Monday, December 15, 2008

IWF v Wikipedia and the Rest of the World (except OUT-LAW)

Ever late to the party, still-bronchitic Pangloss would just like to make a few points about the Great Wikipedia Cleanfeed Debacle, if only for her own aide memoire, as she's still re-writing her porn chapter, and so she can say I told you so before it moves completely off the national radar.

In brief: IWF, allegedly little known (though much written about by Pangloss) non-elected, industry-based censorship quango, were told about a dubiously legal naked picture of a pre-pubescent child on an ancient record sleeve; IWF, after the usual behind-closed-doors consideration, added the image to the "Cleanfeed" (as it's wrongly known) blocklist of child sexual abuse images distributed to almost every UK ISP; image found on a page on Wikipedia, a high traffic site, m'lud, so more cumbersome than usual to block; (some) UK ISPs implemented the IWF block requirement by funnelling their entire subscriber traffic to Wikipedia through two proxy servers, making only 2 IP addresses visible; Wikipedia's systems interpreted this as a vandalism attack and closed down write access from UK servers; meanwhile most UK ISPs except, notably, Demon, configured their servers to return a 404 error (site not found) when UK surfers searched for this page, rather than the more honest 403 (site prohibited); Demon however truthfully announced that the site had been blocked by the IWF as they believed it to be child porn.

Internet predictably plunged into maelstrom of geek horror at censorship of t'net; image reposted on every virtual frat dorm door; IWF reconsiders ban; and for confused reasons not apparently wholly to do with the law ("in light of the length of time the image has existed and its wide availability"), rescinds ban. Everyone happy, sort of, except OUT-Law, who stick to original guns and back IWF original ban.

Pangloss has no yearning for freedom of access to child porn and no dislike for the IWF, who are individually and collectively a most worthy and unselfish set of individuals, but she has long felt worried about the existence of Cleanfeed ever since the government effectively forced every ISP of any size in the UK to install it as proactive upstream filtering, back in late 2007, by threatening that otherwise legislation would be introduced to impose this.

Why is the IWF blocklist worrying? Not because banning access to child porn is in itself wrong - indeed since possession is a crime, preventing possession of child sexual images is arguably doing those seeking it a favour, as well as protecting the public - but because the mechanism of censorship here employed is non-transparent, covert, undemocratic, non-judicial and non-accountable. I argued this in a SCRIPT-ed editorial at the original time of government-backed imposition of Cleanfeed, and have been glad to see this quoted in a few places lately.

I am also glad this particular incident has arisen, because it exemplifies rather beautifully some of the reasons why, although stopping child porn is a Very Good Thing, this is not, yet, quite the right way to do it. (I am not concerned here with the issue of incompatibility between Wikipedia's defences and the IWF tactics.)

Non-transparent: it is the essence of accountable censorship in a democracy that we know that something has been censored and why, even if we are, correctly and according to law, not allowed to see it. In this incident, only Demon provided that information (and apparently against their own best legal advice!). Why did no other ISP supply this information?

One problem suggested is that if an ISP says "You cannot see this because it is child porn" and it turns out not to be in law, then an action for libel might lie against the ISP. However this can be easily avoided by wording such as Demon indeed used ("we aren't showing you it because the IWF said it might be unlawful"). As an even more belt-and-braces excuse, even draconian English libel law clearly allows for public interest privilege, ie, that sometimes there is a duty to say what you believe to be true for the benefit of the public, even though there may be legal dubiety as to its truth. That would surely apply to a warning that a user could not access an image because it was believed to be child pornography.

As a first step, the IWF must (as ORG has also suggested) issue guidelines to UK ISPs that there must be 403 transparency in cases like this in the future, not 404 obfuscation.

Non-judicial: the IWF has often said, when criticised in the past, that it does not need to be a court, nor composed of lawyers and/or judges, to do its job, while its scope is restricted to simple images of child sexual abuse. With child porn, they say, "an elephant is an elephant". Yet the case in point clearly stood at the edge of legal certainty. And this case did not even concern the less well defined legal areas the IWF purports to review, such as hate speech (added to its remit relatively recently, and unilaterally).

Non-accountable: the IWF applied their own appeals procedure to the decision, after media pressure, and reversed it. Effectively they changed their mind. This is not how true courts and tribunals work, where an appeal must be heard by a separate body with an account of what factors led to a different legal decision. The IWF may have truly reconsidered their opinion as to the law (although their own press release rather speaks against this), but they may equally well have simply bent to public pressure, or practical enforcement problems. For those who truly want an objective system which responsibly cracks down on child porn, this is surely unacceptable. Justice is a system, not an arbitrary private discretion.

Combining the two factors above, we come to a simple conclusion: the IWF, to meet basic principles of due process and retain respect and public confidence, must consist of judges, or at least be chaired by a judge.

It is simply historical accident that this is not the case already. The IWF was set up in haste in the early days of the Internet, not as a government agency or tribunal, but as a protective self-regulatory watchdog body, whose aim was to protect the ISP industry from being prosecuted as distributors of child porn.

In the years since, the IWF has done a great deal to up its "pro bono" profile, eg added members from children's charities, released statistics and minutes, trained its members (though exactly how is not clear); but it remains fundamentally a self-appointed quango of non-judicial and non-elected membership. This is simply not the right way to deal with as important a decision as the one it makes, which simultaneously labels sites as criminal suppliers of child porn and users as criminal possessors, and restricts public freedom of expression.

Having the IWF chaired by a judge would also enable it to resist popular or media - or governmental - pressure to remove - or add - an item to the blocklist. Here we come to the most worrying part of this whole affair: the fact that IWF censorship is covert. Court-based, conventional justice is public; proceedings are public, reports are available. With the IWF, however, not only are the decisions taken behind closed doors, arguably understandable in the light of the sensitivity of the matter under concern, but so is the implementation.

The IWF blocklist is encrypted; arguably so that when it is sent to ISPs, the number of people who can actually read it is minimised. Again, many would agree with this as an aim - a comprehensive list of illegal child porn sites and images (effectively a user's guide to finding child porn) would certainly be worth a great deal to some people, and would not be in the public interest to release.

But the consequent opacity of the blacklist and the lack of any public vetting of it or access to it, means that in theory almost anything could be added to the list without almost anyone in the country knowing. (And this could be done by the ISP, as well as by the government pressurising the IWF.)

As I wrote in 2007, it is widely rumoured that the IWF has already come under some governmental pressure to add sites containing pro-terrorist images, notably videos of hostage executions. These images may be unpleasant but they are not AFAIK illegal to view. Have we done right to construct a system which provides for secret nationwide blocking of any kind of unwanted online content?

Again I would suggest the presence of a judge as chair of the IWF should restrain these fears, and restore national confidence. As OUT-LAW noted we DO certainly already have censorship in the UK and yes, it is sometimes a good thing; but I want the kind of censorship we already have: accountable, publicised, judicial censorship. Struan says "The government trusts it [the IWF] to do this job." Well, I don't. I trust judges, as any good law student should. Censors should be independent, not just of the state, but of other interest groups, such as the industry itself, and yes, the child protection sector. There is no good reason other than cost (which is not a good reason) why the Internet alone of media should be subject to non-judicial yet government-imposed censorship.

Finally, what this incident has also revealed is the strangeness of a system where illegal material is successfully and swiftly removed in the UK primarily by means of notice and takedown (the IWF boast, quite rightly, that in their few years of existence they have managed to almost wholly remove child porn from UK servers) but where we apparently make no effort to procure takedown abroad, before blocking, even from well known and responsible sites like Wikipedia. (And yes, Wikipedia refused to take down this time - but that does not mean they always would, or that all other sites would act in the same way.)

As Richard Clayton has pointed out in the past, international co-operation now means that foreign phishing sites can usually be taken down in hours, not days; why can we not achieve this for foreign servers hosting child porn? There may be legal difficulties outstanding here I am not aware of, but it seems obvious that more takedown means less need for blocking, means less opportunity for covert censorship - unless that is the aim..?

I hope these concerns will be taken forward, perhaps as one of the research projects sponsored by the Safer Internet Programme mentioned below?

Gowers Rides Again

Stunning polemic by Andrew Gowers, author of the eponymous report, in the FT today. Disses term extension of sound recording copyright, and the "moral case" for it, as the lobby-driven, celebrity-star-struck tosh it is, but also says much much more. Bravo.

"First, to music companies: you have moved beyond trying to close the internet down as a distribution channel, but you have still not done enough to exploit the swirl of creative and commercial opportunities unleashed by the world of social networks and web 2.0. Please focus on innovation, not on trying to eke more rent from the successes of yesteryear.

Second, to policymakers: many of you are debating how government can support business in these challenging times, and that is fine. But you would do well to pick the targets for assistance and the instruments you use with care. Get it wrong, and you will end up looking silly and out of touch like Mr Burnham."

Cyber(in)security roundup

Producing the McAfee VCR makes you more than normally aware that every vendor and their (robo)dog, plus apparently most NGOs, produces a report on some aspect of online spam, crime, fraud etc in that vital run-up period to Christmas when apparently our minds are focused on fun, festivity and, er, fraud:

My esteemed co-author Blogzilla helpfully summarises a few from the US and international organisations:

"Securing Cyberspace for the 44th Presidency — the Center for Strategic and International Studies argues that President Obama should create a comprehensive national security strategy for cyberspace, echoing many of [the McAfee] recommendations.

Financial Aspects of Network Security: Malware and Spam — the International Telecommunications Union develops a framework for assessing the financial impact of malware.

The OECD calls for a global partnership against malware, and a move from reactive responses to proactive threat reduction and mitigation."

But there's also been some more local offerings:

The Garlik UK Cybercrime Report 2008 - which, like our report, top-lines the credit crunch and its effect on cyberfraud. Despite the name the figures appear to relate to 2007. For the UK, it is claimed, we have seen:

  • Overall cybercrime has risen by 9% from 2006
  • Online financial fraud is up by 24%
  • Online card fraud is up 45%
  • 84,700 cases of online identity fraud
  • 40% of all identity frauds are facilitated online
  • "More than two million victims suffered abusive or threatening emails, false or offensive accusations posted on websites and blackmail perpetrated over the internet, up from 1,944,000 in 2006." Much of this apparently took place on social network sites. Pangloss is curious where they got this figure - must go print out the whole report.

ENISA, the EU's security agency, also produced in early December a rather overlooked report: ENISA - Photo Sharing, Wikis, Social Networks – Web 2.0 and Malware 2.0.
This has an interesting analysis of risks primarily to *systems* from the hard technical viewpoint, as opposed to the emphasis most of the other reports place on risks to *users* (though of course the two are connected). The risks of cross-site scripting exploits in multi-origin environments like SNSs are highlighted, along with typically weak control of authentication and access privileges. The policy recommendations to governments are interesting:

"• Policy incentives for secure development practices such as certification-lite, reporting exemptions and the funding of pilot actions. These incentives are needed to address the large number of, eg, cross-site scripting vulnerabilities caused largely by poor development practice.
• Address/investigate Web 2.0 provider concerns about conflicts between demands for content intervention and pressure to maintain 'mere conduit' or 'common carrier' (US) status. This is considered a very important problem by Web 2.0 providers because of the strong user-generated content component.
• Encourage public and intergovernmental discussion on policy towards behavioural marketing (eg, by the Article 29 Working Party)."

Perhaps unsurprisingly in light of all this, the EU has just announced (9/12/08) its plans to continue funding its Safer Internet Programme to the tune of 55 million Euros:

"The EU will have a new Safer Internet Programme as of 1 January 2009 (to 2013)... While 75% of children (aged between 6 and 17 years) are already online and 50% of 10-year-olds have a mobile phone, a new Eurobarometer survey published today shows that 60% of European parents are worried that their child might become a victim of online grooming (when an adult befriends a child with the intention of committing sexual abuse) and 54% that their children could be bullied online. The new Safer Internet Programme will fight grooming and bullying by making online software and mobile technologies more sophisticated and secure."

The money is to go to:

  • Ensure awareness of children, parents and teachers, and support contact points that are providing them with advice on how to stay safe online.
  • Provide the public with national contact points for reporting illegal and harmful content and conduct, in particular on child sexual abuse material and grooming.
  • Foster self-regulatory initiatives in this field and stimulate the involvement of children in creating a safer online environment.
  • Establish a knowledge base on the use of new technologies and related risks by bringing together researchers engaged in online child safety at European level.

So more media literacy, more research, more IWF-style hotlines, but no apparent endorsement of the ISP or mobile comms sectors being required to impose mandatory "upstream" filtering: either of the IWF-led UK Cleanfeed initiative or the disputed new Ozzy variety. Interesting...

Friday, December 12, 2008

McAfee Virtual Criminology Report 2008, and Predictions for 2009 in the IT Law World

Pangloss is back in town (well, Edinburgh) after her jaunts to Israel and London, which culminated in a brief and rather bronchitic appearance on the Today programme talking about cybercrime - the germ (contracted in Israel) was clearly genetically engineered by Mossad to take out the EC's top legal brains. Er, well, or something like that:)

The 2008 McAfee Virtual Criminology Report, which I was plugging on the aforesaid Today prog, is now available free online in a variety of languages, edited by myself and Dr Ian Brown of the OII, with this year an even wider selection of contributing international experts we interviewed - read and comment here should you wish!

Our top level findings this year included:

- the credit crunch will inspire greater investment in cybercrime by criminal gangs etc, especially in the financial phishing area where the confusion of mergers and bankruptcies in the financial sector has left the consumer confused and vulnerable
- difficult financial prioritising may also leave both the commercial and public sectors vulnerable to further security and personal data breaches, and compliance action must take this into account
- local individuals may be pulled into international phishing as "money mules"; new e-payments and virtual world payment systems are also likely to be utilised to launder the profits of cybercrime
- cyber terrorism continues to be an issue, with more attacks from alleged sources in China and Russia, especially against the likes of Georgia in 2008
- however some experts also suspect misdirection and obfuscation as to where the true sources of both cybercrime and cyberterrorist attacks are; it is easy to direct Internet traffic via "scapegoat" countries and some cybercrime overlords may be much more local than we think
- creating "cybercops" is a tough job for nation states, especially in the non-Western countries, and we may need to look at the creation of a NATO-style transnational "standing cyber-police".

Meanwhile Pangloss was also one of a number of practitioners and academics asked to contribute ideas to the SCL's round-up of predictions for what the IT law field may see happening in 2009. The results make interesting if relatively consistent reading (credit crunch will reduce IT and law spending, more outsourcing, more clampdowns on personal data breaches, more powers for ICO, more copyright maximalism by rightsholders, more attempted IP infringement by the bored/unemployed) which probably means something entirely different will happen instead..

Israel was a remarkable experience, which I hope to write more about at some point. It is quite something for a privacy scholar, even of the non-fundamentalist variety, to see in action a society which so clearly thinks, in the majority, that in its unique case security simply demands substantial inroads into what we would see here as basic personal autonomy and privacy standards. As my niece, studying in Tel Aviv, put it: "It makes me feel safe".

There is a norm of having bags searched on entry to most public places; cars and travellers can be stopped for no reason; security alerts closing public transport and roads down are commonplace. On the other hand Tel Aviv is extremely Western and secular (it reminded me of a cross between LA and Barcelona) and the privacy and technology lawyers at Tel Aviv University who hosted me are as involved as any at Berkeley and Harvard in promoting human rights standards, anti racism, and running pro bono clinics etc. As I visited they had just been involved in condemning e-voting in Tel Aviv local elections which did not meet democratic standards, and they are helping Israel to apply for privacy "adequacy" certification under the EC Data Protection Directive. It was a fascinating time and I hope to go back and discover more in the not too distant future. Thanks to Michael Birnhack and Assaf Jacob especially for inviting me!

Friday, November 28, 2008

3 Strikes and the Telecoms Package: What's Going On?

I've been unable to keep up with the latest machinations following the pre vote leak earlier this week and the actual vote on Thursday, due to utter deadline crises, but brave LawClanger and Monica Horten are still right in there, keeping us informed. ORG will also no doubt continue to cover the story. A "historical" version of the tale is also likely to appear from Simon and myself in SCRIPT-ed in December.

Chaos reigns still, but the upshot seems to be that the CoM have, as expected, excluded the European Parliament, Commission-backed amendments (especially 138) which might have protected due process and human rights (bad news); but on the other hand, the CoM itself seems to have succumbed to pressure to separate content from conduit regulation, and has removed or watered down some of the provisions which appeared to provide an EC foundation for Sarkozy's 3 Strikes law (good news). Indeed, La Quadrature du Net are claiming Sarkozy now faces an uphill struggle in bringing his law in even in France.

Pangloss is, frankly, confused and without the time to find out more. Off to Israel Sunday to speak on social networks and privacy at the University of Tel Aviv! (And also to visit my niece :-)

Will be back in London to promote the global launch on Dec 9th of the 2008 McAfee Virtual Criminology Report!! Watch this space for our phishy, financial and other findings this year (it's a co-production by myself and Ian Brown of the OII.) I wonder if we can top last year when the Chinese government called a press conference to rebut our accusations of Chinese cyber terrorism!

Thursday, November 27, 2008

MySpace suicide bully found guilty of.. hacking???

The Register reports that in this extremely bizarre case, Lori Drew has been found guilty of unauthorised access to the MySpace website, ie a crime rather than a civil infringement - because, in breach of its terms and conditions, she pretended to be someone she was not in order to bully a teenage girl and eventually incite her to commit suicide.

The facts are so crazy I'm just going to paste from El Reg here...

"The case was heard in Los Angeles because that is where the MySpace servers are.

Lori Drew created a fake MySpace profile in the name of Josh Evans. She used the persona to flirt with a thirteen year old girl called Megan Meier, who her daughter had previously fallen out with.

After weeks of flirting Drew then sent her message which said: "You’re a shitty person, and the world would be a better place without you in it." Hours later Meier hung herself in her bedroom.

Local police in Missouri would not charge Drew and the LA prosecutor has been accused of grandstanding. The charges were downgraded from felonies to misdemeanors - three counts of accessing a computer without authorization - but Drew could still face jail, the New York Times reports.

The case has split legal observers with some welcoming extension of the use of the Computer Fraud Act to social networking sites. But Matthew L Levine, a defense lawyer in New York, told the NYT: “As a result of the prosecutor’s highly aggressive, if not unlawful, legal theory, it is now a crime to ‘obtain information’ from a website in violation of its terms of service. This cannot be what Congress meant when it enacted the law, but now you have it.” MySpace T&Cs oblige users to be truthful in information they post."

This is a good example of how hard cases make really bad law. The problem here apparently was that Missouri had no relevant criminal stalking law - which would have been the obvious way to deal with this. So Missouri passed on the case, and an ambitious LA prosecutor saw a way to go for a conviction under their equivalent of the UK's Computer Misuse Act 1990, s 1 - an "unauthorised access" law, which was clearly originally designed for hacking.

What is "unauthorised" has been a bugbear throughout the history of these kinds of laws. Originally, "unauthorised" in most jurisdictions contemplated outsiders breaking into a computer or system. In the UK, some of the earliest CMA cases ruled that unauthorised access could occur even where an insider - say a disgruntled employee - used a password or simply physical access rights to get into a computer system to, say, defraud the employer or commit e-vandalism. A serious problem is whether you are authorised simply to access a system, or to access it for a particular purpose. A number of cases, eg, have dealt with policemen abusing their rights of access to the Police National Computer to wreak private justice on ex-girlfriends and the like.

More recently in the famous Lennon case, a court also had to decide if sending a few million emails as a DOS attack to a mail server was "unauthorised". The first instance court said no: mail servers offer a standing permission to receive mail, don't they? The appeal court more pragmatically said, yes, but they don't authorise receiving several million emails sent with a malicious intent. I warned at the time that, although useful as extending s 1 of the CMA to fight DOS and DDOS, this approach would have consequences. And here, sort of, they are.

What the UK has never really come to grips with - and the Drew case does - is whether "unauthorised" is also what you do when you break the contractual rules relating to access to a website (whether express ie in the EULA, or AUP, or T & C - or implied - as in Lennon).

Let's have an example. Blogger's content policy says that images of nudity should be posted only behind a Friends-lock. What if I post a (harmless, non child porn, non violent, non criminal) nude picture here for the world to see? (Like say this one?) By all means Blogger should have the right to throw me off its site - that's their contractual privilege. But should I be open to a criminal prosecution under s 1 of the CMA for "unauthorised access"? I don't think so.

Blogger's content policy (which is I think the same as Google's now) is pretty sensible in fact. I had to look quite hard to find an example of what I might do that would breach their T & C and not already be a criminal offence, eg, incitement to racial hatred. But remember that unlike the criminal law, what a site puts in its EULA or T & C is its privilege, and need not conform to popular views as to what is societally unacceptable or wrong.

This is why it is crucially important to keep civil sanctions for breach of contract quite separate from criminal sanctions for criminal behaviour, even though there is obviously an overlap in the actual types of conduct. In the Drew case, the answer could have lain with using stalking laws rather than hacking laws to prosecute the undoubtedly evil accused; in the UK the answer could be to clarify exactly what "unauthorised" means (or to abandon the s 1 offence of "pure" hacking, and allow it as an offence only when used to pursue an illegal subsequent activity?).

I hope this US case will be seen as what it is: an unfortunate aberration.

EDIT: Link on (US) legal opinions on whether suicide-watching online (not the same as instigation, at least necessarily) is illegal inducement or abetting of suicide.

EDIT: Link from Making Light giving more info about the Drew case.

Monday, November 24, 2008

Public sector implications of phishing

It's funny how things creep up on you. A year ago e-government was still just another buzz word to me; e-commerce yes; but do my public sector stuff online? Nah.

And yet in the last couple of months, I have paid for my road tax online, ditto for my TV licence, and having failed to make my self assessment deadline, will be (ahem) paying someone else to do it for me online. E-government really is here.

Which means it will no doubt be only a matter of minutes before the phishers catch on and exploit it as mercilessly as they're currently playing the troubled banking sector and its confused customers. Today I got yet another Lloyds TSB etc phish and for some reason decided to investigate this one. It was surprisingly more sophisticated than last time I looked. The usual ploy: a fake URL which magically transported you to a site that was NOT Lloyds TSB.

It was in fact

Quite clever that huh? The even vaguely clued-up punter now knows to look for the right URL - and it has the part right. That intrigued me so I looked up whois and found this:

Front Page Information

Website Title: Lloyds TSB - Logon
Title Relevancy 66%
Meta Description: This is the Lloyds TSB logon page
Description Relevancy: 71% relevant.
AboutUs: Wiki article on

So they've again anticipated the even vaguely clued-up punter and poisoned the whois directory. Now that IS bad. The fake Wiki article link is also quite neat. I checked and it doesn't link to Wikipedia itself but to an obviously f(ph)ishy advertising site. However I'm sure the next lot along will easily concoct a real Wiki article. After all it only has to stay up for a day or so...

All this makes it even clearer that expecting the consumer to spot a phish site is ever more unlikely. We need better anti-phishing tools, better takedown networks, more police/bank collaboration and better rules about phishing liability, and, as I've said before, soon.

Note: and the fake site is down - so that WAS takedown within 12 hours or so..

Thursday, November 20, 2008

3 Strikes..

The story is now on OUT Law and El Reg (and of course ORG).

Hugh Hancock has set up a Facebook group to help campaign - go join!

I'm also advised the email addresses of the Ministers to write to, should you wish to, are:

Stephen Carter:

Shriti Vadera:

Wednesday, November 19, 2008

Ethical leaking?

Just as we have long had a debate in digicircles about ethical hacking, do we now have to start having it about ethical online leaking?

Thought inspired by the much ballyhooed leak of the entire BNP membership list in breach of a court injunction.

WikiLeaks has of course been in this business for a long time - but I suspect rather more of the UK population than before has just begun to wake up to the world in which court gagging orders are simply a waste of time. (I just went there to get the URL, and surprise, it's slashdotted. I don't know if they do have the BNP list.) I could go and torrent that list now anyway, with no danger of the republisher being tracked (though of course I won't). This is possibly the most effective counter-injunction leak in the UK since people discovered they could get illicit copies of Spycatcher online.

Someone I know has already, to her shock, found an old family friend on the list. People are scared of losing their jobs. Some of them, like police officers, arguably should be. There are children on it enrolled as part of a family membership package - how might they feel? Now or in the future when they have their own views?

Is this really, finally, the transparent society, and if so, do we like it?

Tuesday, November 18, 2008

Fighting Dustbin Hogs, the RIPA Way!

In apparently lighter vein (though still serious stuff at root), that famed investigative journal, the Daily Mail!!, has sparked controversy with an undercover FOI operation which has revealed that half of Britain's local councils are using powers under the Regulation of Investigatory Powers Act (RIPA) to "watch people putting rubbish out on the wrong day".

Well you can tell what really gets the British public steamed up can't you? Forget the credit crunch, the collapse of the global economy and the war in Iraq, it's early rubbish-sneakers we're really worried about... (give them large roadside wheelie bins like we have in Embra!, says Pangloss, holding her nose).

Actually the story is (surprise) misleading - the Mail really mean that half of those who replied - only 151 out of 474 councils - admitted to tactics such as putting spy cameras on bins, lampposts and in tin cans.

The Regulation of Investigatory Powers Act 2000, or RIPA, has apparently, according to the Mail, been used to justify surveillance operations on a variety of grounds, including to 'protect public health' or the 'economic well-being of the UK'. When of course we all know it ought only to be used to catch serious criminals or terrorists. But - hang on a mo.

Pangloss is a teeny bit bemused. Local councils and police can put up CCTV cameras anyway, she thought, and merely give notice in the standard ways according to ICO Codes of Practice that they are so doing. Consent of data subjects is not needed if the purpose is to aid law enforcement or prevent crime. Why were RIPA powers needed at all? (Good for public transparency in that it would then figure in statistics, but..) Presumably because it was covert monitoring which is usually regarded as against DP law (see ICO Codes) but is allowed under RIPA Part II.

But that Chapter - which is little talked of in digital circles, as we are normally interested in the parts on interception and retention of communications and traffic data, and encryption - to a large extent merely codified previously existing police powers (or so I have always assumed). It was the *monitoring* and *decryption* Parts - 1 and 3 - which were novel with RIPA, and which were delayed in implementation by political controversy.

Furthermore none of RIPA was actually specifically introduced as an anti-terror law - it originated well before 9/11 etc. and makes as many references to crime (not just serious crime), economic well-being and public health (e.g.) as to "terror" or national security. It was the Anti-Terrorism, Crime and Security Act 2001 which was a specific response to terror (surprise).

Which is not to say that this wasn't a bad use of a bad law, and we should hope the Mail does more entertaining digital investigations in future :) But it may not actually have been an "abuse of anti-terror law" at all.

(belated thanks to Hugh Hancock for pointing me towards this story!)

Fighting 3 Strikes, the French way?

If you have been following the 3 strikes in Europe saga thus far on this blog, you may be interested in taking part in the campaign La Quadrature du Net has now launched to preserve Amendment 138, the amendment to the Telecoms Package which expressly preserves both the right of due process and the right to fundamental liberties such as privacy, in any extra-judicial process designed to impose sanction on filesharers.

It is difficult to see how any democratic organisation could object to such values being embedded in any type of dispute resolution process, and indeed the Amendment was passed by 88% of European MEPs and endorsed in the Commission report; however the Council of Ministers removed it from their draft proposal, and will almost certainly be continuing this opposition when the Telecoms Package comes to its next major vote on Nov 27th.

The right to due process, if preserved, will indubitably strike a significant blow against Sarkozy's plans to introduce a 3 strikes law and thus this vote is of particular importance to the French.

However it is significant in many other European countries too, notably our very own United Kingdom of GB, where the result of the current (now closed) consultation on the BERR-sponsored Memorandum of Understanding might well be the introduction of a similar process compelling ISPs to clamp down on alleged filesharers, and similarly lacking safeguards of impartiality, examination of evidence and opportunity for legal assistance in the UK. Indeed the UK process might turn out to be more dangerous, since while the French law primarily contemplates outright disconnection, the UK process might include less transparent and more obscured sanctions such as traffic slowing and filtering. Opponents of covert censorship thus have an agenda here as well.

If you are worried, check out the La Quad site and see what you can do.

If you want to read more about this and see more legal backing for these claims, see the brief prepared by Simon Bradshaw and myself on interpreting the Telecoms Package.

If you want to see a video of a Swedish MEP explaining what he sees as at stake here, see here.

Saturday, November 15, 2008

More possible solutions to credit card scams..

.. which might not drive consumers crazy??

Credit cards which generate one-time PINs.

"The next-generation cards feature a numeric keypad on the back of a plastic card. Customers enter their PIN code to generate a one-time password. This code, displayed on a card’s display panel, is then used to authenticate online purchases.

The approach is an alternative to using a password when authenticating online purchases through the much-criticised Verified by Visa scheme. As previously reported, VbyV passwords can often be easily reset knowing only card details and a user's birthday."

Re my previous suggestion of a decent roll-out of two-factor ID, i.e. dongles etc., A Reader writes:

"Physical banking tokens are a complete pain in the arse; I either carry the sodding thing about with me, in which case we have the modern equivalent of 'keep your chequebook and cheque guarantee card separately' -- no, actually, I am a woman and I carry a handbag because my business clothes do not have pockets, and all this stuff is in it; plus, although it's not terribly heavy, it's another thing to carry -- or I am essentially disenfranchised from key banking services when I'm not at home. I get particularly pissed off with the physical token when I make periodical payments of random amounts from my current account to my offset mortgage account. I have paid money to this account before. Lots of times before. The chances of this transaction being fraudulent is nil. Why are you asking for token codes?"

EDIT: a new report on this on OUT-Law makes it a bit clearer that this technology replaces BOTH the Verified-by-Visa type programmes and the dongle. Instead the one-time PIN generated requires the user to both have the card and the usual PIN - effectively making online, card-not-present transactions as secure as face-to-face ones.

Although this obviously still allows for some fraud, it does seem a major step forward. Here's hoping the trial is successful, says this very fed up online shopping card user.
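To make concrete what "having the card and the usual PIN" buys you, here is an added Python example; it is my illustration, not code from the article, from OUT-Law or from any card issuer, and the page does not describe the cards' internal scheme. It models the card as holding a secret shared with the issuer, unlocked only by the cardholder's PIN, and deriving each code with the HOTP construction of RFC 4226 (HMAC-SHA1 over a counter, dynamically truncated). The issuer checks a code against a small look-ahead window, so a code that was generated but never typed in does not lock the customer out, and consumes the counter so that a captured code cannot be replayed. The secret (the RFC 4226 test-vector key), the PIN, the window size and the lock-out threshold are all constructed assumptions.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class Card:
    """Model of the card: the secret never leaves it and is only used after a correct PIN."""
    secret: bytes
    pin: str                    # the cardholder's usual PIN (constructed assumption)
    counter: int = 0
    pin_failures: int = 0
    max_pin_failures: int = 3   # lock after three wrong PINs, as chip-and-PIN does (assumption)

    def generate(self, entered_pin: str) -> Optional[str]:
        if self.pin_failures >= self.max_pin_failures:
            return None                       # card locked: no code without the real PIN
        if not hmac.compare_digest(entered_pin.encode(), self.pin.encode()):
            self.pin_failures += 1
            return None
        self.pin_failures = 0
        code = hotp(self.secret, self.counter)
        self.counter += 1                     # every code comes from a fresh counter value
        return code


@dataclass
class Issuer:
    """Issuer-side verifier: same secret, its own copy of the counter."""
    secret: bytes
    counter: int = 0
    look_ahead: int = 5         # tolerate a few codes generated but never submitted (assumption)

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c).encode(), code.encode()):
                self.counter = c + 1          # resync and consume: the same code cannot be replayed
                return True
        return False


def demo() -> Dict[str, object]:
    """Walk through the flow and return each outcome so the results can be inspected."""
    secret = b"12345678901234567890"        # constructed: the RFC 4226 test-vector secret
    card = Card(secret=secret, pin="1234")
    issuer = Issuer(secret=secret)
    out: Dict[str, object] = {}

    out["wrong_pin"] = card.generate("0000")           # wrong PIN: the card alone yields nothing
    first = card.generate("1234")
    out["first_code"] = first
    out["first_ok"] = issuer.verify(first)             # card + PIN: accepted by the issuer
    out["replay"] = issuer.verify(first)               # the same code presented again: rejected

    skipped = card.generate("1234")                    # generated but never submitted
    submitted = card.generate("1234")
    out["drift_ok"] = issuer.verify(submitted)         # inside the look-ahead window: accepted
    out["stale"] = issuer.verify(skipped)              # older than the issuer's counter: rejected

    lost_card = Card(secret=secret, pin="1234")        # a lost card in the wrong hands: PIN unknown
    for guess in ("0000", "1111", "2222"):
        lost_card.generate(guess)
    out["locked"] = lost_card.generate("1234")         # locked now, even for the right PIN
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the test-vector secret the first code the card produces is 755224, the value RFC 4226 lists for counter 0, which is a quick way to check any HOTP implementation. The two properties worth noticing are that the issuer never stores or receives the PIN (it is checked on the card), and that a code is single-use by construction: once consumed, the issuer's counter has moved past it.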

A Reader also rather sensibly asks why all banks can't demand as little security as PayPal, i.e. one username and password. Presumably because when losses accrue due to hacking of PayPal accounts the losses stay with the credit card issuers, not PayPal? Does anyone know how PayPal manages risk??

Eloquence for the end of the week

Andres (Technollama) on media bashing of WoW players and kneejerk legal demands for regulation

"While I have low expectations of the British media, it seems to me that there is a deep Luddite vein that is exploited repeatedly whenever games and virtual worlds are concerned. For most people, gaming simply replaces other entertainment activities, such as reading, watching TV, or listening to the radio. When you boil it down to basics, gaming is a way of removing oneself from reality and experiencing other points of view. But is that not the same of reading? When reading I have spent countless hours lost in Middle Earth, visited Macondo, explored the Galaxy in Culture ships, and metamorphosed into a giant insect. On TV I have followed the perilous journey of the Battlestar Galactica in its brave escape from the Cylons. In cinema I have witnessed the triumph of the Rebel Alliance, followed the romantic adventures of a French waitress, and seen seven brave samurai rescue a village from bandits. Those are hours of my life "wasted" in other realities instead of "being outside" doing "real things" and interacting with "real people". Are there people who abuse gaming? Sure! But so do lots of people abuse alcohol, knitting and sport. To me this is the most fallacious of dichotomies, people who are inclined to spend 12 hours in front of a computer screen playing a game are not likely to suddenly go out and become involved in "real life" if you switch the computer off."

Bravo, even tho I'm not a gamer.

Friday, November 14, 2008

Security madness

Pangloss has just booked a ticket to Edinburgh online and had the booking details sent to her mobile. I was sent an authorisation code which lets me pick up the tickets from an automated machine.

Not a very difficult process you might think; certainly not for a professor of Internet law?

But in fact every previous time I have started to do this, I have given up in sheer frustration and irritation and just gone to the station and bought the damn ticket - why?

Because making this very simple everyday e-commerce transaction involves:

- remembering my login - not easy because they refuse my "normal" password as it does not have numbers in it (thus encouraging me to use a highly guessable password instead, as the types of numbers people can remember ARE highly guessable - you know what I mean :)

- going through not just ordinary debit card security, but ALSO RBOS's *extra* security (since my debit card is RBOS) - which involves re-entering much of the same info, plus a DIFFERENT password from the one I already use for RBOS's *own* online banking (again, a different password from my "usual" password, because of their *own* arcane restrictions)

- putting in my mobile no., but having to go through yet another login to get a "verification code" before I can actually get the damn booking reference sent to my damn phone.

Do you begin to see why I might prefer just to go queue at the station??

By contrast, in the days when I flew to Embra from Soton, somehow I could book a plane using an ordinary credit card, avoid extra security by using a credit card which hadn't yet invented "VisaSafe" or whatever :-), get a reference no, and just stick the credit card in a machine at the airport to get my tickets printed out. Damn it, I could even print my tickets AT HOME and forget all my ref nos.

This rant is partly then about why can't it be as easy to get a train ticket as a plane ticket when logic suggests it should be the other way around.

But mainly it is about B2C e-commerce and payment security in general. This is NO WAY to build a business model. I should not have to re-enter fiddly personal details in different abstruse combinations three or four times to complete a simple transaction.

The banks' security, upped in reaction to their fears of having to reimburse CNP fraud losses (even though they offload most of it onto the merchants), has reached the point where, I assert, it will do its best to deter most ordinary customers. I don't know what the answer is, though I suspect it has to do with identity management, or with physical token roll-out to everyone, not just prized upmarket customers. But this simply will not do.

Thursday, November 13, 2008

Analysing the European Telecoms Package: Even More About Three Strikes and You're Out

Back in July, Pangloss readers were alerted to the stealth tactics surrounding the European revision of the Telecoms Package: a vast programme of EC law reform involving five Directives and primarily to do with regulation of the telecoms framework (duh) and nothing to do with content regulation or copyright - allegedly.

However as I reported then, there was serious concern (raised by La Quadrature du Net and Monica Horten at IPIntegrity) that some interest groups (in the main, it seems, the French Sarkozy government, and the global content industry lobby) were using this complex law reform exercise as a Trojan horse to pass through some fairly bland looking proposals, which when looked at more closely proved to lay what might well be a framework for European legitimisation of Sarkozy's "3 strikes and you're out" law.

This law - whose basic idea is that alleged repeat filesharers should be summarily disconnected from the Internet without the intervention or supervision of the courts, on the say so of the content industry - had already been rejected in principle by the European Parliament as a breach of due process and fundamental rights such as privacy and freedom of expression.

As a result of publicity and a write-in campaign to MEPs, these issues became better known, and safeguards were inserted into the Telecoms Package at the European Parliament reading stage. However these were subsequently removed (with little or no publicity) in the leaked Council of Ministers proposed amended version. Opaque waters were further muddied when a week or so ago the Commission came back with their (official) proposed version, which attempted to address some, but not all, of the worrisome issues in the Package. At this point I was asked, along with trainee barrister, blogger and IT law expert Simon Bradshaw, to have a look and say just what there was (if anything) still to worry about in the Telecoms Package as of right now, since its level of incomprehensibility had already reached beyond 11 on a scale of 1 to 10, for anyone except trained combat Internet lawyers (and we were struggling too :-).

After much burning of midnight oil and pixels, these are our conclusions. We hope they are useful to all participants in the European democracy and legislative process; in particular we hope they inform both the public and the politicians during the current vital period when the future of the Telecoms Package and whether it will go to a second reading in the EUP are being decided behind closed doors.

Here is the top level summary; the whole report can be downloaded here.

"The central issue discussed here relates to the current state of the Telecoms Package and the extent to which it allows or does not allow (or requires, or does not require) the disconnection of alleged filesharers from the Internet, without the involvement of courts to assess the evidence for the possibility of error, and to provide protection for due process and fundamental rights. It is indubitable that the Telecoms Package also provides many important consumer friendly guarantees, but these are not the topic of this brief.

In particular, we wanted to find out if the Telecoms Package, at its latest stage, still provides a potential guarantee of legality for the “3 strikes and you’re out” legislation currently being implemented in France and of interest in some other member states such as, notably, the UK. The key parts of the argument above have been emboldened.

On the basis of our analysis it is clear that the package does, or at least can, provide a mandatory basis for the “warnings” part of a French-style connection sanctions law (the “strikes”) (see para 12 of brief), and also potentially provides a means by which public CSPs (ISPs and the like) can be compelled by the national regulator to work with (“promoting cooperation”) rightsholders to implement a disconnection scheme (the “you’re out” – see para 19 of brief). Wording in various places of the latest version seems to confirm that this “cooperation” is a more extensive obligation than simply providing copyright related public interest information.

This is a crucial set of obligations, about to be imposed on all of Europe’s ISPs and telcos, which should be debated in the open, not passed under cover of stealth in the context of a vast and incomprehensible package of telecoms regulation. It seems, on careful legal examination by independent experts, more than possible that such a deliberate stealth exercise is indeed going on. When passed, these obligations will provide Europe-level authority for France’s current “3 strikes” legislation, even though this has already been denounced as against fundamental rights by the European Parliament, when it was made clear to them what they were voting for or against.

Importantly, two amendments originally inserted by the EUP did provide protection against non-judicial imposition of disconnection and other sanctions against alleged filesharers, in particular Art.32a of the Universal Service Directive (see para 35 of brief) and Art.8(4)(ga) of the Framework Directive (see para 28). However, both of these provisions were deleted by the CoM, and did not appear in the CoM’s proposed final text.

Somewhat unexpectedly, however, one of these “safeguard” provisions, Art 8(4)(ga), was in fact reinstated by the Commission in the latest version. Why both Amendments 166 and 138 were not so reinstated is unknown, but may relate to “horse trading” between the Commission, the Council of Ministers and the European Parliament to get the package passed during the Sarkozy Presidency of the EU. Whether (ga) will survive to the final version of the Telecoms Package is anyone’s guess, but it is clearly a key defence for civil liberties and against “3 strikes”, as it explicitly protects both the right to due process and the right to private life. This brief commends its re-inclusion and suggests that Amendment 166 also be reinstated...

...Finally we reiterate that this brief has been prepared to give a legal, rather than a lobbying, perspective upon the telecoms package. Good European law cannot be made when sectoral agendas are hidden within nested sets of amendments, obscure definitions by reference, and overly wide and vague terminology. The purpose of this brief has been to open up these obfuscated agendas to the light of day. The brief is based on the Telecoms Package state of play as at 12 November 2008. It will be updated as developments occur."

Finally, thanks for help with this relating to European policy and process from the ever-helpful Judith Rauhofer, Research Fellow at UCLAN.

Monday, November 10, 2008


Via Tom Coates of ORG:

Obama has a few statements on his new website about technology plans that may be relevant to the IT/IP community:

In particular:

"Protect the Openness of the Internet: A key reason the Internet has been such a success is because it is the most open network in history. It needs to stay that way. Barack Obama strongly supports the principle of network neutrality to preserve the benefits of open competition on the Internet."

"We live in the most information-abundant age in history and the people who develop the skills to utilize its benefits are the people who will succeed in the 21st century. Obama values our First Amendment freedoms and our right to artistic expression and does not view regulation as the answer to these concerns."

"Safeguard our Right to Privacy: The open information platforms of the 21st century can also tempt institutions to violate the privacy of citizens. As president, Barack Obama will strengthen privacy protections for the digital age and will harness the power of technology to hold government and business accountable for violations of personal privacy."

Sounds good, doesn't it - net neutrality, certainly. Privacy protection definitely - could we finally see the rise of omnibus privacy regulation in the commercial sector of the US? But many wiser people than me are worried about what "artistic expression" means. Remix artists' right to rip, mix, burn, or rights for music labels? Optimism says the former; realism the latter. Does Obama want to be the darling of Hollywood, or the opiate of the masses? Anyone care to speculate?

Saturday, November 08, 2008

Blogs are what happen when....

I long to debate the exciting things that are happening: the Google Library settlement, the Telecoms Framework latest Commission compromise position, the French passing 3 Strikes and You're Out, data retention, Internet libel cases in the UK courts, and how to deal with regulating the security of wi-fi - but too busy actually doing things that relate to these to have time. Ag! I seem to have made a Faustian bargain of my own - surrounded by a panoply of interesting legal developments, but noooo time to chat about them. Sigh.

Things wot I have done instead:

helped (a bit) with the ORG response to the BERR filesharing consultation;

helped (a bit more) with the ORG response to the UK consultation on implementing the Internet data part of the Data Retention Directive (link to follow)

supervised the preparation of an excellent brief by Simon Bradshaw on how the Telecoms Framework, having now been through the European Parliament, the Council of Ministers and the Commission report stages, still contains provisions which may well enable and legalise a France-style "3 strikes" regime throughout Europe. We (Simon, ORG and myself) hope to publish this brief in the next few days. Thanks also to Monica Horten for invaluable assistance on this project.

So instead, meanwhile here's the latest XKCD cartoon, which as usual is superb :-)

Wednesday, November 05, 2008

I Have a Dream?

Well, some night huh? As Obama said rather wittily I thought, he was never the likeliest candidate.

So Boing-Boing is already speculating on Fantasy Presidential Staff. Could we see Lessig at the FCC, they suggest, or Schneier at Homeland Security? Would any of my US readers care to speculate if this sort of thing is actually plausible?

In much more important political news (ha), Becky Hogge is stepping down as chief leaderette and PR person for the Open Rights Group (ORG), the UK's leading digital rights campaigning group. She's done an amazing job and will be a tough but enthralling act to follow. If you're interested, have a look

The advert is here:

And feel free to pass this link on. (Disclosure: I am on the Advisory Board.)

Tuesday, October 14, 2008

Ireland against the Data Retention Directive: AG nixes constitutional attack

From Digital Rights Ireland: (and thanks to Judith Rauhofer for the tip off)

"The Advocate General of the European Court of Justice has just given his Opinion (summary, PDF) on the Irish Government’s challenge and has recommended to the Court that the challenge should be rejected, holding that the Data Retention Directive was correctly dealt with as an internal market measure rather than a criminal justice measure (which would have required unanimity to pass). Opinions of the Advocate General aren’t binding but are generally followed by the Court, making it more likely that the Government’s challenge will now fail.

It’s important to point out, though, that this ruling only relates to the procedural way in which the Directive was passed. It doesn’t affect our case that the Directive breaches fundamental principles of human rights, and we still await a decision from the High Court referring these issues to the European Court of Justice."

Pangloss is speaking tomorrow at a Parliamentary and ISPA event on the UK consultation on implementing the DRD by March 2009, so this is rather timely. However as DRI points out, to some extent this is almost a side issue: the real issue continues to be whether it is proportional to the aim of reducing crime and terrorism to retain all forms of e-communications by the entire UK population for up to two years. In the UK consultation, a year's retention is recommended for e- and telecoms traffic to help cut down on serious crime; yet almost every example but one given in the document relates to an investigation which was solved using data retained for a matter of hours, days or weeks, not a year. How thus is one year the "proportionate" response to the invasion of privacy sanctioned?

I think it was Ray Corrigan (though I can't seem to find the reference, sorry!) who pointed out the bad science involved in the much quoted statement in the consultation, that retention for a full year was justified because, in a trial month in 2005:

"there were 231 requests for data relating to communications that had taken place between 6 and 12 months earlier. 60% of these requests were in support of murder and terrorism investigations and 26% of the requests were in support of other forms of serious crime including armed robbery and firearms offences."

But the key point for such stats is how many requests were made in 2005 in TOTAL? Privacy International quote that figure as 439,000, drawn from government stats. Thus assuming a similar rate of request across the year, the requests for data over 6 months old were only 0.006% of all requests made in 2005. Does that justify retention for a year for every type of communication data, given the privacy implications? (And given the anecdotal evidence so far that such data is being requested by local authorities for purposes other than catching serious criminals or terrorists??)

A nice quote, also from DRI and via B2fXX: "Laws requiring monitoring of the entire population are astonishing in a democracy."

E-money Rides Again, at the Least Appropriate Time Possible

This report from El Reg on the Commission's new Working Document on e-payments is so gloriously cynical that I'm not even going to try to re-write it.

"The European Commission has launched a new legal framework to boost the use of "electronic money" within the EU, even as we all realise we had even less real money than we thought.

The Eurocrats have admitted that earlier utopian predictions that we’d all be loading cash on our mobile phones, travel cards or internet accounts have proved to be somewhat overblown. In part, it is blaming itself, saying current rules “have hindered the takeup of the electronic money market, hampering technological innovation”.

Translated, this means the foolish peasants (the rest of us) have refused to stop keeping anachronistic wads of notes and piles of coins in stupid places like pockets, in wallets, under mattresses, that sort of thing, when what they really should be doing is paying smart young things to take their money and convert it into cyber cash, loaded on trustworthy items like phones, Oyster cards, servers and deelie boppers.

So, in the interests of keeping the dream alive, Brussels has proposed a new framework for “issuing electronic money”. This will include a “technologically neutral and simpler definition”, ie that electronic money is “monetary value stored electronically on receipt of funds and which is used for making payment transactions". This will include e-cash stored on devices in the holders' possession or “remotely at a server.” "

Internal capital requirements for EMIs will be reduced to 125,000 Euros - “enabling market entrance for smaller players” - is this really what we want to encourage at a time when giants like HBOS etc. are dropping like flies?! What happens when an EMI goes under? Does the relevant national underwriting guarantee apply? We have all the potential problems of Icesave staring us in the face as a stark example that national guarantees do not transpose well to virtual banks.

As all IT lawyers know, the main problem with the old EMI Directive was indeed that it was not technology-neutral at all, but modelled around smart card money, which was terribly hip before all the schemes like Mondex etc quietly flopped and failed. When in reality it turned out that what people wanted was credit, not debit, in times of free fast credit thrown at you from all directions, and/or alternately to use anonymous, data-protecting, handy account-based systems like Paypal (complete with useful guarantee for eBay transactions) rather than carry round yet another card whose loss might result in loss of actual money, without guarantee of repayment.

It sounds like Brussels has now finally recast the definition of an EMI to firmly cover the likes of PayPal. (See the now defunct argument about this via Andres Guadamuz here.) Which is sort of amusing when PayPal itself long ago gave up on the clunky EMI framework and instead just became a bank in Luxembourg. And when the bottom has dropped out of the credit market so thoroughly that pre-pay debit cards might just possibly become saleable again.. (though I wouldn't hold my breath. The Oyster card/debit card all-in-one model however should be useful whenever they iron out the commercial holdups.)

What will be really interesting to see is how far the proposed new rules cover mobile- phone-as-e-wallet - which is the development that was already looking set to revitalise the digital payments sector, if anything could.

Also the problem remains that paying by Paypal , even when linked to a credit card, is not covered by the usual guarantees of the EC consumer credit legislation - or at least not according to the UK Banking Ombudsman and the FSA - and should thus really be discouraged for dubious or large purchases (eg travel companies about to go bust, unknown ebay sellers).

I doubt the consultation touches this, being mainly concerned with capital requirements and the like, but I'll report back when I've actually read it properly, ok?

EDIT: OK, an hour later..

The consultation does indeed refer to MNOs (Mobile Network Operators) as another problem for the definition of e-money, along with "server-based" systems like PayPal.

It is starkly admitted that traditional smart card systems a la Mondex are dead. Contactless transport cards as e-money are catching on yes (22 in the Czech Republic), but still almost exclusively used at unmanned sites such as transport turnstiles or car parks. Public shows no sign of wanting to use e-cash more extensively. (This may explain the mysterious failure of the Oyster system to expand to small value real world purchases eg newspapers..)

The only major problem asserted with the current EMI system apart from the definition issues is the high internal capital requirement - hence the suggestion to reduce from 1 m Euros to an eighth of that!

There is no mention of the difficulties with credit card like guarantees for paypal etc payments, unless it is dealt with tangentially in the under discussion harmonisation of EU payment laws under the Payments Directive, currently due to be passed November 2009.

Similarly money laundering - which is known to be increasingly used by criminals to get funds past national borders, especially to Africa and Eastern Europe - is left to be dealt with as and when by financial fraud legislation.

Overall, a remarkably unambitious and pretty redundant consultation. One suspects it might have been more sensible, if politically difficult, to shelve this document entirely until the dust settles a bit on the current financial meltdown.

Saturday, October 11, 2008

Fun Times for Phishing

The credit crisis is doing interesting things to computer crime. One might have predicted that a background of banks crashing, closing access to depositors and being bailed out would be seventh heaven for phishing emails, with users failing to distinguish real reassuring emails from fake ones in the confusion. And so it has transpired - with Chase, Wachovia and Bank of America among the most popular targets with scammers, according to the US's watchdog, the FTC.

But of course what are you phishing FOR? As credit dries up, the old standby of stealing personal ID so as to apply for limitless amounts of credit loses its efficacy. Soon, the days of easy credit cards will be gone. So instead, phishing attacks have switched from ID theft to faking credentials to allow withdrawals from existing accounts. This is interesting - surely such attacks should be more visible than plain old ID theft? Would this not be a good time to look at banking security and supervision with a view to automatedly spotting upsurges in microwithdrawals from multiple accounts?
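As an added sketch of the automated spotting that paragraph asks for (my illustration, not anything published by the FTC, Apacs or a bank): a small Python detector that parses a constructed withdrawal log, counts how many distinct accounts made small withdrawals in each clock hour, and flags an hour whose count jumps well above the median of the hours before it. The CSV layout, the 20-unit definition of "small", the trigger factor, the minimum-accounts floor and every row of the sample log are constructed assumptions; a real deployment would also want a longer baseline and per-channel splits.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample log (not real bank data): one withdrawal per row.
# Hours 08-11 show the usual trickle; hour 12 shows seven different accounts
# each losing a small, identical amount within a few minutes.
SAMPLE_LOG = """timestamp,account,amount
2008-10-11T08:05:00,A001,15.00
2008-10-11T08:40:00,A002,250.00
2008-10-11T09:10:00,A003,12.50
2008-10-11T09:50:00,A001,9.99
2008-10-11T10:15:00,A004,18.00
2008-10-11T10:30:00,A005,400.00
2008-10-11T11:05:00,A006,14.00
2008-10-11T11:45:00,A007,600.00
2008-10-11T12:01:00,A010,19.50
2008-10-11T12:02:00,A011,19.50
2008-10-11T12:02:30,A012,19.50
2008-10-11T12:03:00,A013,19.50
2008-10-11T12:03:30,A014,19.50
2008-10-11T12:04:00,A015,19.50
2008-10-11T12:04:30,A016,19.50
2008-10-11T12:05:00,A010,19.50
2008-10-11T12:20:00,A017,900.00
"""


def parse_log(text: str) -> List[dict]:
    """Turn the CSV text into records with a datetime, an account id and a float amount."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "account": row["account"],
            "amount": float(row["amount"]),
        })
    return events


def small_withdrawal_accounts_per_hour(events: List[dict],
                                       small_amount: float = 20.0) -> Dict[datetime, int]:
    """Count distinct accounts that made a withdrawal below small_amount in each clock hour.

    Hours with no small withdrawals are absent rather than zero; a production
    detector would fill those in so that quiet hours pull the baseline down."""
    buckets: Dict[datetime, set] = defaultdict(set)
    for e in events:
        if e["amount"] < small_amount:
            hour = e["ts"].replace(minute=0, second=0, microsecond=0)
            buckets[hour].add(e["account"])
    return {hour: len(accounts) for hour, accounts in sorted(buckets.items())}


def flag_upsurges(counts: Dict[datetime, int], factor: float = 3.0,
                  min_accounts: int = 5) -> List[Tuple[str, int]]:
    """Flag an hour whose distinct-account count is at least `factor` times the median
    of all earlier hours, and never below `min_accounts`, so a jump from 1 to 2 is ignored."""
    hours = sorted(counts)
    flagged: List[Tuple[str, int]] = []
    for i, hour in enumerate(hours):
        history = [counts[h] for h in hours[:i]]
        if not history:
            continue  # nothing to compare the first hour against
        threshold = max(min_accounts, factor * median(history))
        if counts[hour] >= threshold:
            flagged.append((hour.isoformat(), counts[hour]))
    return flagged


if __name__ == "__main__":
    per_hour = small_withdrawal_accounts_per_hour(parse_log(SAMPLE_LOG))
    for hour, n in per_hour.items():
        print(f"{hour:%H:00}: {n} account(s) with small withdrawals")
    print("flagged:", flag_upsurges(per_hour))
```

The signal here is breadth, not size: each individual withdrawal is too small to trip a per-account limit, so the detector keys on how many different accounts are affected in the same window, which is exactly the shape a credential-phishing wave leaves behind and exactly what per-account fraud rules miss.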

The HL recently reiterated its call for banks to be legally held liable for phishing losses to bank accountholders. At the moment, despite the lack of mandatory control, banks usually, though not universally, pay up. As margins tighten and liquidity disappears, and as phishing attacks mount (already up 180% in the UK from January to June 08 compared to the same period in 2007, according to Apacs) it will grow ever more tempting for banks to find ways to get out of reimbursing phishing losses, e.g. by claiming that users failed to take adequate security steps. Considering the imbalance in technical knowledge and control between banks and users, this must be resisted. Phishing liability needs to be put on a legal basis, and soon.

Statute of Limitations & Privacy Round-Up

Brief moment of self aggrandisement - looking something up, I notice I've just missed the three year anniversary of this blog, having started in September 05. Cor. The private lawyer in me notes that the first claims for negligent misstatement or defamation should now be time barred.

Now that I am finally installed properly in Sheffield as of this week, I hope this blog will return to more regular service than of late :-)

Advance warning - Ian Brown and I have just completed this year's McAfee Virtual Criminology Report 2008 and it should be launched week beginning Dec 8th. Clear your virtual desks in antici-pation!!!

More bathetically, in a bid to encounter friendly natives, I will be at the Sheffield Law Society Halloween bash on Oct 31st!! If you're in the area and want to meet the (in)famous Pangloss do say hi! I believe costumes are mandatory however so I will be unrecognisable, and probably dressed as a Russian botnet. Should be fun :-)

Two actual items of content: one, the very (in)famous Mr Mosley, of Nazi orgy fame, is to petition the ECHR to change privacy law and require the media to notify people before they publish stories about them. Briefly this seemed a nice idea to Pangloss, but of course all it would do is enable preliminary gagging of the press by immediate seeking of injunctions in every case. One cannot see this going anywhere, as the essence of the libel/freedom of speech compromise is that post factum damages are preferable to prior restraint. I can't see any reason why this policy balance should be unsettled by reference to privacy rather than defamation. Still, interesting times.

Secondly, an oldy but a goody - yet more evidence that no one reads privacy policies. Well, if you tried to, it would take you anything from ten minutes to half an hour.

"Were people to actually read the policies and charge for that time it would cost $652bn a year.

Though that figure has limited usefulness, because people rarely read whole policies and cannot charge anyone for the time it takes to do this, the researchers concluded that readers who do conduct a cost-benefit analysis might decide not to read any policies."

As a former reader of fantasy, I love law and economics ...

Monday, October 06, 2008

The OPA rides again..

Bleeding heck. This and the UK extraditing someone for denial of Holocaust, a crime we don't actually have here, all in one week?

I hate to say it, but both the Lib Dems and the Telegraph are dead right on this one. I'm all for reasonable restraints on freedom of speech, of which this certainly is one, but the correct approach should then be a public debate in the UK as to whether this is a crime we wish to recognise (or introduce), not a blank cheque to the receiving country's police. That way lies extraditing Western citizens to Saudi Arabia for severe penalties for (say) sleeping with married women. No please.

The Girls Aloud stuff is equally vile but the principle has long been understood: no more prosecutions of literature, stick to obscene pix. Even the IWF now says it is after "images of child abuse" not "child porn". As Wendy Grossman pointed out, if this prosecution is successful, will the IWF have to start considering the artistic worth of stories and fan fiction, so as to add it after complaint to its block list? Really no please. That is for courts.

Are conservative values reasserting themselves in recession or is it just autumn and time for some Internet moral panic stories?

ps this is my first blog post written on my beautiful new and very tiny Acer 1: staggeringly cheap, fast, decent keyboard, virus free Linux OS, built in web cam. I am a total convert. All I need now is mobile Internet sub and I can happily write all my articles on the train to Sheffield :-)

Saturday, September 27, 2008

SCL Policy Forum transcripts

The Society for Computers and Law organised for the third year running its blue-skies policy forum earlier this week in London, on Legislating for Web 2.0. This year, Chris Marsden was ably in charge, and as ever Herbert Smith hosted and wined and dined us most pleasantly. The conference was broadly on the policy and legislative agenda opening up in the next few years as we see the legal reform of the information society from both the content and carrier ends. viz

• The Audiovisual Media Services Directive was enacted on 18 December 2007 and is currently being implemented;
• The new review of the Electronic Communications Services Framework (5 Directives and a Regulation) is taking place in the course of 2008;
• The Electronic Commerce Directive remains under constant review and is in tension with several national laws;
• The Consumer Acquis (8 Directives) is currently being reviewed.

I personally found day 1 of the conference a real learning curve as I struggled with the economics of broadband next-gen network roll-out, and the politics of spectrum. Funny how eerily cosy and familiar it suddenly felt as we eased onto content issues like protection of minors, and media issues like public sector broadcasting, and then downright freewheeled down to the familiar battles of regulating web 2.0 services, intermediary hosting immunities, and copyright enforcement online on day 2. Old e-commerce and IT law hands like me need days like this to teach us that infrastructure issues are just as basic as contracts and copyright to making the Internet work.

The different attitudes of telecoms and e-commerce academics were fascinating; at root the former seemed to rely 90% on economic justification for policies, the latter 90% on normative issues (fairness, equality, human rights). Similar rooted differences as to the worth of market and regulatory forces showed up between the American and European attendees, especially in the data privacy arena. It made it very plain just how difficult international legal harmonisation of any kind is. The most heated session as a result was on whether Google, as the dominant player in the European search market, should be more explicitly regulated, whether by competition law or other means. Just about all the US, UK and European academics could agree on was that they were all sure they weren't as keen on regulation as Germans. (The speaker himself, Nico van Eijk of IVIR, was proudly Dutch.) Pangloss was amused at the idea of the new US:EU data "safe harbor" wars that seemed potentially on the horizon, and may be driven to write her own paper on Google-regulation yet.

MP3s etc of all the presentations, including the heated ISP immunities session Pangloss chaired, and her own presentation on music copyright enforcement, "3 strikes" and the new UK MoU, can be found on the SCL website.

Friday, September 26, 2008

Still not dead. Well, not QUITE.

Just back from the third instalment of GikIII, exhausted, flu-ridden and exhilarated. Horrible to puff one's own baby, but I continue to be staggered at people's inventiveness, cleverness and sheer powerpoint bravado when they pull the stops out for GikIII. Best quote I've seen so far from virgin attendee, machinima geek and Twitter blogger Hugh H:

"What's fascinating about this conference - well, one of the things - is the level of showmanship. It's like a very lawyerly open-mic night."

I think that really sums it up :-)

More coherence soon, when I am over my man-flu (and have decided it really isn't leprosy. Andrea, I expect my eye patch to be in the e-post).

Powerpoints will also I imagine be up very shortly as soon as Andres has got over his hangover, er jetlag. (Actually some of them are already here.)

Many thanks to the as ever consummately efficient Ian Brown for chairing this year (while organising a few million pounds of grants on the side in tea breaks) and to the attendees and participants for as ever putting their heart and soul into this conference. Next year: possibly in Amsterdam! and certainly earlier in September to avoid start-of-term clashes which kept a few regulars away. Watch this space! Also please let me know if you blog GikII and I might conceivably have missed it.

Wednesday, September 17, 2008

Still Not The End of the World: No Britons Dead

Wired blog reports on a remarkable recent example of hacking, in no less a venue than the Large Hadron Collider in Geneva at CERN:

"Shortly after physicists activated the Collider on Wednesday, hackers identifying themselves as Group 2600 of the Greek Security Team accessed computers connected to the Compact Muon Solenoid detector, one of four key subsystems responsible for monitoring the collisions of protons speeding around the 18-mile track near Geneva, Switzerland.

A few scientists had worried that the experiment could inadvertently create a planet-swallowing black hole. Physicists called this impossible, or at least extraordinarily unlikely. But the hack raises a different sort of worst-case scenario: the largest and most complicated science experiment in history, intended to reveal basic information about the composition of matter, derailed by malevolent intruders."

According to the Telegraph, the hackers were "one step away" from the computer control system of one of the huge detectors of the machine, a vast magnet that weighs 12,500 tons, measuring around 21 metres in length and 15 metres wide/high.

Fun as it might be to speculate on whether hackers could have generated The End of the World (movie rights pending, surely), it's very clear that the worst that could have been done would have been the derailing or contamination of the experimental results. But considering that £4.4 billion was spent on the LHC, even that would have been somewhat more serious than hax0r tricks.

If the US wants to sentence Gary McKinnon to life, what would they do to these guys if they get hold of them? Luckily for them if they ever get caught, the jurisdiction would presumably fall to the Swiss or Greek courts!

ICO Speaks Total, Utter Sense

No irony meant, honest.

OUT-LAW again say: "Organisations must not use the Data Protection Act as a smokescreen for not giving out information, privacy regulator the Information Commissioner's Office (ICO) has warned. The ICO has identified the most common data protection myths which it says are used to avoid transparency or that have just developed through ignorance of the actual law.

Deputy Commissioner David Smith said that "The Data Protection Act does not impose a blanket ban on the release of personal information. What it does do is require a common sense approach," he said. "It should not be used as an excuse by those reluctant to take a balanced decision."

Too bloody true. Unfortunately the examples given by the ICO are mainly related to the public sector: universities refusing to send results to anyone but the students themselves, schools refusing to let people take photos of children in school plays. In Pangloss's experience these bodies are usually fairly reasonable; eg there are often good reasons not related to DP law to reveal results to no-one but students in person, to do with confidentiality, trust and over demanding relatives, and as a bright line it still seems the best policy. Most universities will however send results to a student's home address on request, which deals with the "student off abroad and parents desperate to know" problem.

Those who really choose to use the DPA as the Don't Tell Anyone Anything Act are notoriously not non-profits like schools, but the commercial sector and in particular communications, banking and utility companies, who cynically use the slice-of-lime factor of "it's against DP law" to get rid of annoying customers and minimise customer service. Pangloss, eg, has spent many an unhappy hour trying to pay money INTO various accounts to pay for TV, cable, Internet and other bills and been told this wasn't possible "because of the data protection act". What possible release of personal data to the payer need this involve?

Another problem is what happens when one member of a couple has set up an account, eg for telephone, and they then split up acrimoniously. It is hardly sensible, and potentially even dangerous, to advise the other partner that they cannot later access or alter the details of their account without getting the estranged partner to ring. Indeed in some separations, communication may have entirely broken down and it may be vital to change details, eg if the matrimonial home is rented to a new tenant. All utility and similar companies should have sensible procedures in place to deal with such situations (and, crucially, ones which are trickled down to call centre level).

Should using the DPA to repel honest enquiries or non-privacy-invasive transactions be regarded as a kind of corporate fraud? So long as there is effectively no real hard infringement of DPA law, large companies will continue to use the DP as a stonewalling excuse, because the nature of bureaucracy is to gather as much data and reveal as little of it to others as possible. The evaporation of personal service in favour of anonymised call centres with pre-written scripts also has a great deal to answer for.

Suicide is Painful (If You're an ISP?)

The government has announced it is legislating to clamp down on suicide websites (a good vote getter while the electorate panics alternately about their savings, their mortgage and when Brown will resign? says Pangloss, who has her mortgage with IF aka HBOS and is having a stiff drink..)

"The law on "suicide websites" is to be rewritten to ensure people know they are illegal, the government has said.

It follows concerns people searching for information on suicide are more likely to find sites encouraging the act than offering support.

It is illegal under the 1961 Suicide Act to promote suicide, but no website operator has been prosecuted.

The law will be amended to make clear it applies online and to help service providers police the sites they host."

Pretty clearly this is not new law at all, but mainly a sop to worried parents after the blanket publicity around the Welsh town of Bridgend as a suicide hot spot.

"Justice Minister Maria Eagle said "Updating the language of the Suicide Act, however, should help to reassure people that the internet is not a lawless environment and that we can meet the challenges of the digital world."

One wonders what relation this law will have to the familiar ECD Art 14 hosting immunities. Will ISPs be given a specific time limit for notice and take down, as in the E-Commerce Directive terrorism regulations? I'd gamble yes.

Will the IWF add suicide websites to their encrypted cleanfeed blocklist despite the acknowledged difficulties in spotting the difference between a site promoting suicide and one providing support to the suicidal? Yes again, I'd say.

Will the change in law be enforced against sites hosted abroad? Hmm - With great difficulty, and..

Will the legislature remember suicide law is different in Scotland and that there is not only no statute but no clear common law on the illegality of assisting or promoting suicide? I do hope so, otherwise we might see an upsurge in suicide websites hosted on Scottish servers!

We now return you to your regularly scheduled panic-stricken watching of Newsnight...

More Scottish info privacy news

While we're making Scotocentric comments on HBOS meltdown day, another snippet, slightly late, from OUT-LAW on 12/9/08:

"The Scottish Government has asked a panel of experts to produce rules for public bodies to follow so that personal information and privacy is better protected. The move follows a series of UK-wide data breaches involving public authorities.

The panel will produce guidance for public bodies to ensure that they are treating personal information properly. That guidance will be subject to public consultation before any adoption by the Scottish Government.

The group of experts includes representatives from the public and private sectors and includes Rosemary Jay, a privacy law expert at Pinsent Masons, the law firm behind OUT-LAW.COM.

The group also includes Gus Hosein of Privacy International, Scottish Government director of corporate services Paul Gray, assistant information commissioner for Scotland Ken Macdonald, Edinburgh University honorary fellow Charles Raab and Jerry Fishenden, Microsoft's lead technology advisor for the UK."

Pangloss notes with approval this list of luminaries but feels slightly sad they didn't ask her, just when she's (sort of) moved back to Edinburgh. Ah, hubris!

Sunday, September 14, 2008

Tweets! (and RSSs)

Ok, should you wish to subscribe to notifications of updates to this blog via Twitter you now can: just log into Twitter and subscribe to Panglossle at .

Pangloss herself is not quite sure of the point of this (but someone suggested it as a good idea): you'd have to go to the web to read the full thing anyway, so why not just subscribe to Pangloss's RSS feed and see updates via whatever you read RSS feeds in (PG herself uses LiveJournal as her RSS reader but knows that isn't very professional - it works though)? Perhaps someone can enlighten me.

However this does remind me that I should publicise the RSS feed, which I will do once I get round to revamping the template which requires wholesale change since the Blogger upgrade (oh god, life is just so complicated..)

Atom link:

RSS link:

On that note, I'm worn out!


Testing out Twitterfeed for the greater good of my readership. Hang on in there a mo..

Wednesday, September 03, 2008

Law Blawging UK OK

Slightly belatedly, via Binary Law:

TimesOnline does the round-up of the usual suspects (no Pangloss, helas!) on the UK blawging circuit. As Nick Holmes comments, the scene is really rather rosier than both the article and the comments seem to indicate.. in fact if you look at Charon QC's enormously useful single page of UK blawgers, there are many many blawgs I've never heard of or sadly never get the time to look at..

Actually IMHO I am quite staggered how many law practitioners (as opposed to we feeble academics) find time to maintain decent readable blawgs. Where do they put it in time billing, one wonders?

Burning Chrome

I've now seen in a few places (and been asked to comment) on this extract from Google's new browser Chrome's EULA: (see eg

The part people are worried about is

11.1 You retain copyright and any other rights that you already hold in Content that you submit, post or display on or through the Services. By submitting, posting or displaying the content, you give Google a perpetual, irrevocable, worldwide, royalty-free and non-exclusive licence to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content that you submit, post or display on or through the Services. This licence is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services.

My opinion FWIW (without prejudice etc) is that this is harmless. The part in bold is the important bit. Yes, Google are getting a (non-exclusive) licence to your content but ONLY to show off and advertise their toy. This is a very common clause: in fact I'm told Google have it as a standard clause in all their contracts and I'm sure they do and it's bothered nobody.

I remember Hugh Hancock from machinima land asking me about a very similar clause in (I think) an MS machinima licence. Basically if someone provides a free cool web service, they want to use your cool content to show off in demos to clients, on the web etc etc. And they don't want to have to come and ask you for copyright permission. In return for a free service, this doesn't seem unreasonable to me.

There is also a very outside chance that Google are protecting *themselves* against a claim of copyright violation for their browser being used to make a copy of someone's site, who then claims he didn't give permission for that. In other words, normal uses of a web browser.

What it does *not* mean is that Google are grabbing the right to steal your entire video blogsite accessed via their browser, package it into a Richard and Judy bestseller book, turn that into a best selling film and retire on your profits :)

Rest easy kids.

EDIT: Google are apparently going to retrospectively clarify the issue.

EDIT 2: and apparently already have : " As of 2 p.m. PT, it looks like the terms have changed. Section 11 now reads simply: "11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services."

Tuesday, August 19, 2008

And meanwhile...

.. while Pangloss continues her summer hiatus, and if you want some light reading, you might be interested to know that many of my recent and even not so recent articles are now available in pre-print form on SSRN.

Many thanks to Nadine Ericksson-Smith for doing the admin involved in getting these there!

Happy soggy summer to all, ho ho ho..

Also to whet your appetite for the autumn, upcoming places to see Pangloss.. (gosh , it's just like the Edinburgh Fringe comedy tours!)

Scottish SCL Meeting, September 3rd - Edinburgh, Faculty of Advocates, Mackenzie Building (behind Fringe Office) High Street, Edinburgh - Facebook and the Law: CyberStalking Paradise 2.0?

SCL 3rd Annual Policy Forum 2008 : Legislating for Web 2.0 – Preparing for the Communications Act? 22 & 23 September 2008 , London

GikIII 24th-25 September, Oxford: Data Protection 2.0: This Time It's Personal (Data?)

Practical Law Seminar, 30 September, London : Social Networking, privacy and Other Legal Issues

QMIPRI-SIIA Conference: Digital Publics - 2 October, London

Tel Aviv University, Israel, invited lecture - December 4th

Monday, August 11, 2008

Important Contact News and SCRIPT-Ed conference

Pangloss has temporarily moved back to lovely Auld Reekie pending resettlement at her new job as Professor of Internet Law at Sheffield University. I am currently looking for nice rented accommodation with garden for homeless cyberprof and two well (honest :-) behaved kitties should you know any useful slum landlords in the area (or, indeed, be one) ..

IMPORTANT: From September 1 2008 will CEASE TO OPERATE. (Rather unlike, it has to be said, lovely which two years on is still faithfully forwarding the odd email..)

My new email is . You can start using this as of now but it will become vital after September 1. Please note the odd spelling of my first name :)

I am also stepping down as Director of ILAWS. I remain Associate Director of SCRIPT/the AHRC Centre for Intellectual property and Technology at Edinburgh.

Talking of which , one of my happiest jobs in that capacity is to still act as a Managing Editor of SCRIPT-ed, the online journal of the AHRC Centre, whose remit is very broadly the interaction between law and technology. The most recent issue (Vol 5 No 1) includes papers on topics as varied as trade mark dilution, user attitudes to P2P services and the ethical issues surrounding 'bionic' athletes. We are always interested in prospective contributions for SCRIPTed, and we are also keen to hear from suitably-qualified referees to help peer-review submissions. One of the key strengths of SCRIPT-ed I think is that in a field as dynamic as IT and IP law we can usually guarantee swift publication, while retaining the rigour of peer-review.

Not content with running a journal, the managing committee are now organising the SCRIPTed Conference, to take place at the University of Edinburgh from 29-31 March 2009. Taking as its theme 'the Governance of New Technologies', it will focus on evolving and emerging technologies and new-technology-driven practices and their impact on the overlapping fields of healthcare, information technology and intellectual property. The Call for Papers is open until 15 November, whilst an outline programme is available. Dan Hunter is one of the special guests whom Pangloss herself will be very eager to meet again - Dan is one of the foremost experts in both the US and Australia on virtual worlds and the law.

So, why not make a date in your diaries for what promises to be a fascinating and enjoyable three days in the beautiful city of Edinburgh?