Thursday, June 28, 2007

SCL: Web 2.0 Conference

Aha! My mate Simon Deane-Johns, the CEO of Zopa the innovative P2P lending company, has come good on his stated intention to start a blog in the wake of the enthusiasm generated by the SCL conference (and not all of it about FaceBook and virtual detachable genitalia, either.)

His write up is here.

Nick Holmes of Binary Law has one here. I particularly like his reminder of the phrase of the conference: Tom Ilube's daughter describing her father's efforts to keep up on the social network scene as "so January".

Pangloss took lots of notes - and will try to transcribe some of them before it becomes Too Late.

Wednesday, June 27, 2007

Extreme porn bill

Busy day today; after this, no more spodding:)

The Extreme Pornography law has been published, tucked away in the Criminal Justice and Immigration Bill.

The key section is the definition of an "extreme" image, possession of which will be a crime, and which is as follows:
s 64(6) "An “extreme image” is an image of any of the following—

(a) an act which threatens or appears to threaten a person’s life,

(b) an act which results in or appears to result (or be likely to result) in serious injury to a person’s anus, breasts or genitals,

(c) an act which involves or appears to involve sexual interference with a human corpse,

(d) a person performing or appearing to perform an act of intercourse or oral sex with an animal,

where (in each case) any such act, person or animal depicted in the image is or appears to be real."

In an age where "torture porn" is not just the height of chic but appearing in a multiplex near you as I write (Hostel 2, anyone?) frankly I do not think this is unreasonable. (Classified films are in any case excluded from s 64 so no one is attempting to make possession of a Casino Royale DVD illegal because it involves images of murder and torture.) The usual suspects are however predictably upset.


For some reason (OK, to avoid writing about data protection, let's admit it) Pangloss has FINALLY after about a year, re-organised her blogroll, including many of the blogs of the great speakers I've met here and there over the last year, in particular at GikII last year.

If you think I've unjustly ignored your pride and joy, please comment and let me know! I'm not attempting to blogroll every blog in the universe, more the ones which reflect the British scene and especially those focusing on my own current obsessions: privacy, security, virtual worlds, Google and "law 2.0".

FaceBook Brought to Book?

My colleague Ian Brown of Blogzilla reports on an interesting post on why Facebook may be violating European privacy law.

The article reveals that creating an "exploit" in FaceBook - i.e. hacking the privacy of unsuspecting users - is trivially easy. All you have to do is use Advanced Search and you can search across controversial (and in European DP language, "sensitive") pieces of data such as Religion and Sexuality in apparently unlimited numbers of profiles. This is true even if the user has taken steps to protect the privacy of their data (see below). As Ian comments, this is a security failure on FB's part, which should have been trivially easy to fix in their code.

Having just returned from the SCL Conference where it was revealed that over 3 million people in the UK are on Facebook (including apparently nearly every corporate lawyer in the UK.. and definitely at Allen and Overy :-) ) and it is growing in the UK at 6% per WEEK, this is serious, er, excrement.

Pangloss's own experimentation proves that in fact hacking FaceBook is even easier than this. Suppose you want to stalk person X who you know lives in London. All you have to do is set up an FB profile, join the London network - which requires NO validation, certainly not a University of London email address or the like - and suddenly you can see all their personal details - some of which (on brief inspection) are highly revealing, of social and sexual data that many people would not want public. Of course they may not have joined the London network - but very often it will be very easy to guess what network the stalkee is in.

Of course, will say FaceBook, you, the stalkee, can stop this. You can in fact change all your privacy defaults on FB so no one can see ANYTHING on your profile site unless they are people you have accepted as "Friends". (Pangloss has just gone and done this, with a vengeance.) Fair enough, except that the default privacy settings on FB are almost entirely in favour of disclosure and there is very little direction or instruction on the site to "change these defaults for heaven's sake, 300,000 people can see who you want to sleep with".

As the blogger above, Quiet Paranoia (great name) comments, "Users cannot be expected to know that the contents of their private profiles can be mined via [advanced] searches, and thus, very few do set the search permissions associated with their profile."

I agree. If an er um respected professor of privacy law can take some while to realise how exposed her data is on FaceBook, then it is unreasonable to expect children of 16 or 17 (FB is associated with high school students but the T & C say 13 up) to make these kinds of difficult judgment calls, when what they are really concerned about is popularity and finding out about the good parties.

FB will say that they have provided opt-in to privacy, and anyone who does not avail themselves of the tools available is impliedly giving consent to processing of their data. They will also point to their privacy policy, which does not give the impression of overwhelming concern about the remarkably weak default privacy protection and indeed, security, offered by FaceBook.

"You post User Content (as defined in the Facebook Terms of Use) on the Site at your own risk. Although we allow you to set privacy options that limit access to your pages, please be aware that no security measures are perfect or impenetrable. We cannot control the actions of other Users with whom you may choose to share your pages and information. Therefore, we cannot and do not guarantee that User Content you post on the Site will not be viewed by unauthorized persons. We are not responsible for circumvention of any privacy settings or security measures contained on the Site. You understand and acknowledge that, even after removal, copies of User Content may remain viewable in cached and archived pages or if other Users have copied or stored your User Content."

Even Pangloss, who is no privacy fundamentalist, does not think this is good enough, particularly in relation to "sensitive personal data" where "explicit consent" to processing by third parties is required. (Is searching via key words "processing"? Almost certainly - see Art 2 of the Data Protection Directive which includes "retrieval" whether or not by automatic means.)

But FB will again say: Everyone who signs up to FB assents to the T & C. Does that mean they have given the requisite explicit consent to processing of sensitive data even by "unauthorised third parties"? Even if in pure contract law the T & C can be read this way, at this point DP law and the Unfair Contract Terms Directive should surely both converge to make such a clause either void or unenforceable?

In comparison, another social networking site where Pangloss hangs out, Live Journal, has not only very sophisticated privacy controls, but also a culture of discussion and awareness that privacy and openness can be manipulated by the software. Of course privacy breaches do still occur (via "cut and paste fairies" for example) but they are pretty rare.

Do we need a legal solution? Is there a case for extension of DP law to cover the setting of defaults on social network sites? Should privacy not be the default, by law (perhaps with some exceptions to preserve functionality, such as name and network) and openness the opt-out, rather than the reverse? Maybe. Maybe all that is needed is an Industry Code of Practice combined with some upping of awareness of the issue. However with the number of people - especially young pre-employment proto-citizens - involved in web 2.0 sites rising by the minute, this really does seem an issue which is not merely knee jerk alarmism and should not be swept under the carpet. First year students may not care now about spilling their sexuality and contacts to the world: they may when they are older, wiser and looking for employment :)

Another suggestion might be the automatic expiry of social networking data after say six months unless the user chooses to opt in to keeping their data out there. Viktor Mayer-Schoenberger has made this kind of suggestion recently. In social networking sites where the whole business model is based around large databases of personal data, data is routinely retained apparently forever. Data retention is another area where the DPO authorities might want to have a bit of a look at whether the law needs tweaked.

E-Commerce Meets Terrorism

Via Naked Law, belated but important:

"A new anti-terror law has come into effect as of 21 June 2007: the Electronic Commerce Directive (Terrorism Act 2006) Regulations 2007. Under these new provisions (which operate in conjunction with the Terrorism Act 2006), encouraging acts of terrorism and the dissemination of terrorist publications is an offence, including where such actions occur online. If a third party posts material which is an offence under these provisions, the police may notify a blog operator and require them to take the offending material down promptly (within two days). Failure to do so without cause could result in the Directors going to prison."

The most interesting part of this to me is the 2 day takedown. My own as yet unofficial research indicated that takedown periods for ISPs and hosts varied between about 24 hours up to a week, depending on the legal risk associated with the material (child porn might be removed more quickly than alleged libels, for example.) One wonders if "2 days" for terrorist material may create a nascent standard of 2 days as the outside edge for "expeditious" removal under the general E-Comm Regs?? Could this have informed the rather mysterious decision of the defendants, already blogged here, that Mumsnet might not have taken down expeditiously when they removed in about 24 hours??

Good News for Every Blogger!!

Apparently, law students are picking what law school to go to via blogs..

So when do we academic bloggers get paid extra for it huh? :-P

Monday, June 25, 2007


.. should probably be the new name for this blog. But it is an endlessly fascinating time for intermediary lawyers...

Anyway just a note that people seem to think that Google has won the first round, not against Viacom itself but in Tur v YouTube, an earlier launched case. Robert Tur is the photojournalist who sued YouTube in July when his videos of the L.A. riots and O.J. Simpson's slow-speed chase appeared on the video-sharing Web site.

Now the judge in the lawsuit has denied both sides' motions for summary judgment, ruling that more evidence is necessary to determine whether Google's video-sharing giant is shielded from liability by the Digital Millennium Copyright Act, s 512(c).

As this is the point I've been debating through three papers in two different countries over the last month or so, I'm rather keen to see this one fully explored myself; can't wait in fact.

Tur's claim can be found here.

As I myself have previously discussed, his claim rests on the argument that YouTube does not qualify for DMCA safe-harbor protection because it derives a direct financial benefit by displaying advertising opposite his videos. Under s 512, the claim to immunity is lost if "direct financial benefit" is made. But there is a strong argument from the policy papers that preceded the DMCA, that "direct" benefit was not intended to apply to the kind of indirect profit YT may make by selling ads on its site next to videos which are both downloaded and uploaded for free. Furthermore, there are rumours that YT in fact makes no money at all at present, and therefore "financial benefit" may in reality be hard to prove.

Judge Cooper issued an order for further discovery, saying that she needed more factual evidence to establish if there was a case to answer. "There is insufficient evidence regarding YouTube's knowledge and ability to exercise control over the infringing activity on its site .. There is clearly a significant amount of maintenance and management that YouTube exerts over its Web site, but the nature and extent of that management is unclear."

Cooper also wants more information about YouTube's internal screening procedures.

"YouTube also asserts that while it is able to remove clips once they have been uploaded and flagged as infringing, its system does not have the technical capabilities needed to detect and prescreen allegedly infringing videotapes," Cooper wrote. "However, there is insufficient evidence before the Court concerning the process undertaken by YouTube from the time a user submits a video clip to the point of display on the YouTube Web site."

These quotes highlight that YT's liability (or non-immunity) is dependent not just on whether it makes "financial benefit" but also on whether it has the "right and ability" to control the infringing files. This may depend on a number of factors, including YT's terms and conditions, its policies, and crucially what filtering, both pre- and post-upload, it employs. As previously documented here, YT has been developing the ability to pre-filter infringing files using code called ClaimYourContent. Until that is ready, goes their story, they do not have the "ability" required by the legal test in 512(c). Indeed, even when CYC is ready, it may still require collaboration from rightsholders before individual infringing clips or videos can be "tagged" and recognised.

Again, watch this space!

Tuesday, June 19, 2007

Why Not Sue You Tube in the UK?

.. thought Pangloss when it was announced on May 4 that the English Premier League were suing You Tube in respect of alleged copyright infringement of Premier League clips - whose business value as sold rights is worth some $2.7 m.

The answer now becomes apparent - by suing in NY, the Football League can bring in other heavy hitters in a class action; indeed a website has been organised for this very purpose. Joining the EPL, it seems, are a number of international music publishers as well as France's top football league and tennis association.

What still remains to be discovered is, as with the original Viacom/You Tube suit, what the litigants are really after. Proactive filtering, via the long awaited Claim Your Content technology? Plain old damages? A favourable licensing agreement? Or all three?

Watch this space. Meanwhile, have yet another announcement (as of June 6 07) that You Tube are nearly there with Claim Your Content.

Lessig Moves on

This seems worth recording, although I doubt I have anything to add that 100s if not 1000s of other commentators will not say.

Lessig has decided to withdraw as active leader of the Creative Commons movement over the next year or so to address what he regards as the underlying problem: "Corruption", or the way in which public policy is driven (in the USA, though he does not say that) by the money of sectoral lobbying interests.

Well, one wishes him luck. It's become clear over the last few years that Lessig is no longer a law professor, no longer even a lawyer really; he is a political animal, a campaigner, a rock star of the movement, and so this move makes perfect sense.

For myself, I'm not very excited. The Lessig who is still my hero is the Lessig who invented "code as code", still the most useful insight ever to have arrived in Internet law and one which has pervaded and informed my own work ever since. (And yes I know Reidenberg was there first, and probably others - but sometimes it takes a genius to crystallise things just right, standing on the shoulders of giants, etc etc.) I'm a little bored with CC and IP, to be absolutely honest, and it sounds like Lessig is too.

Vale atque ave; farewell and hail.

Monday, June 18, 2007

HumanLaw Blog Book

Pangloss is interested to discover a book in train via Wiki about aspects of blogging from (for once) a UK perspective. The excellent Naked Law people are doing the legal stuff: but I'm sure some of my readers might want to join in..

In other news, an unlikely segment of the User Generated Content world have just mounted yet another rebellion (cf AACS and Digg; LiveJournal and Strikethrough) - lawyers. After FaceBook was banned at Allen and Overy, the IT department was bombarded with complaints until they were forced to climb down.

Pangloss is not very surprised, following recent anecdotal discoveries that every respectable IT and law professional she knows appears to have joined FaceBook in the last month and a half. It is now officially CyberStalking 2.0 central (TM: Ian Brown). FB now seems to be becoming the first really major Web 2.0 site to transition from kiddy site full of tagged pictures of drunken debauchery, to grown up networking site essential for your everyday lawyer, banker or journalist. (One might argue that Second Life also vies for this title - but despite the discovery that it is full of private islands hosting the creme de la creme of global capitalism, Pangloss still thinks its current interface is too crummy for world domination.)

More on this from myself and others at the SCL conference this Friday!

Thursday, June 14, 2007

Google Pot Shots

As has been true for some time, it seems to be open season on Google. With great innovation, comes great.. um.. legal liability? Here's a very quick round up..

OUT-LAW restrainedly report "Google's Street View could be unlawful in Europe".

"Well, you can't say fairer than that" said an unnamed source at Google..

The question here seems to be whether you view Google Street View as more like looking at the world with your own eyes, say from the top of a double decker bus (unconditionally legal) or as more like CCTV (regulated, at least in the EU, by DP law, and also by some case law of the ECHR, such as Peck). As OUT-LAW note, if the latter paradigm is applied, then Google need to give adequate notice that surveillance is in operation to anyone who might be caught on Street View and identifiable as a living person. Will we see 40 feet high billboards over London announcing "You are now on Google Maps. Be very afraid."? It reminds Pangloss of the old suggestion that London streets should be painted with the squares of the London A-Z for easy navigation.. One way out of this, not identified by the otherwise excellent Struan Robertson, is the Durant v FSA get-out - it might be argued that no particular person is the focus of the attention of Google Street View and therefore no particular person has DP rights. Of course, Durant may not last forever :-)

More seriously, Google's privacy practice is apparently worse than Microsoft's. Yes, really Jemima - at least according to the much respected Privacy International, who surveyed a variety of Internet businesses. Results:

Privacy-friendly and privacy-enhancing. Nobody...

Generally privacy-aware: BBC, Ebay, LiveJournal, Wikipedia

Notable lapses of privacy: Amazon, Bebo, Friendster, Linkedin, Myspace, Skype

Serious Lapses: Microsoft, OrKut, Xanga, YouTube

Substantial Threat to privacy: AOL, Apple, Facebook, Hi5, Windows LiveSpaces, Yahoo

Hostile to privacy, comprehensive consumer surveillance: Google

Not everyone is convinced - see rebuttal at .

(With thanks to Pete Fenelon for tip off.)

Wednesday, June 13, 2007

WEIS 2007

The best conference Pangloss went to last year was not a law conference, not even a policy conference, but the Workshop on the Economics of Information Security, which presents actual empirical work by economists and information security specialists on what factors in the real world affect privacy and security. What a joy to actually encounter "evidence based" policy in the wild!!

So this year's papers are now up at . Sadly I couldn't make it this time but my attention has already been drawn to "The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study" (Janice Tsai, Serge Egelman, Lorrie Cranor, Alessandro Acquisti, Carnegie Mellon University), in which researchers found that if information about privacy advantages and disadvantages of a range of products was displayed to consumers, the privacy pros and cons did affect their decision on which to buy; but only up to the point of paying a maximum of about 60 cents - or 30 p - on items worth up to about £7, for better privacy.

Many more papers also available, on how far law enforcement does deter hacking; on the sale of zero day exploits; on strategies to manage phishing attacks - and much more as they say. I fervently hope this annual event comes back to the UK soon.

EDIT: Aha, a simpler BBC version at .

Tuesday, June 12, 2007

Rate My Blog, no, Hang On..

Interesting new German case reported by Tobias Escher of the Oxford II. Sadly Pangloss has no German at all (stoopid Brit) so has to rely on Tobias's word for the quoted comment.

Scurrilous remarks on the German version of the web 2.0 site, Rate My Professor (or (an innovation which luckily does not seem to have penetrated Southampton Law School yet:-) led to demands from one particularly annoyed professor that certain posts be removed. Although the website took down hastily, the professor in question then went to court demanding the operators pay 3,000 Euros (about £2,000) for any similar comments about him that might appear on the site in the future. The court demurred.

"The court has decided that a general “cease and desist” for unacceptable comments is against the law. As a professor one has to face public criticism that cannot be prohibited ex ante. ..."

and Tobias comments

"Several things have to be noted: In general this is a positive outcome for web sites that leverage the wisdom of the crowds as it offers some protection for the often not-for-profit operators of these sites. However, this does not justify defamatory comments on those sites and the court has emphasized the operators’ duty to remove those entries as soon as they are recognized. Last but not least, the subject under public scrutiny does matter as professors might well be made to face personal criticism in their role as public figures while teachers and nurses might have to be treated differently."

Interesting but not radical: it is apparent that the E-Commerce Directive Art 14 should protect websites like Rate My Etc Etc from liability for defamatory words posted by a third party. The ECD does not, however, as is well known, prevent the seeking and gaining of injunctions or interdicts to stop such posting; it merely immunises host sites or ISPs against damages. But the ECD does provide in Art 15 that web hosts cannot be commanded by law to monitor pro-actively on a blanket basis, which seems to be what was being demanded here. That rule was explicitly not implemented in the UK, interestingly, but only because it was understood to already exist at common law.

In the US, as Wendy Seltzer notes, the site could not even have been put on notice by the professor, due to the blanket immunity granted by the CDA. Rate My P could have kept the posting up without fear of suit. Whether in this case, as Wendy suggests, free speech should trump the desire of a scholar not to have his reputation casually trashed without any comeback but the self same Internet "right of reply" .. well, Pangloss will go back to her marking :-)

On the other other hand this decision is rather good news for eBay in its continuing desire to have no duty to check pre-emptively on the legality of the goods it sells on its various European sites, even where there is a known history and pattern of, say, the sale of Gucci counterfeit goods .. and Pangloss has said before that she is uncertain whether THAT is fair.

Monday, June 04, 2007

Student SCL IT Law Essay Prize

I know some students read this blawg so this seems worth reproducing in full:

"SCL Student IT Law Essay Prize 2008 Now Launched

Entries are now sought for the 2008 IT Law Essay Prize with a host of rewards for the winner, including £1,000 cash, and a further prize for the institution at which the winner is studying.
The 2008 SCL Student IT Law Essay Prize has been launched with a new twist. As usual, the winning student is richly rewarded with prizes, including £1,000 cash, a valuable placement with a top IT firm and free attendance at the SCL Conference, but for 2008 a further prize is available for the institution at which the winner is studying. The winning institution will be given £1,000 to purchase library books in support of IT law teaching and research.

The topic for the 2008 Essay prize is "Virtual Properties and Virtual Economies: How should activities with economic consequences in virtual worlds like 'Second Life' and 'Everquest' be dealt with by real-world legal systems?"

The purpose of the prize is to reward and acknowledge academic research and writing excellence in the field of UK or EU IT Law."

Jolly good, says Pangloss, and my students will certainly be badgered to enter:-)

Yet Another Survey on Surveillance

or who will watch those who watch the watchers?

Pangloss should not be so flippant or indeed, so late.

The HL Constitutional Committee issued a Call for Evidence in late April on "the impact that government surveillance and data collection have upon the privacy of citizens and their relationship with the State." Consultation closes June 8!! so you still have time, just, to get in words of wisdom.

The Enquiry is being assisted, I am glad to see, by my former colleague and learned privacy expert, Charles Raab at Edinburgh.

For Auld Lang Syne

In a fit of nostalgia, Pangloss feels like posting that the 3rd Scottish Information Commissioner Report has been published (even though Pangloss now does not live in Scotland and tries to avoid FOI like the plague.)

Still, it does seem kinda remarkable though that:

"1082 appeals [have been] received in the two years since the inception of the Freedom of Information (Scotland) Act (including 511 appeals in 2006) – twice as many applications as the Information Commissioner in England and Wales.

By the end of 2006 the Scottish Information Commissioner had completed 781 cases, with 326 decisions covering 350 separate applications. 328 applications were closed without investigation and 103 settled or withdrawn."

Twice as many as in England? Which has 10 times the population? What? Are Scots just naturally nosy? :-) What am I missing?


"65 per cent of appeals came from ordinary members of the public
• 236 decision notices issued by the Commissioner
• The Court of Session has upheld the Commissioner’s decisions in all four of the appeals it has considered so far"

- which is a pretty good showing too.

Want to be a Porn Star?

.. no? well who said you got a choice?

"A 17-year-old college student is taking legal action against a pornographic film company after it "stole" a photograph of her and used it on the front cover of one of its productions."

One wonders what her threatened cause of action is. Data processing without consent? Breach of confidence? Or breach of publicity rights in the US where the porn company is based (now THAT would be a fun choice of law case under Rome II if action raised in the UK..)?

Ah if only these cases didn't always settle! :-)

The porn film company optimistically opine that they were "entitled to use the picture because Lara had put it in the ''public domain'' ". Would be nice to see that one laid to rest in UK case law.

(Thanks to Steve Green for the tip.)