Friday, June 30, 2006

G'Buy to PayPal?

The Google empire have gone into the on-line payments business.

"Search giant Google has launched an online payments system which aims to compete with auction giant eBay. Dubbed Google Checkout, the system is designed to boost Google's main source of revenue - selling advertising. The service offers some free order processing to Google's millions of advertisers, but will initially be available only to stores in the US.
EBay unit Paypal is the market leader in online payments. EBay stock slipped ahead of Checkout's launch. "

Interestingly, the Beeb report downplays the idea that GBuy (as it is apparenly mostly already known) is intended to rival or destroy Paypal. Correspondents on Boing-Boing, NY Times and ZNet see it rather differently. "Google is charging merchants 20 cents plus 2 percent of the purchase price to process card transactions, less than most businesses pay for credit card processing. Banking industry executives say that credit card processors typically pay MasterCard and Visa a fee of 30 cents and 1.95 percent for every purchase, so Google will be subsidizing many transactions".

This could be good competition for PayPal - a good thing surely - and even the end of credit card domination of on-line payments - an interesting thing. Will Google, like PayPal, seek to be accredited in Europe as an Electronic Money Issuer, hence getting preferential treatment under the EMI Directive? It's only currently available in the US but one would think its case is even weaker than PP's (perhaps surprisingly successful) aplication - according to the Beeb again -

"The Google service will simply act as a transferring house, whereas Paypal has the facility for users to set up their own accounts to pay into - as well as offering credit card payments. "

To be an EMI requires stored value in essence - so it looks unlikely Google Checkout can qualify.

What does Google get out of it? More advertising is the main noted benefit; plus it supports their business opposition to Yahoo! and eBay/Paypal's recent tie up; but the NY Times also observes:

"Google may get several additional benefits from the checkout service. It will encourage more users to register and give it personal data, allowing Google to display advertising based on specific attributes of the viewer. More broadly, the data the company gets from transactions could help it improve the way it chooses which advertising to show to which users".

So we have interesting privacy implications too. Good thing Google does no evil, huh?

ps from John Battelle's SearchBlog, June 29 2006 -
The Oxford English Dictionary--last bastion of standardized English--includes "Google" as verb in the latest draft for its next edition. The pending definition, noted by Resource Shelf: intr. To use the Google search engine to find information on the Internet. trans. To search for information about (a person or thing) using the Google search engine.

WEIS and blog

The Security Lab people at Cambridge - including the esteemed Ross Anderson - have their own blog: full of interesting stories about computer security, including related legal issues.

I'm just back from WEIS, the Workshop on Economic Issues in Security run by that self same man : and boy, my mind is blown. I have things I now desperately want to write/research about selling zero day exploits, cyber insurance, and privacy seals , value of (actually less than zero) ; but I'm currently just too ill ! as I also came back with a bug and a high temperature.

But very shortly there will be a very long post about fascinating papers I've seen! In the meantime try Bruce Schneier's summary, with pointers to some of his highlight papers.

Also gratified by more abstracts that have arrived for GikII while I was away: it's looking goooood, kids!

Sunday, June 25, 2006

New Privacy Laws for the USA?

Two interestingly almost simultaneous calls for a uniform set of privacy laws for the US, applicable to private as well as public sectors, have emerged in the last few days. reports : "Google, Microsoft, Intel, eBay, HP, Oracle and Sun are amongst the signatories to a statement calling for personal information to be protected across the US. Non-profit lobby group the Center for Democracy and Technology organised the companies into the Consumer Privacy Legislative Forum.

"The time has come for a serious process to consider comprehensive harmonized federal privacy legislation to create a simplified, uniform but flexible legal framework," said the CPL Forum's statement. "The legislation should provide protection for consumers from inappropriate collection and misuse of their personal information and also enable legitimate businesses to use information to promote economic and social value." "

Meanwhile Hillary Clinton has called for a Privacy Bill of Rights. Hilary,a likely Democratic candidate for 2008, stated that she wanted to to create a "privacy czar" within the White House to guard against recent problems like the theft of personal data from the
Department of Veterans Affairs'. She also wants legislation to let consumers know what information companies are keeping about them and how it is used, and create a tiered system of penalties for companies who are not careful with consumer data. "Clinton also waded into the debate over anti-terror eavesdropping. ..Clinton said any president should have the latest technology to track terrorists, but within laws that provide for oversight by judges."

And a San Francisco Chronicle report notes inter alia that technological invasion of privacy is not only accelerating but is also becoming more and more consumer friendly and "cool".

"Americans' rights to privacy will be tested even more in the next few years as biometric technology creeps increasingly into everyday arenas. For example, on the campus of UC San Diego, biometric experts are testing a soda machine that uses both fingerprint and face-recognition technology. The machine is in a lounge for grad students in UC San Diego's computer science building.
"The students are very excited about getting it working," Serge Belongie, a UC San Diego associate professor of computer science, says in a phone interview. "People think it's very cool. ... No one uses money. They have accounts. What would be fun is if (the machine) recognizes you and says, 'Would you like your usual?' "

As I have often suspected, the report indicates that although biometrics can be far more privacy threatening than ordinary methods of ID consumers favour them due to convenience factors:

"If UC San Diego students are reluctant to use the machine, their privacy concerns are outweighed by convenience -- a sentiment echoed in survey after survey on biometric technology. In March, Unisys Corp. released a report on public perception of "identity management" that said convenience and efficiency were the two biggest reasons consumers would use biometric technology. (The most preferred biometric methods are fingerprints and voice recognition, according to the survey. The least preferred, because of its perceived intrusiveness, is an iris or eye scan.) "

But not everyone is enthralled by the "brave new world in aisle 5":

"Pay By Touch admits it has encountered some resistance among shoppers it approached in supermarkets that already use the company's fingerprint service. But Morris, its president, says many of these customers are quickly won over by the convenience of Pay By Touch, which is free for consumers, and that the company keeps data points based on users' fingerprints, not actual fingerprints. So far, supermarkets in 40 states use the Pay By Touch system. .. The company insists it will never sell users' personal information or fingerprints to anyone else -- a pledge that's backed up in writing when users sign up with the company. But what if federal authorities, citing national security, insist on the finger scan and payment history of a Pay By Touch user? "

The times they are a changing. Last year, at a workshop I organised in Edinburgh, Peter Swire, effectively Bill (not HIlary's) privacy czar during that administration, was pessimistic that post 9/11 there was much scope for the private sector and governmental privacy legislation that the Clinton era might have favoured. Is the pendulum swinging again, in the light of recent personal data scandals, to the point where privacy is a vote-getter in the USA? Watch this space.

Saturday, June 24, 2006

Alan Moore vs the Copyright fairies

While we're considering pop culture and IT law (great stuff for a GikII paper here!) the IPKat reports that Alan Moore, father of the graphic novel is potentially running into trouble with his latest project,a graphic novel called Lost Girls which is "a meeting between Wendy (of Peter Pan), Alice (of Alice in Wonderland) and Dorothy of The Wizard of Oz) once they have grown up". It is also allegedly "erotic fiction at its finest". Hmm. As every IP lawyer knows of course, there is a specific exception in UK copyright law (s.300 of the CDPA )which grants perpetual copyright in J M Barrie's Peter Pan, which goes to the Great Ormond Street Hospital by virtue of a legacy to the hospital in Barrie's will. And the hospital are apparently deeply unhappy with being connected with this project and its possible paedophilic implications, and may seek to have publication banned in the UK and Europe.

The IPKat suggests that "the hospital [has after 2007] a right to royalties, not the full rights of a copyright owner. This would mean that the hospital could make money from the novel, but not that it could stop its distribution." Others suggest the whole idea of perpetual copyright, even as a pleasing anomaly given the storyline of Peter Pan , should be abolished. Alan Moore himself is no stranger to copyright fights: the tangled tale of Marvelman, Miracleman, Moore, DC, and Gaiman et al is too confusing to even begin to tell here. Moore, after various disputes, has also refused to allow film adapations of any of his works to which he still owns full copyright and has removed his name from adaptations he cannot control, even where they have been critically well received as with the recent V for Vendetta. He is a formidable adversary in respect of his work, and it will be interesting to see where this dispute goes next.

Dr Who and the Semantic Web

Tim Berners-Lee has been round the houses latel;y, proselytising not only for net neutrality (see earlier posts) but also for his baby, the Semantic Web. The Guardian has an informative and occasionally entertaining piece on his efforts.

"..the BBC, one of the organisations that led Britain on to the web, is keen to share some of its data. Tom Loosemore, head of strategic innovation, says the corporation will shortly place online the catalogue of its entire surviving programme library - not the 950,000 television and radio programmes themselves, but the names, transmission details, often production credits and in some cases who is interviewed..

"What is interesting is what the audience does with that data," [he says] although Loosemore imagines that Doctor Who fans will be early adopters. It will be available through an API (applications programming interface) at BBC Backstage (, which allows data to be re-used for non-commercial purposes - a model that the Ordnance Survey hopes to follow."

Friday, June 16, 2006

Internet libel : why, how and where

It's always good to see empirical research backing things you intuitively anyway :-) I've long asserted in my textbook Law and the Internet that email is particularly defamation-prone because of the odd nature of the medium, which combines the spontaneity of speech with the archiving capacity of text. Now we have actual scientific confirmation of the first point.

"In effect, e-mail cannot adequately convey emotion. A recent study by Profs. Justin Kruger of New York University and Nicholas Epley of the University of Chicago focused on how well sarcasm is detected in electronic messages. Their conclusion: Not only do e-mail senders overestimate their ability to communicate feelings, but e-mail recipients also overestimate their ability to correctly decode those feelings."

Two scientists in the area, Michael Morris and Jeff Lowenstein add "One reason for this, the business-school professors say, is that people are egocentric. They assume others experience stimuli the same way they do. Also, e-mail lacks body language, tone of voice, and other cues - making it difficult to interpret emotion.

"A typical e-mail has this feature of seeming like face-to-face communication," Professor Epley says. "It's informal and it's rapid, so you assume you're getting the same paralinguistic cues you get from spoken communication." "

Which raises an interesting point for various legal systems: if sarcasm or fair comment or "joke" (in rixa in Scots law) is a legal defense, is it to be measured by what the sender meant, the recipient understood, or what the "reasonable man" would have taken out of the communication? Probably the latter in most systems, given libel damages are measured by the damage to the reputation - but what if, as the study evidence seems to show , there is no objective "true" interpretation of email speech, only different subjective interpretations? Oh how postm0dern!

On the more legal front, another new English Internet libel case is Al Amoudi v Brisard and JCB Consulting International SARL [2006] EWHC 1062 (QB). (Via )

Ethiopian-born businessman Mohammed Hussein Al Amoudi, who normally lives in Saudi Arabia but spends around two-and-a-half months a year in England, sued Swiss resident Jean Charles Brisard and his Swiss company, JCB Consulting International SARL in the English courts. Brisard claims to be a world expert on terrorist financing. In two reports on JCB's site he made references to Al Amoudi. These suggested that Al Amoudi might be "a knowing participant in the economic, financial and/or terrorist networks of the terrorist Osama Bin Laden". Al Amoudi sued for defamation, seking summary judgment ie judgment without trial of the evidence. The key point on which this was rejected by the court was that Al Amoudi had not proved "substantial publication" in England and this could not be proved. (It was not argued at this stage whether the coments themselves were defamatory.)

Legally, in England, damage in libel cases is presumed, and therefore need not be proven, but, as a norm, circulation figures are provided to back claims of "substantial damage" in cases involving non-English defenders. In this case however, there was a dispute over how long the offending website had been available for, and it was thus submitted only that "publication over the Internet takes place if and only if the material is accessed and downloaded by a third party within the jurisdiction". Crucially, Mr Justice Gray held that "I am unable to accept that under English law a claimant in a libel action on an Internet publication is entitled to rely on a presumption of law that there has been substantial publication".[italics added]. Acordingly the case was denied summary judgment and the claimant must prove publication in the ordinary way if he wishes to proceed.

This is an interesting application of last year's major Internet libel case, Dow Jones v Jameel , [2005] EWCA Civ 75. In that case, only five people in England were shown to have "clicked through" a link on the defender's (DJ's)online Wall Street Journal website, which lead to an allegedly defamatory item. These 5 persons "clicking through", furthermore, included the solicitor of Mr Jameel (the person allegedly defamed)and two of his business associates. Thus, it was argued by the defendant, the court should dismiss the case, as damage to reputation in England that was more than nominal had not been proven.

Several very famous non-Internet libel cases were, however, cited by Jameel as precedents that " under English law there is a presumption of damage in libel cases, [thus] the plaintiffs did not have to adduce evidence of damage arising from the publication of the article in question": see eg Duke of Brunswick v Harmer (1849) 14 QB 185, Shevill v Presse Alliance [1996] AC 959 and Berezowsky v Michaels [2001] 1 WLR 1004. In other words, damage to reputation would be presumed. The Court of Appeal in Jameel upheld these precedents, and furthermore held on review of them that this presumption was still, in practice, irrebuttable. In conventional publication, it is extremely difficult to establish how many people have read a publication, so the presumption of damage makes sense or proof may become a bar to redress in very many cases. However with Internet hit counters, proof of publication in the jurisdiction (& numbers of readers) can become trivially easy. The court nonetheless thought there were good reasons why damage should still always be presumed, and furthermore that such a presumption did not "chill" freedom of expression under the Human Rights Act 1998 and/or Art 8 of the European Convention on Human Rights.

However this was not the end of the story. Jameel's case was still rejected as an "abuse of process". Since this was a non-EU, non-Brussels Convention case, an application to serve outside the jurisdiction of England was necessary, which raised the question of whether 'a real and substantial tort ha[d] been committed within the jurisdiction': Kroch v Rossell [1937] 1 All ER 725, Chadha v Dow Jones & Co Inc [1999] EMLR 724, and Civil Procedure Rules 6.20(8). Since the damage to Mr Jameel's reputation in England was apparently minimal, in the Court of Appeal's view, only "very modest damages" would have been available after what would have been a lengthy and expensive trial. So the case was thrown out as an abuse of process.

LJ Phillips MR noted that : "There have been two recent developments which have rendered the court more ready to entertain a submission that pursuit of a libel action is an abuse of process. The first is the introduction of the new Civil Procedure Rules. Pursuit of the overriding objective requires an approach by the court to litigation that is both more flexible and more pro-active. The second is the coming into effect of the Human Rights Act. ... Keeping a proper balance between the Article 10 right of freedom of expression and the protection of individual reputation must, so it seems to us, require the court to bring to a stop as an abuse of process defamation proceedings that are not serving the legitimate purpose of protecting the claimant's reputation, which includes compensating the claimant only if that reputation has been unlawfully damaged."

This case (which I must shamefacedly admit to having missed when it first came out) is a remarkable step forward, by a cleverly lateral route, from the much-criticised jurisdictional rules on forum non conveniens applied to date by the English courts in Internet-related cases like Berezovsky and Loutchansky v Times Newspapers & Ors Nos 2 to 5 [2002] QB 783. Jameel does not over-rule these cases (inded it could not, not being of House of Lords level). Nor does it impose a US style single publication rule, as Geoffrey Robertson QC has suggested in a number of cases, nor does it change the rules established in The Spiliada [1987] AC 470, as to when England is an appropriate forum (basically, nearly always:-)

But it does provide an alternative route by which to argue, sensibly, that the English courts should not be involved in cases where the circulation of the libelous item in England has been tiny, and the damages in England are therefore also likely to be minimal. This is a giant step forward for opposing the "chilling effect" of the threat of action in England in relation to texts on international websites which essentially have little or no connection to English readers. The Master of the Rolls is to be congratulated.

This author would however suggest that it's still not enough: Internet cases require a total revamp of the rules of forum non conveniens. Imagine if Berezovsky had been argued on post-Jameel rules, for example. That case concerned a tiny circulation of the libellous item in question in England, compared to an enormous circulation in the US - but still a circulation significant enough for more than nominal damages. I suspect the court would still have been forced to take it, even given the addition of the "abuse of process" concept - in other words we have still not budged from the idea that if England is an appropriate forum but obviously not THE most appropriate forum, it will still accept all comers. On the Internet this is clearly turning England into a "libel case magnet" as was asserted during Berezovsky. Given the weight of post-Spiliada authority any change will however require legislation: which will be , one suspects, a long time coming.

Wednesday, June 14, 2006

Who needs keyloggers? USB hacking for Dummies.

Steve Stasiukonis, VP and founder of Secure Network Technologies Inc, tells us how easy it is using social engineering to collect passwords and data from a large and apparently secure corporation , by means of leaving USB drives around and waitinmg for people to wonder "I wonder what's on it?", and click..

"We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us...

..The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.

..After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management."

Glorious stuff. How should the law begin to help deal with this kind of thing? An obigation of security of systems, just as we currently have to provide a safe system of working under health and safety, seems the way to go, at least for any industry which handles the personal data of third parties. (of course, we theoretically have that already under DP law at least in Europe - but as usual, where's the enforcement mechanism?)

Monday, June 12, 2006

EBay Goes Ad-wards

"EBay is to launch keyword advertising - where internet users will be directed to specific auctions linked to words on the web page they are visiting.
Under the plan, site owners hosting the adverts for the online auctioneer will get a slice of the product sale price.

Called AdContext, EBay's new system may prove popular with blog site publishers who would be able to use it as an extra generator of revenue, analysts said.

The technique of contextual advertising is already used by Google and Yahoo. "

.. says the Beeb astutely adding that "EBay is one of the biggest advertisers on both Google and Yahoo and the plan could reduce its reliance on these sites, analysts said. "

Interesting , not just for its implications for eBay's business model and profits, (and indeed for the increasingly professionalised blog business model too), but also for what it might say about eBay's current EU and US immunity from liability for content originated by third parties. When eBay are actually facilitating the driving of traffic towards particuar auctions, by providing this particular advert model, with the specific intention of getting a cut of the final price (and driving that price up by greater traffic, one presumes) how neutral a third party intermediary really can they still be? (Also the contractual relationships must be fascinating.) I will shortly be writing up thoughts in this direction for the SCL's Journal of Computers and Law.

More Wiki than Geeky

Yochai's Benckler new Wealth of Networks, which is causing a veritable hail of interest, has, suprise, suprise a wiki.

And there are some very interesting links to commentary on the issue of wikis and the peer production method at Ray Corrigan's excellent blog.

This is a placeholder for my summer reading, natch; but it's also a chance for me to repeat my favourite IT law joke wot I thought up, as adapted freely from Sellar and Yeatman's fabulous 1066 And All That.

Students with a classical background , having finally managed to decipher their lecture notes,sometimes look up at their IT law profesors and say "Veni, vidi, vici!"* At which their law professors run away, thinking they have been (correctly) called Weeny, Weedy and Weaky, and this knew they had All been divided into Three Parts (like Gaul).
Only nowadays the ignorant non Latin loving profs think the students are just criticising their class Wiki!

Which is also a good place to plug my blue-skies cutting-edge and any other adjective you care to call it workshop on IT law and associated topics, GikII, to be held in Edinburgh on 5th September . Abstract deadline extended to June 30th, subsidy available for travel and accomodation and we already have papers on everything from digital property and virtual worlds governance to entropy in IT law and technophobia in Lord of the Rings!

* For Classicophobes, I came, I saw, I conquered! in Latin, as Julius Caesar is reported to have cried on conquering Britain (er, or somewhere else - see comment below..).