Wednesday, December 06, 2006

Curtains for DRM?

As I'm spending the evening wading through a PhD thesis on the dreadful wrongs of DRM, it seems mildly amusing to note in passing that where the shock troops of Creative Commons have failed, the market might just decide that DRM isn't a selling point anyway. The article makes the concise point (from the Wall St JOurnal) that pirate files get out via P2P or burned CDs anyway; so DRM doesn't stop illegal piracy, it just makes buying legal downloads more awkward - thereby alienating exactly the customers you most want to pander to.

Back to the battlefield..

More on Gower : ISP copyright cops are coming?

On the briefest of further scans, one item of particular interest to anyone who has been following the rather covert debate about how far ISPs can or should be enrolled to assist the state (or the BPI, etc) in cutting down on on line piracy.


Recommendation 39: Observe the industry agreement of protocols for sharing data between ISPs and rightsholders to remove and disbar users engaged in ‘piracy’. If this has not proved operationally successful by the end of 2007, Government should consider whether to legislate.

This is about whether ISPs should have to hand over logs of material downloaded automatially , or perhaps on request, to rightsholder groups so they can spot possible pirates. Should the user have a right to privacy or at least such a right prior to obtaining a court order or perhaps showing reasonable suspicion? Currently some ISPs are known to reveal anonymised logs of especially heavy downloades or uploaders, leaving it to the rightsholder then to come back and ask for disclosure on grounds permitted by the Data Protection Act. Some ISPs will only give away *any* details after court order, arguing that they may breach data protection rules otherwise and owe their clients confidentiality both by law and by contract. Others may feel that the public are entitled to presumption of innocence til proven guilty. Still others feel that they are merely ISPs , not mandated to act as judge and policemen in such cases where rightsholders might well ask for particular identified downloaders to be summarily disconnected.

Gower however signals a definite governmental backing both of voluntary disclosure by ISPs and of "notice and disconnection" (discussed before on this blog.)

ISPs "should assist rights holders by providing a procedure through which automatic action in courts will be avoided and would allow greater scrutiny on the actions of users. BCP [a model best common practice document] is an ideal way to proceed if an agreement can be brokered between the ISPs and the copyright owners and would respect safe harbour provisions for ISPs which were set up in good faith. If there is a failure to agree, the Government should look towards establishing an appropriate statutory protocol."

So there you go.

Incidentally I've changed my mind. The press may seize on 10 year sentences for downloaders, and Lessig and Cliff Richard may be (differently( excited about no term extensions; but my bet for Most Controversial Recomendation (possibly tieing with the already mentioned limited new introduction of private copying rights) is this one:

Recommendation 11: Propose that Directive 2001/29/EC be amended to allow for an
exception for creative, transformative or derivative works, within the parameters of the
Berne Three-Step Test.


Alrighty!! Who's going to be the first to create a sampled rap praising the Gower Report? maybe they can finance the implementation with the royalties from a few Snoopy Dog or Doggy Snop , records..

Ho hum! The view after Vista

David Utter, who left a nice comment re my rebutal of his article over at SecurityProNews, has also turned out some interesting security news items of his own, including evidence that although the majority of current malicious code may be defeated by the new security controls of Vista it can fairly swiftly be adapted to infect it by skilled operators. Indeed, three of the current top ten major viruses can already evade Vista's improved security.

Ah well! It's almost Xmas!!

Gower Report

No time right now but this is the summary of the recommendations for making copyright work in the digital age:

To ensure the correct balance in IP rights the review recommends:

ensuring the IP system only proscribes genuinely illegitimate activity. The Review recommends introducing a strictly limited 'private copying' exception to enable consumers to format-shift content they purchase for personal use. For example to legally transfer music from CD to their MP3 player;


enabling access to content for libraries and education establishments - to ensure that the UK's cultural heritage can be adequately stored for preservation and accessed for learning. The Review recommends clarifying exceptions to copyright to make them fit for the digital age;

and
recommending that the European Commission does not change the status quo and retains the 50 year term of copyright protection for sound recordings and related performers' rights.


On the other hand a stiff approach to IP crime, including sentences up to 10 years for music & film piracy.

Something for everyone then. In principle it mostly looks like damn sensible stuff. Lessig has already pulled out the most rallying-cry quote:

"Policy makers should adopt the principle that the term and scope of protection for IP rights should not be altered retrospectively."

Let the battle commence!

Tuesday, December 05, 2006

Ps - late egoboo:)

I was in New Scientist a few weeks back , rather curtailedly extolling my theories-in-progress of how a security commons might be created to reduce the insecurity currently caused by zombified home computers. As many of you know, zombies or "bot networks", computers emslaved by viruses unknown to their owners, are the leading cause of everything from spam, phishing and spyware to keylogging, ID theft, click-fraud and probably, dandruff. In particular almost all denial of service attacks are now carried out as distributed attacks via enslaved bot networks. By a"security commons", I meant joint action and joint responsibility by all p[artioes involved in a safer Internet: users, software writers, hosts and ISPs.

Illness intervened in my reporting (cof, cof) but here is the link for you my loyal readers :) Unfortunately New Scientist printed only the smallest part of what I told them over the phone (sigh) so it looked like I was suggesting that ISPs ONLY should be liable where a denial of service attack is carried out. Whereas in fact I continue to advocate that ISPs should take a positive role in (a) identifying zombified machines, not necessarily by deep packet inspection, as NS reported, but possibly only by external changes in patterns of traffic or congestion analysis (b) making available secured ISP services to consumers as well as businesses - as some companies like Nildram do already, thus protecting customers who don't know a firewall from a firelighter; and (c) where necessary, isolating identified zombies until they can be cleaned out.

ISPs would not necessarily be "held legally liable" if they failed to provide these services; they could be provided as competitive market price services, with users held liable if they did not avail themselves of them. Other methods such as compulsory "home computer user insurance" (like motor insurance) could be employed to reach the same reult.

Rather gratifyingly, there has already been a hostile response (always nice to know someone's listening.) David Utter suggests that if I had my way, ISPs might be held liable for hosting sites like Slashdot, which post links which often bring down sites by their sheer popularity. I was not in any way suggesting simple vicarious liability for ISPs hosting sites responsible for DOS attacks - for a start, the EU E Commerce Directive would currently probably forbid that. I have my own concerns about how the CMA amendments in the Police and Justice Act deal with inadvertent "slashdots" - given the late amendment to s 3 to allow recklessness as sufficient for "intention to impair the operation of a computer", it seems quite possible that innocent slashdotting is now prosecutable as denial of service in the UK. (Of course from a sysop point of view, whether a server goes down because of malice or carelessness is irrelevant - so maybe this was deliberate?) But it won't be the ISP that carries the can, even if this is true.

More interesting points are raised by a George Scriban on a blog called Global Nerdy

"Surely the ISPs of the world aren't the most responsible party in a DDoS attack? What of the companies who provide vulnerable operating systems? The customers who misuse, misconfigure, or undermaintain those systems, making them ideal zombie targets? ISVs whose software defects render systems vulnerable? And, of course, we have the criminals conspiring to commit these crimes themselves. There's enough blame to go around that it seems strange to focus the blunt instrument of government regulation on ISPs in particular."

But the whole point is that we're looking at here isn't moral retribution - ie, allocation of blame. What's the good of tinkering with the criminal law to punish DoSers when they're usually tidily hidden away in Moldova, Estonia or similar hi tech law enforcement havens? Or untraceable , because they've worked through a network of a million bots, enslaved via a Trojan virus sent by a third party? Or have their assets stashed in still another country?

Better to try to actually secure the Internet so it doesn't fall over, taking our hospitals and air traffic controllers with it - and worry about wreaking punishment on the guilty afterwards. The people the police forces (or civil courts, or insurance companies) of the US, EU and the rest of the developed world can usually get to are the users - you and me- and the ISPs. Regulation that would persuade the Microsofts of this world to produce less buggy software would also be good. Creating a safe Internet has to be done , right now, either by building it differently from scratch - which may have catastrophic effects for generativity, innovation and privacy and will take decades - or by regulating those three sets of people. Forget the Russian mafiosi, for every one you catch you will tie up the UK's entire National Hi Tech Crime Unit-as-was for months if not years . We need to move from blame to gain.

Oh, the anti-ci-pation..

Just a heads up that Tomorrow is Gower Day.

"The Report of the Gowers Review of Intellectual Property is due be published on Wednesday,6 December.
It will be available on the Treasury website from 08.00:
http://www.hm-treasury.gov.uk/independent_reviews/gowers_review_intellectual_property/gowersreview_index.cfm
We expect the Chancellor to refer to it during his pre-budget statement to the House of Commons, starting at 12.15."

Will private copying and sharing of mix tapes be legalised? Will term in sound recordings be left as it is? will Cliff Richard turn green and burst out of his leather trousers? only the Shadow knows!!

GikII ppts etc

I'm gratified to discover (though someone could have TOLD me, heh, Andres!!) that the powerpoints from the (she says nonchalantly) successful cutting edge blue skies cyberlaw workshop, GikII, are now available.

Talks are also underway towards turning GikII into a book on Geek Law and finding a home for GikII 2: This Time It's Personal. If you too want to be absorbed into the Geek Collective, contact Pangloss at the editorial address.

Monday, November 20, 2006

Petition

From the excellent ORG people, go and sign here.

I am however quite tickled by this one.

Saturday, November 18, 2006

Here we go, here we go, here we go..

After months of anticipation, it's happening: Universal is suing MySpace, one of the leading "social networking" sites, for copyright infringement - or as the Beeb puts it:

"Universal's lawsuit, lodged in a US district court, claims that MySpace "encourages, facilitates and participates in the unauthorised reproduction, adaptation, distribution and public performance". "

Interesting that Universal's suit, as here quoted, does not mention the weasel word "inducement", as their attack must surely be based on MGM v Grokster and its new test for third party copyright infringement. My Space obviously know this since they reply:

""We provide users with tools to share their own work - we do not induce, encourage, or condone copyright violation in any way."

So draw up your seats, guys and gals, and watch the Titans fight.

In European law, MS might well claim that it had a good defense under the safe harbour of the E-Commerce Directive, as hosts under Art 14, so long as they removed copyright videos expeditiously on notice and take down (which, as a rule, such sites do).

In US law, however, it's much less clear and will depend how far the court wants to stretch the Grokster dictum. Two principles are going to come into full opposition for the first time: the Grokster dicta on inducement and third party liability for copyright, and the 'safe harbor' provisions of the US Digital Millennium Copyright Act, which are similar to Art 14 of the ECD, and which have been regarded in the past as adequately protecting the likes of YouTube and My Space from suits arising from copyright content posted by third parties. Napster, in the first of the major P2P cases way back when, attempted to plead the DMCA hosting safe harbor, but had it rejected on the grounds , in essence, that they were not a hands-off third party "host", since they were knowingly exerting control over the music files they indexed. My Space may be a much more difficult case for rejection, since they resemble a conventional host providing physical storage for files provided without their knowledge by a third party, just as with a hosting ISP, far more closely than Napster did.

The even bigger issue here may be : if MySpace goes down, what happens to the other blogging and user-content based sites like Bebo, FaceBook , Live Journal etc all of which depend to a lesser or larger extent on users sharing "cool" copyright material as well as self generated material? In particular, it will have huge implications for You Tube, where a copyright battle has been anticipated ever since Google bought it and made sure $200m of the price was put away as a "copyright warchest". Google are currently trying to head off the You Tube battle by negotiating with major publishers for permission to stream their works. For smaller or more "open source" sites like LiveJournal which run to cover costs and not to make money via ads, such a licensing arrangement would probably be uneconomic; which might lead to the folding of all but the most commercial and media-controlled blog/networking/web 2.0 user-content sites - a disastrous outcome.

One key point in YT's favour differentiating it from MYSpace et al is that YT streams its video, and does not host it, hence does not readily provide a free source of permament downloads: and has also, interestingly, made extensive efforts to suppress code provided by third parties to turn YT's stream into downloadable content. YT , unlike Napster and Grokster/KaZaa, has also gone out of its way to make clear it is not condoning copyright infringement as part of "sticking it to the man", hence resisting an obvious claim of inducement. Furthermore YT only allows very short videoes to be streamed, not entire TV programmes or albums as the P2P networks do - however it is also well known that some TV shows, eg, are in fact put up on YT in short chunks.

At root, there is a real problem here that may not be superable in the current legal structure. When Grokster was brought down, it was clear the court felt that its business model was mainly built on flagrantly delivering copyright content without rightsholder permission; even though it was shown Grokster was shown to be also used to deliver content like free software and out of copyright archive material, these were a relatively insignificant part of its payload (or business model).

With the web 2.0 sites, there is a spectrum. You Tube originally built its name on user generated and owned content : videos of cute cats on iPOds and art school degree exam animations. Yet now it clearly carries some, but perhaps not a majority , of "mainstream" media content used without permission of rightsholders among its millions of videos delivered today. Similarly My Space built its brand as the home for new and unsigned bands delivering their own copyright content; but now has a mixed business model. Universal claim "Our music and videos play a key role in building the communities that have created hundreds of millions of dollars of value for the owners of MySpace. " and they may not be exaggerating (well, not too much.)

Kill the baby of copyright infringement and you throw out the bathwater of the most popular medium for encouraging self created and owned creativity we have ever seen; MySpace has 90 million users alone and then look at all the other blogs, the Flickrs (and perhaps the eBays, where a similar problem prevails - among a million legitimate listings there will be a thousand for copyright infringing material). Notice and take down is one answer but it already exists in both the US and EU as a legal right and it is not satisfying the rightsholders, who want pre emptive blocking by the social sharing sites. Filtering for copyright material may be a better answer (as the Australian settlement compells KaZaa to do) but My Space were already developing tools to do this and yet it has not stopped this suit. What a US court could do is retreat from the "inducement" theory of Grokster and return to the "substantially non infringing uses" test of Sony: certainly My Space should attempt to push it that way.

Let's hope for all us blogger's sakes that an answer can be found that suits all parties. Simple defiance of the rightsholders by the anti-copyright crowd will not hold back the sea forever.

Tuesday, November 14, 2006

Where I've Been and Hello I'm Back

For everyone who's written in the last three months to ask where I've gone: the answer was in order:

- recovering from GikII - which was generally judged a huge succes (ahem) and which I now need to think about in terms of what we do next: a mailing list, a book on geek law and a second workshop all seem likely.
- moving job
- moving house
- moving cats (ah if only I had time to do an IPKat like cartoon here of a sad fat tabby hiding doggedly under the bath...)
and then, just when you thought it was safe to go back into the blogging water..
- Blogger sundered me from my very own Pangloss, gave it briefly to Technollama and then refused to give me it back AT ALL. I think I broke Blogger :(

But here I am restored!! (On the third try ..) And overwhelmed with London events, not quite all of which I am or have spoken at..

  • I spoke spoke on spam at the very intriguing SCL Workshop on Regulation (patiently organised by my mate Andy Charlesworth of Bristol);

  • attended the DTI/KTN workshop on locational data service providers - which was fascinating.

  • and spoke on legal and policy aspects of denial of service at the DDOS/DTI Workshop , ably assisted by Chris Marsden of RAND. This gig was beautifully timed: 5 days after the Police and Justice Act 2006 , which amends the Computer Misuse Act 1990 to cover DDOS, had just seen Royal Assent (Thanks to Malcolm Hutty from LINX for this intelligence - altho it's not yet up as a finalised Act on the Web - watch this space).

    A proper post to come on the amendments, which combined with the appeal decision in Lennon, appear to me to make it potentially possible to prosecute everything from supplying adware, to spamming, now as violations of s 3, punishable by up to 10 years in jail. Is this a sneaky one by the Information Commissioner to avoid the need to put up the penalties for breaches of the Data Protection Act? Perhaps we shall see.

  • I also made it rather late and worse for wear :) to the ORG Release the Music extravaganza, with Jonathan Zittrain, someone from Blur (the drummer, I'm told) and my Soton colleague Caroline Wilson.

  • I am also now happy and proud to be part of the ORG Advisory Board - and I'm thinking of going to the mass geek Christmas party (although unlike some I don't expect to find John Barrowman there.)

No rest for the wicked huh?

All this and Law 2.1 rrrepeater to come :)

Thursday, November 09, 2006

Hurrahh!!!

For everyone who's written to ask where I've gone: the answer was in order

- moving job
- moving house
- moving cats (ah if only I had time to do an IPKat like cartoon here of a sad fat tabby hiding doggedly under the bath...)

and then, just when you thought it was safe to go back into the blogging water..

- Blogger sundered me from my very own Pangloss, gave it briefly to Technollama and then refused to give me it back AT ALL. I think I broke Blogger :(

But here I am restored!! And overwhelmed with london evenst, not quite all of which I am speaking at.. Too late to tell you to look out for me speaking on spam at the very intriguing SCL Workshop on Regulation (patiently by my mate Andy Charlesworth of Bristol); too late to find me at DTI/KTN worhshop on locational data service providers - which was fascinating.

But you can still look for me at the Police and Justice Act 2006 have just seen Royal Assent (Thanks to Malcolm Hutty from LINX for this intelligence - altho it's not yet up as a finalised Act on the Web - watch this space); and at the ORG Release the Music extravaganza that night, hopefully bopping the night away at the DJ set with Jonathan Zittrain, someone from Blur and my Soton colleague Caroline Wilson. (Come and watch the geeks at play!) Then it's the Tripartite Response To Terror day, and the ORG Advisory Board which I am now proud to grace.

No rest for the wicked huh?

All this and Law 2.0 to come :)

Monday, July 31, 2006

GikII programme

The programme for GikII is now finalised. However if you're interested in attending, a very limited number of places are available for a nominal £25 to cover costs. feel free to pass this on. I'm really looking forward to it :-)

Friday, July 28, 2006

Perceptive Peers Go Pervasive, Persuasively

The House of Lords debates pervasive computing. As IdentityBlog comments. an unelected second House may seem like an anchronism, but the standard of debate is invariably higgher, especially on specialised technical topics, than in the Commons. Note the concern not just for privacy generally, but also for whether the Data Protection Act applies, for patient rights, and for environmental damage.

Thursday, July 27, 2006

MySpace Caves

From Boing Boing

Billy Bragg's highly publicized campaign against MySpace's crummy, grabby terms of service has been successful. MySpace has revised its terms so that musicians who upload to the site retain control of their works, and MySpace/NewsCorp/Fox can't sell those songs without contracting with the musicians.

Bragg now declares:

"Now that the popularity of downloading has made physical manufacturing and distribution no longer necessary, the next generation of artists will not need to surrender all of their rights in order to get their music into the marketplace. It is therefore crucial that they understand, from the moment that they first post music on the internet, the importance of retaining their long term right to exploit the material that they create. This is doubly important on a networking site where many of the songs posted will be by unsigned artists. Ownership of the rights to such material is somewhat ambiguous. Thats why I hope that the groundbreaking decision of MySpace to come down on the side of the artists rights will be followed throughout the industry.
I also welcome the new wording of the terms and conditions in which MySpace clarify exactly why they require specific rights and how they intend to use them. Again, I hope more sites follow the lead of MySpace in ensuring the use of clear and transparent language in contracts. The last thing any of us wants to see is a situation in which everyone posting a song on the site has to have a lawyer sitting next to them. "

Interesting. MySpace is of course very vulnerable to anti-PR stirred up by a well known musician since its USP is that every wannabee band in the world as their home page there. I wonder if YouTube will follow suit? YT's conditions have been criticised for potentially grabbing rights to all amateur videos posted there. (Google Videos' are similarly ambiguous.)

Thursday, July 20, 2006

More Fun with Ted and Alice but not the BPI

Not a great week for ISPs what with the BPI/Tiscali spat and this.

Also from OUT-Law :

"A music industry coalition has proposed that ISPs and others should pay a licence fee to compensate rights-holders for unlawful file-sharing by their customers. One critic called the plans, which would change copyright laws, "ill-conceived and grasping."

The group met in London yesterday. It did not represent the entire UK industry – notably, the BPI was not in attendance. But nearly 1,000 independent record companies and 50,000 songwriters, composers and music publishers were represented.

.. the groups represented yesterday do not want to target the individuals who infringe copyright in this way. Instead, they want to target the intermediaries. According to a joint statement issued after yesterday's meeting, ISPs, mobile companies and device manufacturers "profit extensively and reap wider value from the unauthorised distribution of music whilst being protected from liability by a series of legal immunities and safe harbours." There were no ISPs in attendance at the meeting."

So, the return of the ISPs' "dirty little secret", the idea that ISPs profit indirectly from downloading and therefore condone it (even though most broadband contracts are now flat rate rather than per MB). Somehow I can't see this one catching on with the UK Govt right now though. If ISPs got taxed for profiting from downloading and uploading, why they might stop co-operating with the IWF (and the police) in stopping access to child porn. Which voters like a lot less than they do the odd downloader.

My I'm cynical tonight.

Less obviously, ISPs already do quite often disconnect or at least cap the accounts of conspicuous bandwidth hogs. This doesn't give royalties back to the musicians but it does more quietly contribute to the control of filesharing in the UK, probably to quite a large extent.

I KNow What You Did Last summer

.. well actually your credit card does. And your bank.

OUT-Law report that:

"New powers to allow banks and building societies to remove the credit cards of customers cautioned for or convicted of buying indecent images of children online were agreed in Parliament on Tuesday.

The Data Protection (Processing of sensitive personal data) Order of 2006 amends the Data Protection Act of 1998 to allow card issuers to process sensitive personal data provided to them by law enforcement authorities so that they can withdraw the card used to commit the offence.

The order results from collaboration between the Department for Constitutional Affairs, the Association for Payment Clearing Services (APACS), the Child Exploitation and Online Protection Centre (CEOP), law enforcement agencies, children's charities and the Home Office."

The OUT_LAW team have already objected to this rule, and you can see why. The breach of privacy might be justified if it achieved anything, but withdrawing one credit card? I can sign up for 4 tomorrow using the junk mail and email offers I get everyday - and get more Air MIles while I'm at it :-)

So if you're in a conspiracy mood,what are we being softened up for here? When will we see credit card details of those who pay for other, less heinous things, passed on to the issuers? On line gambling anyone? Or payments to AllofMP3.com??

And when will these factors be taken into acount in credit scoring for getting MORE credit cards?

So there you have it: this is either a very silly law, or a very clever one..

Uber-Code

From the Cyberprof mailing list : Microsoft's academic outreach officer has anounced that Microsft are adopting "Windows principles" for the future:

"Microsoft's new, voluntary "Windows principles."

The principles were announced today in a speech in DC by Brad Smith (Microsoft's general counsel). It is worth noting that they will apply to development of Windows Vista, and will continue to apply after major parts of the antitrust consent decree expire in November 2007.

The principles are divided into the following three general categories:

· Choice for Computer Manufacturers and Customers. Microsoft is committed to designing Windows and licensing it on contractual terms so as to make it easy to install non-Microsoft® programs and to configure Windows-based PCs to use non-Microsoft programs instead of or in addition to Windows features.

· Opportunity for Developers. Microsoft is committed to designing and licensing Windows (and all the parts of the Windows platform) on terms that create and preserve opportunities for applications developers and Web site creators to build innovative products on the Windows platform — including products that directly compete with Microsoft's own products

. Interoperability for Users. Microsoft is committed to meeting customer interoperability needs and will do so in ways that enable customers to control their data and exchange information securely and reliably across diverse computer systems and applications.

I encourage you, if you are so inclined, to write about, blog about, or otherwise distribute your thoughts on the speech and the principles. Please feel free to contact me with questions or comments."

Whatever you think of both M$ and the above, (and cynically, the obvious thing to think is that M$ has just been smacked with a wacking great fine by the EU for failing to do some of or all of the above) this is an interesting deveopment.

Ever since Lessig kicked it all off, academics have talked about using some kind of set of principles to govern the creation of code by non-legislative coders. This is the first example I've seen of something more detailed than "Do no evil". Any other suggestions?

Tuesday, July 18, 2006

YouTube Goes Down the Tube (Not?)

As most the blogverse has noted, a certain Mr Tur, owner of Los Angeles News Service, is suing YouTube, the free and very popular video hosting site, for hosting a video he claims infringes his copyright.

While YouTube is perhaps best known for hosting user's own home vids (like the famous cat and Apple Powerbook video) it is also well known to host copyright material that fans or critics choose to upload - eg you can find the concluding segments of both the recent Dr Who and Green Wing series there. You can also find a middle ground of fan/user "mash ups" - songvids and the like - eg a very amusing parody of the end of that self same Dr Who series.

But YouTube is a host, not a P2P intermediary and so, oddly, it has the law on its side. The Digital Millennium Copyright Act provides that hosts who have no knowledge of hosting copyright infringing materail are immune from liability for it, as long as they respond to notices for take-down delivered in the style approved by the DMCA. (Furthermore, and even better, YouTube are protected from an action by a disgruntled user if they do so take down in good faith.) Nor is this just a USA oddity - the EC E Commerce Directive has a very similar regime for hosts in Art 14 of that instrument. (It's that provision that allows eBay in Europe, as previously discussed here, to get away with hosting trademark infringing goods so long as it removes them on notice, and expediently.)

These laws were drafted in the late 90s, before the P2P revolution but after the beginning of the dot.com boom, to protect ISPs , so as to encourage ISPs to collaborate with both the music industry and other such industry bodies in taking down pirate material on an NTD basis. Before they were introduced, following the late unlamented Prodigy case, ISPs were scared that if they touched illegal content, even to monitor or it or remove it, they immediately became liable for that content themselves.

But the amusing thing, now, in 2006, is that YouTube in many ways looks way more like (non legal) Napster than AOL or CompuServe. It's used extensively by a very large number of users to download pirate copies (c 100 million videos served per week, according to Technollama, of which a large number must be infringing), It's a free service, which makes its money on ads. And it has that cool , anti-the-man chic about it.

But because YouTube only hosts material provided by third parties, and doesn't put up its own materials (as MP3.com did), it's protected by the DMCA and ECD safe harbors. (Unless a US or European court can be convinced that it had "constructive" notice of illegality - ie it should have known what was going on or as the DMCA and ECD put it, was "aware of facts or circumstances from which infringing activity is apparent" - which is not altogether impossible but perhaps unlikely.) While the Napsters of this world fell foul of secondary copyright infringement, because their central database pointed at illegal copies hosted by other users. They didn't get the benefit of the DMCA because they weren't seen as a host who could respond to NTD notices and were aware of infringing activity. This seems, in retrospect, mildly curious.

As for a Grokster analysis - as Technollama also points out, it's hard to argue that YouTube "induced" copyright infringement. Their site unlike Grokster's is free of anti-copyright rhetoric and their ToS are impeccable (not that that helped Grokster!) - plus YouTube can calmly say the site was mainly set up to allow users to host their own amateur copyright material, and , I think, prove it.

So this one looks like a no-brainer.

So what if YouTube was serving, not videos, but pithy quips from popular novels, and acute chapters of contemporary academic works? Would the scenario be the same? What, in other words, if it was Google Library slightly differently conceived? Is this a way forward?

EDIT: Chris Marsden helpfully points out that You Tube merely streams video, and does not enable actual download - this of course makes it look far less like Napster/Grokster etc.

Thursday, July 13, 2006

Google regulation in Germany?

One idea that's been discussed and repelled here before is that search engines are important actors in cyberspace and that Google has in some markets a dominant position - does this mean therefore that it should have legal duties to the public eg, not to censor, or to list all sites, or to ue a certain algorithm for listing?

A German search engine conference has some interesting recent comments.(via The Register)

"German experts at a Berlin seminar this week argued that search engines need to be more regulated. They want companies such as Google, Microsoft, and Yahoo! to exercise editorial control over their search results and filter out sites with x-rated content or that glorify aggression.
"Mechanisms have to be developed to deal with illegal content and to protect children online," Marcel Machill, a lecturer in journalism at Germany's Leipzig and Dortmund universities, told the Search Engine Workshop run by the Friedrich Ebert Foundation this week."

Google and other search engines can however argue that they offer a safe search option voluntarily - though of course this can be turned off by the user. And it is well known that Google already do block listings which violate local law in (at least) China, France and Germany. But another speaker argued that a "voluntary obligation" is nothing more than a "weak regulation without any sanctions".

More interestingly perhaps though -

"Machill is also clearly troubled by the strong market position of some of the search engines. Google already accounts for 90 per cent of German web searches. In the classic media sector this kind of concentration would be absurd, he says.
"It is important not to let this power develop unnoticed." Machill hopes that Germany will establish a public corporation to build its own search engine with "editorial responsibility" to compete with Google."

Building a national search engine will be a preferable response to regulation of the private sector for many economists and regulators. But national attempts to build search engines (a French effort was documented here a while back) seem inevitably to lag behind market driven efforts Vive la capitalisme!

Tuesday, July 11, 2006

The ISP Strikes Back

Further to this post, one of the ISPs involved, Tiscali has now refused to comply with what Cory Doctorow has neatly christened notice-and-disconnection.

This is very interesting too. As Cory points out, when the device used by the rightsholder organisations like the BPI was notice-and-takedown, the economics were in favour of going along with it; it is cheaper and easier to take down content, than to get involved in possible legal proceedings. But it costs far far more to connect a paying customer up to the Internet; so the economics work the other way, for holding fast. This happens also to favour what might be seen as the civil society position, ie, that those accused of copyright violation deserve trial by due process before being presumed guilty on the BPI's say-so, and thrown off the Net. But digital rights are probably not the major motivation driving Tiscali's stance.

Nonethless this is a cheering development.

NIcely put summary from Tiscali's letter: "It is not for Tiscali, as an ISP, nor the BPI, as a trade association, to effectively act as a regulator or law enforcement agency and deny individuals theright to defend themselves against the allegations made against them."

Security 101

It really isn't very hard to get people to give up their mother's maiden name..

The New Statesman, on Living in the Silicon Cul de Sac

I love it:the New Statesman on why the UK Digerati are never going to be as sexy as their US counterparts (and look, ma, ORG has Americans in it too! shoot at will! hi , Jordan :-)

"[Cory} Doctorow leaves in his wake a newly formed UK advocacy team, the Open Rights Group. But there is one lingering question: why does Britain need "outreach" from North America when it comes to campaigning for digital rights? After all, it was a British man who invented the worldwide web. Why, when the US gets Silicon Valley with all its alt:latte cool and laptop-toting liberalism, are we stuck with the Silicon Corridor, nestled in the UK's debt heartland, Reading?

.. We British don't like to brag about it, but this country is still a home for some of the world's best open-source coders - Ben Laurie, who coded the security software that deals with most credit card transactions online, and Alan Cox, until recently second lieutenant in coding and maintaining a core part of the open-source operating system Linux, among others. So it seems silly that we should need help from the US to keep the digital future fair.

The truth is, it's the politics that keeps digital-rights campaigning so unsexy on this side of the Atlantic. In America, lawyers such as Lawrence Lessig can swan in and out of the Supreme Court at leisure, filing suits against the state for offences to free speech with the help of the good old US constitution. In Britain, we have to rely on legislation from Brussels. There have been significant victories on digital-rights issues in Europe, most notably the European Parliament's decision to reject the idea of extending patent law to cover software code and business models. But the lack of understanding about Europe's political processes and values makes campaigning on digital rights that much harder. "

Leaving aside the small matter that the European Convention on Human Rights is NOT legislation from Brussels, actually I think the problem is that we Brits just can't make grand statements with a straight face the way the Americans can. We haven't got the evangelical upbringing, the oral rhetoric of US culture. We're far less likely to be found saying things like "Digital rights are essential if we are to avoid being the DRM-ed slaves of the next Microserf generation" and more "That last episode of Dr Who last night was good wasn't it? Now, how about a cuppa, and er, about this ID cards business.."

(via Ben Lauries's blog)

Don't shoot the messenger, use him to send a message back?

Fascianting stuff about the role of ISPs in the fight against file sharing, via ars technica:

"Stepping up its campaign against illicit file-swappers, the British Phonographic Industry (BPI) has moved from targeting individual users to putting pressure on their ISPs. The BPI has just announced that 59 accounts suspected of large-scale piracy have been reported to two ISPs, which are expected to deal with the issue. 17 requests went to Tiscali, while another 42 were sent to Cable & Wireless.

The ISPs offer no guarantee that anything will be done, but the BPI wants to move faster against suspected file-swappers than is possible in the court system. They also want to paint the ISPs as complicit with the swapping through their own inaction. As they put it, "While the BPI retains the right to pursue cases against individual uploaders, the move against ISPs who have so far failed to take effective steps to stop illegal filesharing marks a significant development in the BPI campaign—allowing the record industry to deal with a greater volume of cases more quickly and efficiently." "

Oh how interesting. What's the legal position if the ISP doesn't do anything? or to put it another way, is there more than an arguable ethical duty on the ISP to investigate and taken its own action against the alleged filesharers?

Well, if the ISP gets told often enough that it has filesharers on its network (with dates and filenames and megs uploaded etc etc), and doesn't take steps to remove them, could it have constructive knowledge of illegal activity, and could it thus lose the benefit of the general ISP immunity defnce under the E-Commerce Directive Regulations? This is much the same kind of argument I toyed with making against eBay some while back.

Of course, before an ISP could even be potentially liable in civil damages, if not in criminal law, theer would have to be liablity under copyright law. Could an ISP that gets told off often enough for harbouring fileshareres be "authorising" or "inducing" copyright violation, as was successfully argued against KaZaa and Grokster in Australia and the US?

Far fetched perhaps.. but an interesting thought..

And of course, in the real world, it's a lot easier to scare ISPs with far fetched theories of legal liability than it is to convince a court of it :-)

Friday, July 07, 2006

ORG comes to town

panGloss has been cordially invited to join ORG, the new UK based Open Rights Group. ORG are hoping to host a social event at GikII, to encourage recruitment of, and communication between, members outside the London metropolis. (And so say all of us.)

Support the Open Rights Group

ORG write:

"Recent successes for ORG include:-
  • Submitting written and oral evidence to the All Party ParliamentaryGroup public inquiry into DRM, much of which made it into the finalreport.-
  • Submitting written evidence to the Gowers Review of Intellectual Property-
  • Raising awareness of the problems with DRM in the media, with several articles picking up on ORG's position

In our immediate future will be a campaign on the public domain, which will lobby against the music industry's request for an extension of copyright term on phonographic recording.

Please do spread the word if you can, and help us reach our target of1000 members!"

It's good to see an organisation which realises that even in the transnational world of cyberspace and digital rights, national legal and cultural divisions make local organisation and input vital. The recent Net Neutrality debaters eg have, slightly annoyingly, entirely ignored the fact that in the EU the problem is a non starter. EDRI is a briliant example of an umbrella digital rights organisation which comprehends that different cultures have different responses to the the new information sociaty. Is ORG yet part of EDRI? I must find out!

.. aaand it's g'buy to Google Checkout!

Further to my post on Google Checkout, Boing-Boing usefully reports that :

"A week after it was released, eBay has added Google Checkout to its list of online payment methods not permitted on eBay. A Google spokesperson says: "Google Checkout is not a beta product. Google has a long history in billing and payments for AdWords for premium services, such as Google Video". "

Oh what fun. This is what happens when money goes from being a coin of the realm to a proprietary product of course. What next? Will Google-friendly companies stop taking PayPal? Who will Amazon ally with? What does competition law say about all this, not to mention EU electronic money issuing rules? Do we need "clearing bank" rules for electronic wallet isuers? Don't miss next week's exciting episode!

Thursday, July 06, 2006

Mobile Security :-)

Finally what the world needs - the phone that won't let you drink and dial your exes.

A Korean manufacturer has developed a phone that includes a breathalyser. It can be programmed so when you blood alcohol exceeds a safe level, certain numbers cannnot be phoned.

And the IT law element? Well, a commentator on Bruce Schneier's blog asks if you could combine the measurements taken by the phone with geospatial data to pin an unwilling motorist down for drunken driving. Maybe unlikely in the States - but in London with our comprehensive Congestion Charging surveillance system?? I wonder if the readings are date and time stamped? and if/how they're stored?

Maybe we should all start getting into the habit of removing stored data from our phones... just like people clear their cookies and their history lists!

Friday, June 30, 2006

G'Buy to PayPal?

The Google empire have gone into the on-line payments business.

"Search giant Google has launched an online payments system which aims to compete with auction giant eBay. Dubbed Google Checkout, the system is designed to boost Google's main source of revenue - selling advertising. The service offers some free order processing to Google's millions of advertisers, but will initially be available only to stores in the US.
EBay unit Paypal is the market leader in online payments. EBay stock slipped ahead of Checkout's launch. "

Interestingly, the Beeb report downplays the idea that GBuy (as it is apparenly mostly already known) is intended to rival or destroy Paypal. Correspondents on Boing-Boing, NY Times and ZNet see it rather differently. "Google is charging merchants 20 cents plus 2 percent of the purchase price to process card transactions, less than most businesses pay for credit card processing. Banking industry executives say that credit card processors typically pay MasterCard and Visa a fee of 30 cents and 1.95 percent for every purchase, so Google will be subsidizing many transactions".

This could be good competition for PayPal - a good thing surely - and even the end of credit card domination of on-line payments - an interesting thing. Will Google, like PayPal, seek to be accredited in Europe as an Electronic Money Issuer, hence getting preferential treatment under the EMI Directive? It's only currently available in the US but one would think its case is even weaker than PP's (perhaps surprisingly successful) aplication - according to the Beeb again -

"The Google service will simply act as a transferring house, whereas Paypal has the facility for users to set up their own accounts to pay into - as well as offering credit card payments. "

To be an EMI requires stored value in essence - so it looks unlikely Google Checkout can qualify.

What does Google get out of it? More advertising is the main noted benefit; plus it supports their business opposition to Yahoo! and eBay/Paypal's recent tie up; but the NY Times also observes:

"Google may get several additional benefits from the checkout service. It will encourage more users to register and give it personal data, allowing Google to display advertising based on specific attributes of the viewer. More broadly, the data the company gets from transactions could help it improve the way it chooses which advertising to show to which users".

So we have interesting privacy implications too. Good thing Google does no evil, huh?

ps from John Battelle's SearchBlog, June 29 2006 -
The Oxford English Dictionary--last bastion of standardized English--includes "Google" as verb in the latest draft for its next edition. The pending definition, noted by Resource Shelf: intr. To use the Google search engine to find information on the Internet. trans. To search for information about (a person or thing) using the Google search engine.

WEIS and blog

The Security Lab people at Cambridge - including the esteemed Ross Anderson - have their own blog: full of interesting stories about computer security, including related legal issues.

I'm just back from WEIS, the Workshop on Economic Issues in Security run by that self same man : and boy, my mind is blown. I have things I now desperately want to write/research about selling zero day exploits, cyber insurance, and privacy seals , value of (actually less than zero) ; but I'm currently just too ill ! as I also came back with a bug and a high temperature.

But very shortly there will be a very long post about fascinating papers I've seen! In the meantime try Bruce Schneier's summary, with pointers to some of his highlight papers.

Also gratified by more abstracts that have arrived for GikII while I was away: it's looking goooood, kids!

Sunday, June 25, 2006

New Privacy Laws for the USA?

Two interestingly almost simultaneous calls for a uniform set of privacy laws for the US, applicable to private as well as public sectors, have emerged in the last few days.

OUT-Law.com reports : "Google, Microsoft, Intel, eBay, HP, Oracle and Sun are amongst the signatories to a statement calling for personal information to be protected across the US. Non-profit lobby group the Center for Democracy and Technology organised the companies into the Consumer Privacy Legislative Forum.

"The time has come for a serious process to consider comprehensive harmonized federal privacy legislation to create a simplified, uniform but flexible legal framework," said the CPL Forum's statement. "The legislation should provide protection for consumers from inappropriate collection and misuse of their personal information and also enable legitimate businesses to use information to promote economic and social value." "

Meanwhile Hillary Clinton has called for a Privacy Bill of Rights. Hilary,a likely Democratic candidate for 2008, stated that she wanted to to create a "privacy czar" within the White House to guard against recent problems like the theft of personal data from the
Department of Veterans Affairs'. She also wants legislation to let consumers know what information companies are keeping about them and how it is used, and create a tiered system of penalties for companies who are not careful with consumer data. "Clinton also waded into the debate over anti-terror eavesdropping. ..Clinton said any president should have the latest technology to track terrorists, but within laws that provide for oversight by judges."

And a San Francisco Chronicle report notes inter alia that technological invasion of privacy is not only accelerating but is also becoming more and more consumer friendly and "cool".

"Americans' rights to privacy will be tested even more in the next few years as biometric technology creeps increasingly into everyday arenas. For example, on the campus of UC San Diego, biometric experts are testing a soda machine that uses both fingerprint and face-recognition technology. The machine is in a lounge for grad students in UC San Diego's computer science building.
"The students are very excited about getting it working," Serge Belongie, a UC San Diego associate professor of computer science, says in a phone interview. "People think it's very cool. ... No one uses money. They have accounts. What would be fun is if (the machine) recognizes you and says, 'Would you like your usual?' "

As I have often suspected, the report indicates that although biometrics can be far more privacy threatening than ordinary methods of ID consumers favour them due to convenience factors:

"If UC San Diego students are reluctant to use the machine, their privacy concerns are outweighed by convenience -- a sentiment echoed in survey after survey on biometric technology. In March, Unisys Corp. released a report on public perception of "identity management" that said convenience and efficiency were the two biggest reasons consumers would use biometric technology. (The most preferred biometric methods are fingerprints and voice recognition, according to the survey. The least preferred, because of its perceived intrusiveness, is an iris or eye scan.) "

But not everyone is enthralled by the "brave new world in aisle 5":

"Pay By Touch admits it has encountered some resistance among shoppers it approached in supermarkets that already use the company's fingerprint service. But Morris, its president, says many of these customers are quickly won over by the convenience of Pay By Touch, which is free for consumers, and that the company keeps data points based on users' fingerprints, not actual fingerprints. So far, supermarkets in 40 states use the Pay By Touch system. .. The company insists it will never sell users' personal information or fingerprints to anyone else -- a pledge that's backed up in writing when users sign up with the company. But what if federal authorities, citing national security, insist on the finger scan and payment history of a Pay By Touch user? "

The times they are a changing. Last year, at a workshop I organised in Edinburgh, Peter Swire, effectively Bill (not HIlary's) privacy czar during that administration, was pessimistic that post 9/11 there was much scope for the private sector and governmental privacy legislation that the Clinton era might have favoured. Is the pendulum swinging again, in the light of recent personal data scandals, to the point where privacy is a vote-getter in the USA? Watch this space.

Saturday, June 24, 2006

Alan Moore vs the Copyright fairies

While we're considering pop culture and IT law (great stuff for a GikII paper here!) the IPKat reports that Alan Moore, father of the graphic novel is potentially running into trouble with his latest project,a graphic novel called Lost Girls which is "a meeting between Wendy (of Peter Pan), Alice (of Alice in Wonderland) and Dorothy of The Wizard of Oz) once they have grown up". It is also allegedly "erotic fiction at its finest". Hmm. As every IP lawyer knows of course, there is a specific exception in UK copyright law (s.300 of the CDPA )which grants perpetual copyright in J M Barrie's Peter Pan, which goes to the Great Ormond Street Hospital by virtue of a legacy to the hospital in Barrie's will. And the hospital are apparently deeply unhappy with being connected with this project and its possible paedophilic implications, and may seek to have publication banned in the UK and Europe.

The IPKat suggests that "the hospital [has after 2007] a right to royalties, not the full rights of a copyright owner. This would mean that the hospital could make money from the novel, but not that it could stop its distribution." Others suggest the whole idea of perpetual copyright, even as a pleasing anomaly given the storyline of Peter Pan , should be abolished. Alan Moore himself is no stranger to copyright fights: the tangled tale of Marvelman, Miracleman, Moore, DC, and Gaiman et al is too confusing to even begin to tell here. Moore, after various disputes, has also refused to allow film adapations of any of his works to which he still owns full copyright and has removed his name from adaptations he cannot control, even where they have been critically well received as with the recent V for Vendetta. He is a formidable adversary in respect of his work, and it will be interesting to see where this dispute goes next.

Dr Who and the Semantic Web

Tim Berners-Lee has been round the houses latel;y, proselytising not only for net neutrality (see earlier posts) but also for his baby, the Semantic Web. The Guardian has an informative and occasionally entertaining piece on his efforts.

"..the BBC, one of the organisations that led Britain on to the web, is keen to share some of its data. Tom Loosemore, head of strategic innovation, says the corporation will shortly place online the catalogue of its entire surviving programme library - not the 950,000 television and radio programmes themselves, but the names, transmission details, often production credits and in some cases who is interviewed..

"What is interesting is what the audience does with that data," [he says] although Loosemore imagines that Doctor Who fans will be early adopters. It will be available through an API (applications programming interface) at BBC Backstage (http://backstage.bbc.co.uk), which allows data to be re-used for non-commercial purposes - a model that the Ordnance Survey hopes to follow."

Friday, June 16, 2006

Internet libel : why, how and where

It's always good to see empirical research backing things you intuitively anyway :-) I've long asserted in my textbook Law and the Internet that email is particularly defamation-prone because of the odd nature of the medium, which combines the spontaneity of speech with the archiving capacity of text. Now we have actual scientific confirmation of the first point.

"In effect, e-mail cannot adequately convey emotion. A recent study by Profs. Justin Kruger of New York University and Nicholas Epley of the University of Chicago focused on how well sarcasm is detected in electronic messages. Their conclusion: Not only do e-mail senders overestimate their ability to communicate feelings, but e-mail recipients also overestimate their ability to correctly decode those feelings."

Two scientists in the area, Michael Morris and Jeff Lowenstein add "One reason for this, the business-school professors say, is that people are egocentric. They assume others experience stimuli the same way they do. Also, e-mail lacks body language, tone of voice, and other cues - making it difficult to interpret emotion.

"A typical e-mail has this feature of seeming like face-to-face communication," Professor Epley says. "It's informal and it's rapid, so you assume you're getting the same paralinguistic cues you get from spoken communication." "

Which raises an interesting point for various legal systems: if sarcasm or fair comment or "joke" (in rixa in Scots law) is a legal defense, is it to be measured by what the sender meant, the recipient understood, or what the "reasonable man" would have taken out of the communication? Probably the latter in most systems, given libel damages are measured by the damage to the reputation - but what if, as the study evidence seems to show , there is no objective "true" interpretation of email speech, only different subjective interpretations? Oh how postm0dern!

On the more legal front, another new English Internet libel case is Al Amoudi v Brisard and JCB Consulting International SARL [2006] EWHC 1062 (QB). (Via OUT-Law.com )

Ethiopian-born businessman Mohammed Hussein Al Amoudi, who normally lives in Saudi Arabia but spends around two-and-a-half months a year in England, sued Swiss resident Jean Charles Brisard and his Swiss company, JCB Consulting International SARL in the English courts. Brisard claims to be a world expert on terrorist financing. In two reports on JCB's site he made references to Al Amoudi. These suggested that Al Amoudi might be "a knowing participant in the economic, financial and/or terrorist networks of the terrorist Osama Bin Laden". Al Amoudi sued for defamation, seking summary judgment ie judgment without trial of the evidence. The key point on which this was rejected by the court was that Al Amoudi had not proved "substantial publication" in England and this could not be proved. (It was not argued at this stage whether the coments themselves were defamatory.)

Legally, in England, damage in libel cases is presumed, and therefore need not be proven, but, as a norm, circulation figures are provided to back claims of "substantial damage" in cases involving non-English defenders. In this case however, there was a dispute over how long the offending website had been available for, and it was thus submitted only that "publication over the Internet takes place if and only if the material is accessed and downloaded by a third party within the jurisdiction". Crucially, Mr Justice Gray held that "I am unable to accept that under English law a claimant in a libel action on an Internet publication is entitled to rely on a presumption of law that there has been substantial publication".[italics added]. Acordingly the case was denied summary judgment and the claimant must prove publication in the ordinary way if he wishes to proceed.

This is an interesting application of last year's major Internet libel case, Dow Jones v Jameel , [2005] EWCA Civ 75. In that case, only five people in England were shown to have "clicked through" a link on the defender's (DJ's)online Wall Street Journal website, which lead to an allegedly defamatory item. These 5 persons "clicking through", furthermore, included the solicitor of Mr Jameel (the person allegedly defamed)and two of his business associates. Thus, it was argued by the defendant, the court should dismiss the case, as damage to reputation in England that was more than nominal had not been proven.

Several very famous non-Internet libel cases were, however, cited by Jameel as precedents that " under English law there is a presumption of damage in libel cases, [thus] the plaintiffs did not have to adduce evidence of damage arising from the publication of the article in question": see eg Duke of Brunswick v Harmer (1849) 14 QB 185, Shevill v Presse Alliance [1996] AC 959 and Berezowsky v Michaels [2001] 1 WLR 1004. In other words, damage to reputation would be presumed. The Court of Appeal in Jameel upheld these precedents, and furthermore held on review of them that this presumption was still, in practice, irrebuttable. In conventional publication, it is extremely difficult to establish how many people have read a publication, so the presumption of damage makes sense or proof may become a bar to redress in very many cases. However with Internet hit counters, proof of publication in the jurisdiction (& numbers of readers) can become trivially easy. The court nonetheless thought there were good reasons why damage should still always be presumed, and furthermore that such a presumption did not "chill" freedom of expression under the Human Rights Act 1998 and/or Art 8 of the European Convention on Human Rights.

However this was not the end of the story. Jameel's case was still rejected as an "abuse of process". Since this was a non-EU, non-Brussels Convention case, an application to serve outside the jurisdiction of England was necessary, which raised the question of whether 'a real and substantial tort ha[d] been committed within the jurisdiction': Kroch v Rossell [1937] 1 All ER 725, Chadha v Dow Jones & Co Inc [1999] EMLR 724, and Civil Procedure Rules 6.20(8). Since the damage to Mr Jameel's reputation in England was apparently minimal, in the Court of Appeal's view, only "very modest damages" would have been available after what would have been a lengthy and expensive trial. So the case was thrown out as an abuse of process.

LJ Phillips MR noted that : "There have been two recent developments which have rendered the court more ready to entertain a submission that pursuit of a libel action is an abuse of process. The first is the introduction of the new Civil Procedure Rules. Pursuit of the overriding objective requires an approach by the court to litigation that is both more flexible and more pro-active. The second is the coming into effect of the Human Rights Act. ... Keeping a proper balance between the Article 10 right of freedom of expression and the protection of individual reputation must, so it seems to us, require the court to bring to a stop as an abuse of process defamation proceedings that are not serving the legitimate purpose of protecting the claimant's reputation, which includes compensating the claimant only if that reputation has been unlawfully damaged."

This case (which I must shamefacedly admit to having missed when it first came out) is a remarkable step forward, by a cleverly lateral route, from the much-criticised jurisdictional rules on forum non conveniens applied to date by the English courts in Internet-related cases like Berezovsky and Loutchansky v Times Newspapers & Ors Nos 2 to 5 [2002] QB 783. Jameel does not over-rule these cases (inded it could not, not being of House of Lords level). Nor does it impose a US style single publication rule, as Geoffrey Robertson QC has suggested in a number of cases, nor does it change the rules established in The Spiliada [1987] AC 470, as to when England is an appropriate forum (basically, nearly always:-)

But it does provide an alternative route by which to argue, sensibly, that the English courts should not be involved in cases where the circulation of the libelous item in England has been tiny, and the damages in England are therefore also likely to be minimal. This is a giant step forward for opposing the "chilling effect" of the threat of action in England in relation to texts on international websites which essentially have little or no connection to English readers. The Master of the Rolls is to be congratulated.

This author would however suggest that it's still not enough: Internet cases require a total revamp of the rules of forum non conveniens. Imagine if Berezovsky had been argued on post-Jameel rules, for example. That case concerned a tiny circulation of the libellous item in question in England, compared to an enormous circulation in the US - but still a circulation significant enough for more than nominal damages. I suspect the court would still have been forced to take it, even given the addition of the "abuse of process" concept - in other words we have still not budged from the idea that if England is an appropriate forum but obviously not THE most appropriate forum, it will still accept all comers. On the Internet this is clearly turning England into a "libel case magnet" as was asserted during Berezovsky. Given the weight of post-Spiliada authority any change will however require legislation: which will be , one suspects, a long time coming.

Wednesday, June 14, 2006

Who needs keyloggers? USB hacking for Dummies.

Steve Stasiukonis, VP and founder of Secure Network Technologies Inc, tells us how easy it is using social engineering to collect passwords and data from a large and apparently secure corporation , by means of leaving USB drives around and waitinmg for people to wonder "I wonder what's on it?", and click..

"We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us...

..The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.

..After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management."

Glorious stuff. How should the law begin to help deal with this kind of thing? An obigation of security of systems, just as we currently have to provide a safe system of working under health and safety, seems the way to go, at least for any industry which handles the personal data of third parties. (of course, we theoretically have that already under DP law at least in Europe - but as usual, where's the enforcement mechanism?)

Monday, June 12, 2006

EBay Goes Ad-wards

"EBay is to launch keyword advertising - where internet users will be directed to specific auctions linked to words on the web page they are visiting.
Under the plan, site owners hosting the adverts for the online auctioneer will get a slice of the product sale price.

Called AdContext, EBay's new system may prove popular with blog site publishers who would be able to use it as an extra generator of revenue, analysts said.

The technique of contextual advertising is already used by Google and Yahoo. "

.. says the Beeb astutely adding that "EBay is one of the biggest advertisers on both Google and Yahoo and the plan could reduce its reliance on these sites, analysts said. "

Interesting , not just for its implications for eBay's business model and profits, (and indeed for the increasingly professionalised blog business model too), but also for what it might say about eBay's current EU and US immunity from liability for content originated by third parties. When eBay are actually facilitating the driving of traffic towards particuar auctions, by providing this particular advert model, with the specific intention of getting a cut of the final price (and driving that price up by greater traffic, one presumes) how neutral a third party intermediary really can they still be? (Also the contractual relationships must be fascinating.) I will shortly be writing up thoughts in this direction for the SCL's Journal of Computers and Law.

More Wiki than Geeky

Yochai's Benckler new Wealth of Networks, which is causing a veritable hail of interest, has, suprise, suprise a wiki.

And there are some very interesting links to commentary on the issue of wikis and the peer production method at Ray Corrigan's excellent blog.

This is a placeholder for my summer reading, natch; but it's also a chance for me to repeat my favourite IT law joke wot I thought up, as adapted freely from Sellar and Yeatman's fabulous 1066 And All That.

Students with a classical background , having finally managed to decipher their lecture notes,sometimes look up at their IT law profesors and say "Veni, vidi, vici!"* At which their law professors run away, thinking they have been (correctly) called Weeny, Weedy and Weaky, and this knew they had All been divided into Three Parts (like Gaul).
Only nowadays the ignorant non Latin loving profs think the students are just criticising their class Wiki!

Which is also a good place to plug my blue-skies cutting-edge and any other adjective you care to call it workshop on IT law and associated topics, GikII, to be held in Edinburgh on 5th September . Abstract deadline extended to June 30th, subsidy available for travel and accomodation and we already have papers on everything from digital property and virtual worlds governance to entropy in IT law and technophobia in Lord of the Rings!


* For Classicophobes, I came, I saw, I conquered! in Latin, as Julius Caesar is reported to have cried on conquering Britain (er, or somewhere else - see comment below..).

Wednesday, May 31, 2006

EU infrastructure security proposals

The EU has released a Communication on a strategy for a Secure Information Society – “Dialogue, partnership and empowerment” COM(2006) 251. This seems to be a serious atempt to advance the preservation of the Internet as critical infrastructure from the various current security threats - viruses, worms, DoS, hacking, spoofing et al. This was first advanced as an EC priority in Communication “i2010 – A European Information Society for growth and employment”( COM (2005) 229 final of 1.6.2005). The EU's press release announces that the Commission will report to Council and Parliament in the middle of 2007 on the activities launched, the initial findings and the state of play of individual initiatives, including those of ENISA (the European Network and Information Security Agency established in 2004, also as a result of the i2010 document) and those taken at Member State level and in the private sector. If appropriate, the Commission will then propose a Recommendation on network and information security (NIS).

The Communication identifies three key threats to Internet security.

"Firstly, attacks on information systems are increasingly motivated by profit rather than by the desire to create disruption for its own sake... [Secondly] The increasing deployment of mobile devices (including 3G mobile phones, portable
videogames, etc.) and mobile-based network services will pose new challenges, as IP based services develop rapidly. These could eventually prove to be a more common route for attacks than personal computers since the latter already deploy a significant level of security... [Thirdly} Another significant development is the advent of “ambient intelligence”, in which intelligentdevices supported by computing and networking technology will become ubiquitous (e.g. through RFID11, IPv6 and sensor networks). A totally interconnected and networked everyday life promises significant opportunities. However, it will also create additional security and privacy-related risks... The emergence of certain “monocultures” in software platforms and applications can greatly facilitate the growth and spread of security threats such as malware and viruses. Diversity, openness and interoperability are integral components of security and should be promoted."

What solutions does the Communication propose?

".. given the ubiquity of ICTs and information systems, network and information security is a challenge for everybody:
• Public administrations need to address the security of their systems, not just to protect
public sector information, but also to serve as an example of best practice for other players;
• Enterprises need to address NIS more as an asset and an element of competitive
advantage than as a “negative cost”;
• Individual users need to understand that their home systems are critical for the overall “security chain”.

In order to successfully tackle the problems described above, all stakeholders need reliable data on information security incidents and trends... one of the cornerstones in developing a culture of security is improving our knowledge of the problem... [And] Wherever possible, therefore, NIS should be presented as a virtue and an opportunity rather than as a liability and a cost. It needs to be viewed as an asset in building trust and consumer confidence, a competitive advantage for enterprises operating information systems, and a service quality issue for both public and private sector service providers."

PanGloss finds all this rather pleasing, as she has recently spent much time recommending , like the new EU instrument, a "holistic approach" to computer security, rather than one based, as at present, primarily on the ineffective tool of criminal law.

We are also promised a specific work programme which includes:

- two specific Communications on (i) spam, spyware and related threats; and (ii) cybercrime, including law enforcement authority co-operation.
- the scheduled review of the regulation of electronic communications due within 2006, to be expanded to include consideration of network and information security (NIS)
- the creation of a European multilingual info sharing and alert system (this to be a goal for ENISA)
- a "multi stakeholder dialogue" on economic, business and societal drivers towards NIS
- allocation of resources to NIS research under the 7th Framework programme

And in among the succeeding detail, is a para which sparks this writer's own little obsession - how far ISPs - and indeed software companies - should be held responsible for creating the new more secure Internet.

"3.3.2 The Commission also invites private sector stakeholders to take initiatives to:
• Develop an appropriate definition of responsibilities for software producers and
Internet service providers in relation to the provision of adequate and auditable levels of security. Here, support for standardised processes that would meet commonly agreed security standards and best practice rules is needed."

This is fascinating and much needed stuff. More comment when I have had time to look in more detail.

And the IT-Dino!

My correspondent Douglas Spencer points out that the tale of the cat who wasn't there (post below)is by no means the only recent domain name dispute to involve cute anthropomorphicised animals.

"I am reminded of a dispute between a purple dinosaur and a six-year-old boy [DRS1544]: HIT Entertainment PLC produce Barney, a stuffed purple dinosaur, together with a TV show and lots of valuable merchandise, and they disputed the registration of barney.co.uk by a certain Tim Loosemore, who had a son called Barney.

However, the giant media empire was dreadfully incompetent in assembling its case, and the boy's father is a major mover in organisations like Wired, FaxYourMP, and NTK.

The stuffed dinosaur lost. Visit Barney on the web".

Thanks, Doug!! sadly , the arbiter in this case, Andrew Lothian, declined to exposit further on the reality or otherwise of either fuzzy dinosaurs or six year olds.

the ITKat :-)

Discovered, with great delight via Discourse.net, a domain name arbitration around the well known trademark Morgan Stanley, in the US, where defendant's argument was, basically, that he was a cat.

"Respondent maintains that it is a cat, that is, a well-known carnivorous quadruped which has long been domesticated. However, it is equally well-known that the common cat, whose scientific name is Felis domesticus, cannot speak or read or write. Thus, a common cat could not have submitted the Response (or even have registered the disputed domain name). Therefore, either Respondent is a different species of cat, such as the one that stars in the motion picture "Cat From Outer Space," or Respondent's assertion regarding its being a cat is incorrect.

If Respondent is in fact a cat from outer space, then it should have so indicated in its reply, in order to avoid unnecessary perplexity by the Panel. Further, it should have explained why a cat from outer space would allow Mr. Woods to use the disputed domain name. In the absence of such an explanation, the Panel must conclude that, if Respondent is a cat from outer space, then it may have something to hide, and this is indicative of bad faith behavior.

On the other hand, if Respondent's assertion regarding its being a cat is incorrect, then Respondent has undoubtedly attempted to mislead this Panel and has provided incorrect WHOIS information. Such behavior is indicative of bad faith. See Video Direct Distribs. Inc. v. Video Direct, Inc., FA 94724 (Nat. Arb. Forum June 5, 2000) (finding that the respondent acted in bad faith by providing incorrect information to the registrar regarding the owner of the registered name). ...

The Panel finds that Respondent's assertions that it is a cat provide sufficient evidence to conclude that the Respondent registered and is using the disputed domain name in bad faith. And this despite the fact that the Panel, unlike Queen Victoria, is amused."

Thursday, May 25, 2006

Blogging for fun and profit, er, strife and ruin?

NY Times report incidents of people sacked or not hired for having work related blogs

"On the first day of his internship last year, Andrew McDonald created a Web site for himself. It never occurred to him that his bosses might not like his naming it after the company and writing in it about what went on in their office.
For Mr. McDonald, the Web log he created, "I'm a Comedy Central Intern," was merely a way to keep his friends apprised of his activities and to practice his humor writing. For Comedy Central, it was a corporate no-no — especially after it was mentioned on Gawker.com, the gossip Web site, attracting thousands of new readers.

"Not even a newborn puppy on a pink cloud is as cute as a secret work blog!" chirped Gawker, giddily providing the link to its audience."



Oops.

But no one's reading this, right?:-)

Wednesday, May 24, 2006

panGloss

As you may have noticed , BlogScript has now officially changed its name to PanGloss. I'm not changing the URL currently, but to give due warning, I may well migrate this blog elsewhere in the next few months.

Why the change? Well, Blogscript was never exactly a catchy name. It was supposed to be the "blog for SCRIPT"; and SCRIPT was the acronym I dreamt up, six or seven years back, for the loose conglomeration of IT and IP law scholars at Edinburgh Law School , who later became the AHRC Centre for Intellectual Property and Technology Law in 2002. SCRIPT stood for Scottish Centre for Research into IP and Technology (Law) - rather easier to remember than the current research-council imposed name, you must admit:-) The original idea was this blog would feature contributions from the postgraduate students at the AHRC Centre, with a bit of help from myself and Andres Guadamuz, my co-teacher. In the end though, as ever, you can take a student to water, but you can't make him/her drink :-) and so, predictably, I ended up writing the content exclusively myself, and to my surprise, like most bloggers, becoming mildly addicted to the process.

And now I'm leaving Edinburgh, it seems a good time to formalise this as MY blog, not a blog for a particular course or university; and thus to dump the clunky "SCRIPT blog" name in favour of something with a bit more juice to it.

So why panGloss? Well, blame Paul Maharg. A month or so back, at the very enjoyable BILETA 2006 conference in Malta, Paul gave a storming talk entitled " ‘Borne back ceaselessly into the past’: Glossa, hypertext and the future of legal education". Paul's argument was loosely that some very interesting similarities can be observed between legal education in the centuries before the invention of the printing press, and curent electronic publishing and social software practice. Paul pointed out that in the pre Caxton world, when original texts were rare and expensive - texts like the Bible, or in law, the Roman Institutes and Digests - the practice arose of annotating them in hand writing round the edges, often in different colours and styles. These commentaries - "glosses" - were then sometimes published themselves, arranged as marginalia around the original text, as studiable texts in their own right. These glosses then over years themselves became the subject of scholarly lectures, debate and analysis, with a dense web of mutual cross referencing arising. Such glosses contributed enormously to the development of law in most of Western Europe. The analogies to blogs and hyperlinking are both obvious and irresistably enticing, and the Scottish contingent at BILETA, raised in the mixed legal system tradition on stories of the medieval Glossators and Post-Glossators, were almost too excited to stay in their seats.

So the idea of a law blog as a modern "gloss" stuck in my mind. I once edited a hard copy fanzine called Gloss (gosh! how twentieth century!) so the new electronic Gloss had to be called something slightly more exciting. eGloss was too generic. iGloss was fun and a la mode, but sounded too much like an Apple product, or maybe a paint commercial. GLawss was clever but far too cutesy. panGloss , with its echoes of Voltaire and the best of all things in the best of all possible worlds seemed to strike a suitably optimistic and technophilic note. So panGloss it is. Be seeing you!

Law and the Semantic Web

WWW06 is on in Edinburgh right now. I'm not at it, for various reasons, but I am intrigued by the reports, because it's being run by my future home, Southampton University, in my current home, Edinburgh; and because we're getting the first inklings that there may be as many legal problems about Web 2.0 as we've already had with Web 1.0.

"Hugh Glaser of the University of Southampton ..describing the semantic web, an attempt to make the web more intelligent... [said] Privacy problems could occur,.. because the semantic web deliberately combines multiple sources of information about people and places."

This problem has already reportedly come up in real life with various Grid projects emanating from the E-Science Centre (also in Edinburgh). Large distributed databases are being mined for results by researchers asociated with the high-speed "Internet 2" that is the Grid, working from different institutions in different countries. In such circumstances, it is hard to identify and seperate data controllers, processors and subjects, let alone work out what legal system has jurisdiction, and hence what information privacy rules operate. It looks like the Semantic Web takes this trend one step further. I hope to be working on these kinds of problems with colleagues at Southampton very soon.

Monday, May 22, 2006

Americans wouldn't give a triple ex for that domain name..

The Beeb reports a challenge to the US blocking of the .xxx domain.

"ICM has filed Freedom of Information requests against the US Department of Commerce and Department of State to get uncensored copies of official documents that relate to the creation of the .xxx domain.

In its Freedom of Information filing, ICM said it expected the documents to "shed light on what role the United States government played in the Internet Corporation for Assigned Names and Numbers' (Icann) consideration of ICM's proposal to create and operate a new .xxx domain".

Members of the board voted against the ICM agreement based on inaccurate information about the written statements of various governments concerning .xxx
Icann voted on 10 May to reject ICM's plans following a year of delay over a final decision on the domain. "

Oooohhhh!!! (she says, insightfully).

As various other commentators have said, the US (and one assumes, religious right) opposition to .xxx seems mighty peculiar. Implementing the domain won't create more porn or make it easier to find - it'll just make it easier for ISPs and parents to filter it out. This is what they want, right? (My own feeling is that it's an unintersting squabble anyway, because you are hardly going to convince the Russians and Moldovans to put their porn sites in .xxxx if that DOES mean they'll be more easily filtered..).

How about a domain for .phish ? :-)

Sunday, May 21, 2006

Kitchens of Distinction

Sunday observations on opt in/opt out and junk email ..

Blogscript just finally bought a new cooker. This is something of a personal triumph, but why should you be interested?

Well the Sainsbury's website, whence from this appliance was purchased (at, I should say, a very competitive price) presents the following choice as the purchaser checks out:

Please indicate below whether you would like to receive these:
If you do not wish to receive information by post, tick yes/no box
If you do not wish to receive information by telephone, tick yes/no box
If you are happy to receive information by text email, tick yes/no box
If you are happy to receive information by text message, tick yes/no box

My instinct (and I'm betting that of several hundred thousand others) was to tick NO all the way down on automatic pilot. Then I noticed I actually had to say YES to third and fourth options to NOT get junk texts/emails.

Now Sainsburies are perhaps/probably acting in good faith here; having noticed that the PECD now requires affirmative consent of some kind re spam/texts.

But I still think it's bloody misleading , no??

About time we had a very small SI mandating a standard tick box for consumer opt in/opt out - as the NCC recommended several years back.

Thursday, May 18, 2006

Even Nova-er Terra Nova

New Scientist (inter alia) reports on what they call the "first ever virtual property" law suit:

"Marc Bragg, an attorney from Pennsylvania, US, filed the suit against the company behind Second Life, Linden Lab based in California, US. He accuses the company of deactivating his account after he discovered a loophole that enabled him to buy virtual land cheaply within the game.

The suit, filed in a local district court, seeks financial restitution for Bragg who claims he invested around $32,000 in the virtual land. "This is probably the first dispute of its kind," Bragg says in a statement posted online. "This suit challenges the legitimacy of a virtual intangible purchase of an asset."

Rather US centric, as there have been several other such suits reported already in Asian countries like Korea and China. But it looks like fun all the way - here's hoping neither side decides to settle!

Nul Points to the Royaume Uni..

Strangely little attention seems to have been paid to a rather significant written answer in the House of Commons, reported by that fine organ The Register.

"The government has given internet service providers until 2008 to block all access to websites containing illegal images of child abuse listed by the Internet Watch Foundation.

In a Parliamentary written answer on 15 May, Home Office Minister Vernon Coaker said progress had been made, but hinted that if the last paedophile services were not snuffed out of circulation soon the government might take steps itself to block people accessing them.

The industry-funded IWF had already seen a drastic drop in the number of illegal sites reported to be hosted in the UK, from 18 per cent in 1997 to 0.4 per cent in 2005.

All 3G mobile operators blocked access to paedophile sites over their networks, while all of the biggest internet service providers, representing 90 per cent of broadband domestic connections, were also willingly blocking access."

There is an awful lot of fudging going on here. Yes, the IWF has been staggeringly successful at removing child porn HOSTED in the UK. Those figures are true. This is not least because virtually all UK ISPs receive the IWF URL list of illegal child porn sites, and take action on it, since otherwise they would be liable to action as publishers on notice of illegal material under the EC E Commerce Directive.

But that doesn't mean there's any less kiddy porn out there. Au contraire, it just means it's hosted in other countries than the UK, where the laws are kinder or less well enforced: noteably the US, where hate speech, eg, still thrives under the protection of the First Amendment, and the outlaw lands of the former Soviet Union.

What the government are talking about here is enforcing, not takedown of child porn sites within the UK, which is indeed almost accomplished , but upstream censorship of all feeds coming into the UK so no one in the UK can access illegal porn from sites *outside* the UK. This access-filtering and blocking can be done very efficiently via the technology BT Internet have already implemented, known as Cleanfeed and which has already been rolled out by "agreement" (since many of those who sign up to BT wil know nothing of Cleanfeed and what it does) to those who signed up to get the Net via BT.

Now all this is OK so far, you are no doubt saying. If you want a child porn free feed so that eg your kids or partner can't get at it, then signing up with BT makes sense. Anyone else still has the ability to go to another UK ISP. And if it's illegal to possess child porn (which it is in almost every state in the world now) then why not command your ISPs to block it at source, so no customers can get at it?

Because - and this is to me a rather more immediate worry than the net neutrality debate - any filtering technology dependent on keywords or a URL list, that can efectively block all kid porn access, upstream, invisibly - and which is mandated to do so by the government and MUST be installed by every ISP - can very easily be extended to block any content AT ALL coming into the country that the government finds unlikeable. As also revealed by the parliamentary question,"The Home Office had admitted that it had considered blocking websites that "glorified terrorism" under the Terrorism Act (2006). It said it was not policy to require ISPs to block content, but added: "our legislation as drafted provides the flexibility to accomodate a change in Government policy should the need ever arise." (And there is some rumour that the govrnment had considered blocking "terrorist" material before this law ever came into force, and which thus may not have been illegal at all at the time.)

I'm no free speech nut, but that last sentence quoted sends chills down my spine. This is the technology that could turn us into China, tomorrow, and the nice bit is, most non-techy people would never even notice. Banned books get headlines, banned newspapers get marches in the streets : banned websites, or pictures, disguised behind the ubiquitous error messages of the Net, rarely get noticed. And while Google providing a censored service to its customers in China dominated the tech press in the US for weeks, here, the UK - the state, not a private company - proposing China style censorship tools as part of compulsory legislation for all ISPs, doesn't even seem to have made the BBC website. (And remember . we aren't China : they don't have to use these tools to close down sites abraod that are politically dubious. They could use them to block P2P downloading sites, or sites flogging warez, just as easily.)

Anyone else feel even a tad worried?