Wednesday, November 02, 2005

The First World Trade War

(via Lenz Blog) Last March, the WTO's Appellate Body confirmed the ruling against the United States in the case of cotton subsidies (DSB 267). This case was brought by Brazil against the United States, arguing that the cotton industry in that country is obtaining subsidies from the government that are contrary to trade rules included in the Subsidies and Countervailing Measures (SCM) Agreement, calculated at around $140.000 USD per farmer. The argument by Brazil and other developing countries is that the subsidies make it impossible for their agriculture industries to compete in the global market, as the subsidies bring prices down. On the other hand, the other greatest subsidiser (the EU) supported the United States in this.

The U.S. lost the case: the subsidies were deemed to be in violation of international trade rules, and the U.S. was therefore asked to stop the subsidies and bring its legislation into compliance. So far the compliance has not been forthcoming.

This is just the latest in a series of rulings that have gone against the U.S. in international trade issues and that it is not implementing, such as the Canadian lumber case. This has prompted questions about the validity of the international trade mechanism, and allows other countries to ask why they should comply. This is dangerous territory at a time when the American copyright industry is trying to get China to comply with its TRIPS commitments and stop piracy.

This could open the door for a global trade war, with countries reverting to the protectionist principles that prevailed before the WTO. Most important for the U.S. is the threat by Brazil that it might as well allow the massive copying of American movies and music, and allow the production of patented pharmaceuticals.

Friday, October 28, 2005

Publication on web in Scotland is not "public" enough!

The latest Brodies Solicitors free technology law supplement helpfully tells me of an interesting recent Scottish Freedom of Information decision.

In Decision 001/2005, Mr L and the Lothian & Borders Safety Camera Partnership (17 May 2005)
Mr L requested sight of the calibration certificate for equipment used in an alleged speeding offence. The Partnership argued that the information was already "otherwise accessible" under s 25 of the FOI (SC) Act by virtue of it being on the Partnership’s website. As it turned out, the particular calibration certificate was not actually on their website at the time of the request. However, the Commissioner provided his view, making reference to the fact that most deprived households were without internet access according to the Social Justice Annual Report 2003:
“In my view therefore it is not yet possible to say that information which is solely provided on a website is reasonably accessible to people in Scotland”

This must be an expensive blow for public authorities. The commissioner stated that “where [the authority] receives a request for the information to be made available in another format, e.g. in paper form posted to a home address, then it should do so unless there are overriding technical or cost implications.”

Other recent decisions mainly question the relationship between release of information under FOI and the protection of personal data under data protection law. This is shaping up to be a very controversial area.

Thursday, October 27, 2005

Secure feed ISPs

Interestingly, since writing the last post, I've noticed that Edinburgh University - who act as my ISP and that of many 1000s of staff and students - have begun compulsorily scanning the accounts of users, by administrative unit, for security breaches and vulnerabilities. And yes, you can opt out - but then the unit opting out, according to the security policy, must "ensure that they have sufficient resources to quickly identify compromised or mal-configured systems when the need [arises]". This is pretty much the model I was beginning to outline below.

Liability of ISPs for malware?

Bruce Schneier has reiterated his long held belief that ISPs should be held liable for their part in spreading viruses and malware.

The Register quote him as saying: “It’s about externalities – like a chemical company polluting a river – they don’t live downstream and they don’t care what happens. You need regulation to make it bad business for them not to care. You need to raise the cost of doing it wrong.” Schneier said there was a parallel with the success of the environmental movement – protests and court cases made it too expensive to keep polluting and made it better business to be greener.

The analogy is appealing, but wrong. ISPs are not the polluters but the water-ways, or perhaps, their curators. The real polluters are the virus writers and bot creators - who are in most jurisdictions already criminally, and probably civilly, liable - just impossible to find.

Schneier goes on to say that ISPs should offer consumers “clean pipe” services: “Corporate ISPs do it, why don’t they offer it to my Mum? We’d all be safer and it’s in our interests to pay."

Here Schneier gets nearer to the real way forward. What Schneier, being a brilliant security expert, not a lawyer or economist, is getting wrong is not the desirable end - ISPs helping clean up the Internet "environment" - but how to achieve it. You don't need public regulation of ISPs on the polluters model - which is unfair, given that the ubiquity of malware is simply not their fault - when it's easier to get profits to act as an incentive instead. US companies, correctly, saw cleaning up pollution as a profit loser until it was made too expensive to ignore on a PR level, but security can be turned into a money maker easily.

My Mum, much like Schneier's I suspect, has no idea how to set up a firewall or a virus checker, or come to that, her email account. But she's not that short of a bob. If she was offered, instead of the almost useless "BT Privacy", "BT Security" for an extra £12 a month, say, where BT undertook to manage the security of her machine, monitoring, reporting, isolating and cleaning it out if it was infected or zombified, etc etc, she'd take it tomorrow. ISPs should be offering security cleanfeeds instead of content ones. When there's a decent, competitive market of those, we won't NEED environmental Internet laws - which will in any case be expensive and almost impossible to enforce universally, due to safe havens and lack of global harmonisation of criminal and public law (as Schneier himself acknowledges).

Someone pointed out to me that this isn't a solution, because those who don't buy in to a secure feed still remain vectors for infection. This is true: but it's possible we can deal with that by making the opters-out personally strictly liable for the security of their own machines (they are likely to be either the techy or the bolshy), rather than imposing inequitable liabilities on ISPs wholesale. Such an onus would be likely to drive all but those who really can look after their own machines - sysops, geeks, Linux lovers :-) - into the arms of a safefeed ISP. Another alternative for such would be to offer insurance to cover claims against them by affected consumers or networks.

Another commenter pointed out that a security service almost exactly as described above already exists - and lo! it costs £12 per month! Truth is stranger than fiction.

The UK answer thus far is not more law but public education in the shape of the new National Hi Tech Crime Unit GetSafe campaign. We shall report on its success but remain cynical...

Monday, October 24, 2005

Honey, I Trademarked the Blog

The Markenblog blog reports that on October 21, 2005 the term law blog was registered by the owner of the popular German blog "law blog". The registration does not, actually, expressly cover blogs, but legal services in class 42, and services including the presentation of creative works in class 41. The German registration should not affect the general use of the generic or descriptive term by others.
says the German American Law Journal.

Words fail me really. I'm not a trademark lawyer but has "blog" not become a generic word? Does adding "law" really suffice to distinguish it as a badge of origin of particular services? Anyone out there want to comment?

Creative Commons: threat or menace?-)

Some random quotes from an online discussion on Live Journal after a Friday night pub discussion on whether open source, creative commons and the rest of the anti copyright movements are new religions or merely fora for the development of useful tools:

"Creative Commons and Open Source are religions. Not as bad as some of the others, but nonetheless they are somebody else's vision of utopia that we're all supposed to participate in." Voidampersand.

"The sub-sect that drives me up the wall is the Wikipedians - and I speak as an avid user and browser of Wikipedia. Yes, it's an impressive achievement, but you can only tout it as an improvement over traditional encyclopaedias by rather radically redefining 'improved'. Which some of its most zealous advocates are happy to do... (Isn't it brilliant! Our users can democratically determine the value of pi by continuous re-editing!)"

"I'm tolerant and indeed supportive of OSS between consenting adults; it'd be hypocritical of me not to, as I use enough of the stuff at home - but I'm opposed to fundamentalism about it too. I don't like people saying I shouldn't have the right to protect intellectual property and make a living from it; it should be my choice".

On open source: "it's plainly a way for young white introvert males to "stick it to the man" -- in this instance, their employers"

Friday, October 21, 2005

Once More With Lawyers

Fox have closed down a planned fan performance of the well known Buffy musical Once More With Feeling at a fan convention, on copyright grounds, despite la Joss himself saying he was happy for it to go ahead. Illustrating yet again that the interests of the artists/creators themselves and those they assign rights to tend to be very, very different.

Should a fan musical really need copyright permission? It's well known that UK and US don't go for a "private non commercial copying" exemption as Continental countries like France and Germany do, and even if they did, a public performance would never, I expect, be seen as private copying. But as Kim Weatherall comments, there's no way this performance could do anything other than encourage people to buy profit-making official Buffy CDs, DVDs and other merchandise. There's no travelling official Buffy musical whose revenues can be cut into by fan knock offs (more's the shame!). Fox is simply cutting off its nose to spite its own fans here.

Some commentators have compared this unfavourably to the permissive attitude towards Rocky Horror Show performances which take place all over the world with massive fan, er, interpretation of the plot and cast. But the point there is that every such performance also involves a public showing of the movie, so will usually involve a revenue stream, as almost all professional cinemas will abide by normal license agreements.

Thursday, October 20, 2005

Oxford Internet Institute UK Survey

The Oxford Internet Institute survey of UK Internet usage landed on my desk (yes! hard copy! how quaint!) this morning. It is a thing of wonder. Every totally obvious statement you ever wanted to include in an article but couldn't be bothered to find statistical backing for is included. Yes, 74% of UK citizens have now bought something on line. Yes, 61% of UK people now have Internet access at home. Yes, broadband uptake is higher in wealthy homes than poorer ones (no, you don't say.) People think the Internet is bad for privacy? Tick! (49% think the use of computers in the UK is a threat to personal privacy. 45% are concerned about access to their personal data.) Worried about spam? Tick! (60%. Though only 35% have done anything about it.) Concerned about viruses? Tick! (82%! And 65% have done something about it! (or so they say :-))

There are some pleasant (and less pleasant) surprises though. 72% of those asked said the Internet had made their life better. Only 23% agreed strongly that they were concerned about immoral content on the Internet, while 15% strongly disagreed (given the social difficulty of disagreeing with such a question for many parents, the "strongly"s strike me as the only section of the respondents who matter). An amazing 18% claim they post pictures on the Web and 14% keep a website, though only 5% blog (but still!). But only 17% of Britons object to ID cards and around 5% of users have given up on the Internet entirely between 2003 and 2005 for whatever reason (mainly lack of interest - only 11% cited bad experiences and 17% privacy worries).

And only 2% agree strongly that email takes up too much of their time while 65% disagree or strongly disagree. They sure as hell didn't interview me for this survey:-)

Wednesday, October 19, 2005

It's a hacker's life being a security pro

Hands up if you've never worried that a website that looks oh so real might just be a phishing site? We've all by now unfortunately seen enough sites that look as real as apple pie, but something - the URL usually - tells us that actually, it's a vehicle for fraud. If you work in professional computer security, this paranoia must be all the more overwhelming, and you have the tools to hand to test out your theories. It got to a certain Daniel Cuthbert, a security pro, who even lectured part time in security to members of the police's own Computer Crime Unit. Cuthbert, a well meaning citizen, went to a site to donate £30 to the Tsunami relief appeal. After making a donation but not getting any official thank-you or confirmation page, Cuthbert tested the security of the page, using tricks like putting in ../../../ to move up three directories. In fact, the site was genuine, and Cuthbert's access attempts (which failed) were recorded; Cuthbert was arrested, and successfully prosecuted for attempted unauthorised access under s 1 of the Computer Misuse Act. Last week, he was fined £400, paid £600 in costs and lost his job as a result.

Remarkably few convictions have been made under the CMA s 1 and this should not have been one. As the defence opined, it was tantamount to turning the s 1 offence into a strict liability offence. "Unauthorised access" simplex is the least serious charge in the CMA, but it cannot be regarded as an "administrative" crime, one like wrongful parking, which in the interests of the smooth running of society should be enforceable even when the party intended to do no wrong - it can earn a term of imprisonment and quite clearly demands mens rea. Section 1 of the CMA states that

1.—(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.

Arguably, Mr Cuthbert was not trying to "secure access" as his purpose but merely as his literal means to that purpose. His true intent was merely to test whether the site was actually what it claimed to be. On the Internet, this is very difficult to establish without attempting access unless the site has a digital certificate or a SET/SSL interface. This defence could have been backed up by analysis of the statute as a whole (and its preliminary debates) which clearly assume that the access that is sought to be obtained is so sought in pursuit of some criminal or at least amoral purpose.

If we are talking only of the preservation of privacy of personal data, not about criminal activity, as we really were here, then the data protection laws should suffice without needing to go to the hacking laws. This was a case for the Information Commissioner not the police. Given the longstanding and honorable tradition of benign hacking to probe security holes (which following Cuthbert, must clearly fall within the s 1 offence) there is room for a public interest/research exemption here to clarify matters, as there is indeed in relation to the arguably much less acceptable act of possession of child pornography (see the Protection of Children Act 1978 1(4)(a) and equivalent provisions for Scotland in the Criminal Justice Act 1988 and Civic Govt (Sc) Act 1982). As matters stand, security professionals will be unable in any circumstances to test the validity and security of a site unless they know for sure they have authorisation from the true owner of the site.

Friday, September 23, 2005

Suing Google Print

Also from the Beeb, but all over the Web, Google is being sued by an alliance of book publishers, the Author's Guild, over its Google Print scheme. Basically Google Print involves scanning 1000s of books, found in certain university libraries, and when you do a search, GP will deliver you a small section of the text relevant to your search, usually less than a page. In some, but not all, cases, the copyright holders have agreed this can be done, and in some, but not all, cases, the work will be in the public domain. The real controversy arises over whether GP has the right to deliver even snippets of the works in copyright without right holder permission. GP do not seek rightholder permission in advance, but they DO give rightholders the option to "opt out" of being included in GP.

On Cyberprof, several US law profs argued persuasively that Google had "fair use" on their side; in Europe where fair use/dealing exemptions are very tight under the Copyright Directives, this seems highly unlikely. To be non technical, the policy question is really whether you think what Google is doing is more like making an entire copy of an MP3 without permission of the owner (clearly illegal) or more like looking up an index or digest to find extended references to useful texts (clearly legal.)

I was slightly amazed (and pleased) the first time I looked to find the whole of my own chapter on legal regulation of CCTV in the UK was available (from a book published by Asser Press). Today, that chapter is no longer there, and two other book chapters of mine (with Kluwer) deliver only 2-3 page snippets. This seems either to be down to a damage mitigation strategy by Google to placate the publishers, or a closing of ranks by the publishers against Google, since one assumes Asser had already given permission to reproduction of the whole book in question, before the GP issue hit the fan.

My own feeling is that, as with the P2P wars, after a certain amount of legal skirmishing, eventually we will see this kind of global library full-text look-up-and-download being accepted by the rightsholders, but only when some mechanism is in place to get a royalty back to the publishers, by some kind of levy or license fee eventually charged against consumers. Cf the transition from illegal Napster to legal Napster, where you pay £10 a month to stream as much music as you like, and the record companies involved in contracts with Napster get their share. One of the arguments being thrown around in favour of Google is that GP is helping raise interest in out of print and back-list books which make little or no money for publishers, so why are the publishers suing? But publishers must surely be waking up to the fact that that back list can become valuable very easily in a world of universal digital download of text. Google have tried it on, methinks, trying to get to offer this service without paying anything for it.

Lessig argues that as Google already makes copies of every text it spiders in order to deliver search results, finding GP illegal is the same as finding Google the search engine illegal for breach of copyright, and common sense revolts at this idea. But this is not necessarily true, as most jurisdictions now have exemptions allowing for the making of transient rather than permanent copies for "technical reasons". Search engines may rely on these rather than "fair use" to protest their legality. The question is if such exemptions, mainly tailored to legalise caching, are phrased widely enough to cover what search engines do, and how transient Google's spider copies are. Copies are retained for days, sometimes weeks in Google's cache - can these really be regarded as transient?

In any case, in the UK, The Copyright and Related Rights Regulations 2003 implement the "temporary acts of reproduction" exception provided for in Article 5(1) of the Copyright Directive by inserting a new Section 28A into the 1988 Act, as follows:
"Copyright in a literary work, other than a computer program or a database, or in a dramatic, musical or artistic work, the typographical arrangement of a published edition, a sound recording or a film, is not infringed by the making of a temporary copy which is transient or incidental, which is an integral and essential part of a technological process and the sole purpose of which is to enable -
(a) a transmission of the work in a network between third parties by an intermediary; or
(b) a lawful use of the work;
and which has no independent economic significance.".

Google search engine would fail to get the benefit of this under (a) for sure. And the "economic significance" is also arguable - Google don't get paid for GP, but they do make money out of adverts on the main search site, depending how many people click through on advert links placed next to searches. But (b) is the heart of the argument in Google Print. So it may all, in fact, come back to fair use/fair dealing. We in Europe may need to revisit these exemptions yet again.

Blog censorship handbook

Interesting BBC article on how bloggers should deal with state censorship, and tips on how to maintain anonymity. One interesting point is that although it is some states such as China and Singapore which are seen as providing rules repressive of freedom of expression, it is private actors - often American based - who are helping them enforce the rules. See "In June, Microsoft's MSN Spaces site in China started to block blog entries which used words such as "freedom", "democracy" and "demonstration". Microsoft said the company abided by the laws, regulations and norms of each country in which it operates."

The point is a difficult one in terms of policy. Microsoft (and Yahoo! who a few weeks back revealed the identity of a blogger to Chinese authorities, probably exposing him to criminal penalties) are criticised for supporting censorship contrary to Western norms which they benefit from in their own home countries. But such companies can also argue that to maintain a base in these countries they have to work by local laws, and that withdrawing would merely reduce the positive importation of e-commerce prosperity and the overall impact of the Net on these countries. It is a case perhaps of medicine today, to have jam tomorrow.

Wednesday, September 21, 2005

Purpose of the blog

This blog is directed towards the students in the LLM in Information Technology and the Law (both on campus and distance learning). It is not obligatory work, and it does not constitute assessment in class. The opinions expressed here are not necessarily those of the AHRC Centre.

Welcome to all our new students!

Tuesday, September 13, 2005