the letter hit the doormat.

There remains a little wiggle room in that at the dates some of the older hacking incidents may have occurred, the voice messages might plausibly have been physically stored on local answerphones, not, as is common with mobiles and mobile voicemail, on remote voicemail servers. This leaves a flicker of concern that the messages might not be "stored" on "the [same] system by means of which the communication is being, or has been, transmitted".

Against this quibble would be that a purposive interpretation of the law should not distinguish for no reason between (say) fixed phones with physical answerphones, and mobile phones with remotely stored voicemail. OTOH, criminal laws are always to be interpreted restrictively on the grounds that no one should find themselves accused of breaking a criminal law they were not deemed to know.

A person who is guilty of an offence under subsection (1) or (2) shall be liable on conviction on indictment, to imprisonment for a term not exceeding two years or to unlimited fine.

CMA

One of the strangest parts of this controversy though has been the relative absence of commentary - from the DPP or otherwise - that even if the most restrictive interpretation above of RIPA was adopted, computer hacking under the Computer Misuse Act, s 1, could easily provide an alternative offence. (Nick Davies of the Guardian does mention it however in the same Memo to HC as quoted above from Amberhawk.)

CMA s 1 says that

"(1) A person is guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer [or to enable any such access to be secured];

(b) the access he intends to secure [or to enable to be secured] is unauthorised; and

(c) he knows at the time when he causes the computer to perform the function that that is the case." [my italics]

Max sentence is 12 months jail but the aggregated version (eg unauthorised access plus fraud under s 2) can now go up to 5 years jail. (s55 of the DPA (misuse of personal data, which would also apply) was also amended recently to allow for a jail sentence (following the HMRC scandals) - but Parliament has yet to bring this into force.)

Putting in a guessed-at PIN to access voicemail maps well to "causes a computer to perform any function". CMA makes no requirement that reasonable security is overcome, or anything of that kind. Nor does the material hacked have to be deleted or sold or anything of that kind, merely accessed.

But is an answerphone or a voicemail server or a mobile phone a "computer"? The word was deliberately left undefined in the 1990 Act so it did not become outdated as technology progressed. (This has proved wise.) However the CPS guidance quotes "DPP v McKeown, DPP v Jones ([1997] 2 Cr App R, 155, HL at page 163) [where] Lord Hoffmann defined a computer as "a device for storing, processing and retrieving information"." This seems easily wide enough to include any or all of a mobile, a smartphone, an answerphone or a voicemail server.

The advice given to the DPP may have taken into account other worries about prosecuting either the RIPA or CMA offences. It would be very good to know exactly what, if any. In the meantime however there seems no good reason why criminal prosecutions cannot be immediately brought against those factually proven to have taken part in voicemail hacking.

Corporate criminal liability

A final point is who would be liable for such a criminal offence. Just the reporter who put in the PIN, or, say, the proprietor of the newspaper in question, which benefited? This is an issue of corporate criminal liability where the relevant law in England & Wales is from Tesco v Nattrass [1972] AC 153. The widely quoted test from that by L Reid is the "directing mind test" as follows:
"The person who acts is not speaking or acting for the company. He is acting as the company and his mind which directs his acts is the mind of the company. If it is a guilty mind then that guilt is the guilt of the company."
This is regarded as, sometimes unfortunately (it has been amended for corporate manslaughter), pretty restrictive, and likely to apply only to the most senior directors or managers. ?? as to say, the liability of Wade or Murdoch for NI.

Deleting the evidence

Finally, if the rumours circulating that millions of emails have been deleted by NI to foil a criminal investigation are true, there would be an alternative of prosecuting an attempt to pervert the course of justice - which as a common law offence has an unlimited sentence in Scotland and I think in England too. So burning the evidence is not a get out of jail free card :)