Tuesday, April 29, 2008

When all about are losing their's..

This is wonderful. Many moons ago Pangloss gave a paper, loosely on virtual property in online worlds, and used some analogies from personality rights cases featuring unauthorised uses of celebrity images. One fortunate synchronicity was that at the same time, Wendy Grossman, the tech journalist about town, asked her for some advice on the theft of - get this - a life size AI-equipped, animatronic head of Philip K Dick - the reality-bending deceased sf author - which had been programmed with the entirety of PKD's works in the hope it could give answers PKD himself might have while alive. My paper ended up being called, snazzily I thought : "Bring Me the Head of Philip K. Dick: New Forms of Virtual Property"

The head disappeared when its creator, David Hanson, accidentally left it on the overhead rack on an America West plane. Hanson subsequently sued AW for the loss of the head, worth c $350,000. Boing-Boing reports that the suit has just been dismissed in no uncertain manner in a hilarious judgment which is itself intensely self referential.

Am I time travelling, insane or just still in a coma? : ) Reality bites!

Ps this ties up rather well with advertising that I'll be giving an updated version of this talk in Exeter in May at the rather groovy looking Workshop on Virtual Worlds, May 20th, 2008 University of Exeter..
For further information, please contact: A.Harcourt@ex.ac.uk

Thursday, April 24, 2008

The European Draft Common Frame of Reference (CFR)

Panloss went to a very interesting lecture yesterday by Hugh Beale of Warwick and formerly the English Law Commission on the publication of the first part of the European CFR project - namely the Draft CFR on Contract (CFRC).

What is the CRC and why should you care? This is a grand plan, which has in various forms been gathering momentum for many years, to distill principles out of the whole of European private law - as derived from the now 27 members of the EU - and create a kind of codified version of those principles. Naturally, given the differences not only between common (England, Ireland) and civil law (everyone else) not to mention linguistic, political and economic differences (the arrival of the Access countries has kind of complicated things:-) this has not been an easy task. One can tell how pleased Hugh Beale and his colleagues (including Eric Clive at Edinburgh, whom Pangloss also saw talking about this a few weeks back - and was very pleased to be given a copy of the Draft CFRC) are to finally show off the first fruit of their labours.

Is this going to impose a European Civil Law Code on you, me and my mum? No, in no uncertain terms. Although aspirational academic work on such a code is ongoing, it is recognised to be politically and probably legally impossible for the EC to take such a supranational stance. Instead the CFR will be used as a "toolbox" which can be explored for stuff like common EU definitions of key legal terms (like "damages" or "termination"); as a kind of model law which EC member states might adopt when reforming their law; and more controversially, as a model the EC might look to when it reforms its law. In many ways, the spur for the completion of this particular part of the CFR has been the EC's ongoing attampts to reform and modernise its consumer law - the so called Acquis, which is currently found in a multitude of Directives.

Still wondering why IT lawyers should be interested? Well one possible thing that might happen next is that the acdemic CFR may be turned into a more limited "political" CFR - espoused officially by the European Commission - which might become available (via an "optional instrument") as a kind of new extra legal system. Rather in the way that a contract cane be governed by, or arbitration can currently be decided under the "the law of the Vienna Convention", say, a business - Amazon say - might sell to all the inhabitants of the EC with the contract, and any dispute arising, governed by the "law of the CFR".

THis is where it gets exciting. At present, one of the big problems about cross border selling is having to worry about the consumer protection laws of every country you sell to. In Europe, Rome 1 (now a Regulation) , on choice of law, dictates that even if Amazon UK (say) dictate that the law of the contract shall be English law, if they're selling to a French (or Finnish or Latvian) person they have to take the risk that if there is a dispute. the "mandatory rules of consumer protection" of France (or Finland or Latvia) will still apply, and over-ride the law they know and had calculated their insurance premiums upon (English).

Sounds a very academic point but businesses , especially SMEs and one-man outfits are highly risk averse. Facing unquantifiable risk, they'll choose to sell at home and not to France or Latvia or Finland. None of this is good for the dream of the low cost, high choice, competitive Single Market for consumers. And in real life the Commission has already noticed that even big players like iTunes (who can afford Finnish and Latvian lawyers) are choosing to sell to some parts of the EU (usually the safer better known Western members) and not to the full 27.

But the "law of the CFR" will be specifically drafted to already include what is seen as at least the minimum EU-wide consumer protection - possibly more than that. So there's no policy reason why Amazon or iTunes shouldn't be able to select "the law of the CFR" as the governing law and NOT have to worry about the law of France, or Finland, or Latvia or whoever next joins the EU.

What about the consumer? Well the idea is also that the consumer will get a choice. When making a contract with Amazon, they'll be presented with the option to accept "the law of the CFR" - or to demand their home consumer law applies. The "CFR" choice will be a Blue Button - so the scheme is the "Blue Button" plan.

Panglos wonders what the point is of presenting the consumer with an option. No consumer she has ever known has rejected a sale because of the governing law - only because it wasn't cheap enough or good enouigh in quality. Consumers will never know enough to make an informed choice about giving up their home law protections. And from the retailer end, the smart money is they won't offer a real choice anyway, but will simply say , if the consumer refuses "the law of the CFR" that they won't accept their order - and we're back to the status quo of partition of markets.

But the "Blue Button" choice apart, the concept of a "law of the EU" as a choice of law seems a brilliant solution to the current Single e-Market impasse - my congratulations to whosever stroke of inspiration this was.

Finally the CFR folks (academic version) very much want feedback on their draft CFRC. It is I believe available at http://www.law-net.eu/ . One piece of feedback Pangloss has already delivered is that she would very much like to see this "toolbox" feed into the review of the Electronic Commerce Directive which has started about now. As every e-commerce lawyer knows, the provisions on when and how an e-contract can be made in the ECD Art 11 are a complete mess, for the simple reason that the ECD drafters were unable politically to harmionise EC basic formation of contract law. The CFRC might provide a way out of this dilemma. Let's hope someone passes the good news on :)

Monday, April 21, 2008

Incitement to terrorism becomes an EU crime?

According to Michael Geist's BNA reports of 21 April 08..

"European Union justice ministers have agreed that using the Internet to publish bomb recipes or call for acts of terrorism to be committed should count as a criminal offence. The 27 member states agreed on Friday to introduce as new offences "public provocation to commit a terrorist offence, recruitment, and training for terrorism" which would be punishable "also when committed through the Internet." [Deutsche Welle]"

The German source adds

"The 27 member states agreed on Friday, April 18, to introduce as new offences "public provocation to commit a terrorist offence, recruitment, and training for terrorism" which would be punishable "also when committed through the Internet."

People found guilty of "disseminating terrorist propaganda and bomb-making expertise through the Internet can therefore be prosecuted and sentenced to prison," the justice ministers said in a joint statement.

The commission's proposal would also allow EU law-enforcement agencies to demand cooperation from Internet providers in order to identify the people making such calls and to ensure that the offending material is taken off-line."

Interesting last para. This echoes what the UK government has already done with The Electronic Commerce Directive (Terrorism Act 2006) Regulations . These apply a 2 day strict notice and take down period under the ECD where the police can ask for take down of pro-terrorist material and ISPs must comply on pain of being seen as endorsing the hosted material.

But the Internet does not stop at the English Channel or even at Turkey. What is the position going to be of an apparently US hosted site like Bombs for Beginners , or this site providing downloads of the Anarchist's Cookbook (which itself recommends instead http://www.pyronfo.com/ for homemade bombmaking, and does not seem to admit where it is hosted?) (And am I committing an offense by linking to either of these??)

The current UK guidance on how the Regulations apply the s 3 notice provisions of the Terroriosm Act 2006 says thusly:

"38. Section 17 [of the 2006 Act] confers extra-territorial jurisdiction in relation to the section
1 offence (encouragement of terrorism), but not to the section 2 offence
(dissemination of terrorist publications). Extra-territoriality is only conferred
in relation to the section 1 offence as it relates to encouragement to
commit Convention offences. These offences are listed in Schedule 1 to
the 2006 Act."

Schedule 1 does not however seem to contain any offences relating to encouragement of terrorism either, by publication of propaganda or educational instructions about bomb making alike. One assumes therefore the UK LEAs cannot issue a take down notice to Wikipedia (or to Le Monde's website in France either.) Is the future new EU legislation intended to allow intra-EU take down notices in the terrorism area? The French may go along with this (zut alors) but one doubts somehow that the US will agree to allow EU police to issue take down notices against their own US-hosted websites though? (What of the First Amendment and the good old Yahoo! case?)

Pangloss is not an expert in the anti-terorism area and would appreciate any helpful comments.

Pangloss has also been informed about Information Security Week 2008 which runs week from 21st April 2008. Some events look quite interesting for Internet Lawyers -- notably

23rd April Debate on the need for an e-crime unit in the UK with Charlie McMurdie, Detective Superintendent, Police Central e-Crime Unit Project ; Philip Virgo, Secretary General, EURIM; Tony Neate, Managing Director , Get Safe Online; Dr David King, Chair, Information Security Awareness Forum (ISAF).


22nd April Launch of the PwC Department for Business, Enterprise and Regulatory Reform Information Security Breaches Survey 2008.

Sunday, April 20, 2008


No particular point to make here except this may certainly enhance a few powerpoints:)

Thursday, April 17, 2008

Internet Libel (not "liable") or Who's the Daddy(place)?

A story I meant to mention from last week - the Telegraph reported what is being called the largest ever Internet libel settlement in the UK, in relation to allegations on a site called "Dadsplace" about Gentoo, a housing development company.

"Gentoo Ltd, formerly the Sunderland Housing Group, became the subject of an attack by "a seriously defamatory, abusive and scurrilous anonymous website at dadsplace.co.uk", according to a statement read in court by the organisation's counsel, Hugh Tomlinson QC, before Mr Justice Eady today."

Eventually after some two years of malicious attacks downloaded "millions" of times, "John Finn, the owner of rival housing firm Pallion and a former local council candidate in Sunderland ...admitted his involvement, agreeing at the time to pay £125,000 towards Gentoo’s legal costs and a total of £21,000 in compensation.. he and Pallion [then] agreed to pay Mr Walls damages of £100,000 to settle his claim for libel and harassment."

The webmasters of Dadsplace were also made subject to injunctions not to repeat the offending statements but do not seem to have been sued for actual damages.

Now interestingly the solicitors for Gentoo - Olswangs - have commented publicly on why they think the settlement was so high. Factors seem to include:
- the length of the slandering campaign - two years
- the quantity of defamatory allegations - made almost daily
- the "extensive steps to publicise the Web site and their other publications" made by Dadspace - so the damage caused to the reputation was very extensive.

They also indicate how difficult it is to investigate a campaign of anonymous libel eg on a bulletin board or mailing list site, involving "months of painstaking investigation involving a combination of high-tech computer forensic work and old-fashioned evidence gathering".

Finally there are some interesting thoughts on Internet libel from Ashley Hurst the Olswang lawyer involved:

"This raises the question of whether reform is required to give the Internet the same badge of respectability that is enjoyed by other forms of media, including the press (regulated by the PCC) and television companies (regulated by Ofcom). However, the Internet is of course an entirely different medium and the answer is far from straightforward, particularly given the global reach of the Internet and the many different foreign laws that can apply. Would extending the remit of Ofcom or the PCC, or developing a voluntary code of conduct, make any difference?"

Pangloss gets an awful lot of requests to provide advice on Internet libel, though she is uncertain if this is because there is so much of it, or because her article on Net defamation (from 2000!!) comes up first in Google UK if you put in "Internet libel". (Bored students may be glad to know this piece will finally be updated in the 3rd edn of Law and the Internet upcoming.)

But most the people who contact her (unike Olswangs, perhaps, who charge :-) are not the alleged victims of libel, but are websites or hosts of some kind (often charitable or one-man outfits) who suddenly receive take down notices out the blue making vague threats of legal action, and then have no idea what their legal risks are. In an Internet culture where flaming is still fairly prevalent, these hosts often feel they have no alternative but to take down, even where they have no idea what if anything illegal or actionable has been said. This is not good for freedom of speech, democracy or indeed the morale of the voluntary/charitable sector. Sabre rattling and fear of legal risk , it seems, often overwhelms common sense and resilience.

Helpfully, the SCL website as well as providing the Olswang interview, also provides some hints to websites as to when they are liable for content posted on their site by third parties.

Pangloss doesn't disagree that a voluntary code relating to offensive content on websites might be of some use for the victims of malicious allegations (though how would it be policed? the PCC model, both of jurisdiction and sanctions, does not readily transfer, she feels, and that's before we come to the fact that web content is just as likely to be uploaded abroad as in the UK.)

But she also wonders if we do not also need to do more to protect individuals and small unincorporated associations who run or host the websites from random take down notices from anyone who is a wee bit disgruntled or wants to stifle perfectly reasonable criticism or debate.

At the very least it would be good to see a responsible body - the CABxs ? ISPA? BERR? - providing some plain language guidance on line, perhaps an advice hotline, and perhaps even an adaptable form response to takedown notices which do not meet the requirements of regulation 22 of the ECD regulations. Some take down notices do not even sometims specify what ( or where) the alleged libel IS. (The title of this piece comes from one just like this Pangloss saw yesterday - where the aggrieved sender of the take down notice knew so little he had spelt "libel" as "liable".)

As`my gift to the world Pangloss may post her own typical response letter tomorrow. After I've checked it's in no way libellous:)

Stamping out child abuse image websites?

Interesting report on the Beeb about how the IWF have identified how many sites trade such images and concluded there are 2,755 such sites worldwide.

"Of these, 80% are judged to be fully commercial operations.

The IWF said this "manageable" number could be eliminated if net firms, governments and police worked together".

A laudable aim and if achieved, quite amazing. It doesn't of course take into account the anecdotally well known fact that serious organised pedophile rings now mainly obtain and swap their wares via closed P2p nets - "darknets" - and that penetrating these is getting ever harder since the arrival of easily used encrypted P2P.

However perhaps this isn't the time to be too cynical (what me?) and as the IWF imply, closing down commercial websites would at least cut off the feed from those not already inducted into the "inner circles" of darknets.

Then perhaps we could start putting more resources into actual child abuse in this country and less into the shadowy scare figure of the online pedophile :)

Wednesday, April 16, 2008


A week or so back I mentioned an interesting report from Bill Dutton and associates at the Oxford Internet Institute on married couples who met online and how they behaved online towards each other. The report was sponsored by e-harmony.com, a dating site who promote making better marriages on line.

I just wonder what they think of this :)

OK back to the dissertation salt mines.

Aha! One last insight into the glories of Pangloss's work life - thanks to the good offices of Cory Doctorow I have now received permission from the godlike Randall Munroe of XKCD so that this - my favourite web cartoon evah - will be the cover of the 3rd edition of Law and Internet, coming to you in autumn 08 :) I am very very pleased :) Thanks to both Randall and Cory!

Thursday, April 10, 2008

Stupid Idea of the Month

(Thanks to Ian Sorensen for the tip off.) News from way back on April 4th 2008 -

"Registered child sex offenders will have to provide their email addresses to police in a move to stop them using social networking Web sites, the Home Office announced on Friday

Police will pass the addresses on to the sites which will then be expected to monitor usage or stop offenders logging on. Sex offenders will face up to five years in prison if they fail to hand over the details or provide a false email.

The proposal is one of a series of measures announced by Home Secretary Jacqui Smith to make it harder for child sex offenders to meet children online."

Oh come on, Jeremy. Anyone heard of hotmail, yahoo, gmail, a 1000 other ISPs? Your average pedophile is at least smart enough to realise that even if conscientiously and truthfully hands over (one? all?) of his email address (es), it doesn't take long to get another.

This really is a bad case of "having to be seen to do something, anything". I feel actually embarrassed for our poor polis who'll have to implement this piss-stupid idea.

The wider question again, is how legitimate is it to ban someone from the Internet (all of it? some of it? is tere any realistically any halfway house?) just because their past or future potential crimes might use the Internet. We` routinely allocate ASBOs and domestic injunctions barring certain persons from eg schools, shopping centres or the homes of ex-spouses, but these are in general (a) limited in geographical area (b) proportionate to the crime and (c) enforceable, in that there is very likely someone who has reason to take note if the area restriction is broken.

Arguably, none of these justifications apply to a total Internet ban. But who cares, it's clear`that considerations of civil liberties simply melt away compared to the votes that can be won by name-dropping the "will no one think of the children line". And not mentioning that by far `and away the majority of the sbuse is by someone known to the child and usually resident in their own home, not by stranger online pedophiles. At least in the US there appears to be a debate about the constitutionality of Internet band - Pangloss has seen little or no sign of this in the UK.

Hell, they could simply plant 3 downloads on the pedophile's hard disc and that'll be them banned from the Net for life shortly :)

Future Strategy of the ICO

As the final part of Pangloss's catch up of vital reports on privacy and DP that all seem to have emerged while I was on holiday (sigh), the ICO's own report on its future strategy on DP enforcement needs read. I refer you in the meantime to cogent comments at Naked Law.

Very broadly, the ICO propose that they "will not focus on enforcement, but on reducing the risk to UK residents of misuse of personal information about them. " This may of course however be all subject to change given the expectation that the current Commisioner Richard Thomas will retire in the not too far distant future.

Thanks also to IMPACT blog who (inter alia) drew to my attention to the large ICO survey on attitudes to privacy which preceded the issue of the strategy paper and came out March 19 08. It's all go :) One of the most remarkable and yet not unexpected findings is that after the HMRC data scandal the British public has officially lost faith in the public sector: "The ICO poll of 1,000 people found that 53% of those asked no longer had confidence in the way banks, local authorities and government departments handled personal information." See Beeb summary here.

More on 3 Strikes & Phorm: the ISP Strikes Back, but still true to Phorm

3 Strikes, semper passim :)

Technollama has a good post on Carphone Warehouse's opposition (in its guise as ISP TalkTalk) to the idea of "3 strikes and you're out", and the BPI's response of threatening court action. According to the Telegraph, CW received the following warning by fax from the BPI:

""... unless we receive your agreement in writing that within 14 days Carphone Warehouse will implement procedures set out above [bold added], we reserve our right to apply to court for injunctions and other relief without further notice to protect our members' rights."

Which leaves one wondering: WHAT procedures? Last Pangloss heard, negotiations were going on between the ISPA and the MPA as to a protocol for "progressive" discouragement of filesharing by eventual disconnection, but no agreement had been struck; certainly if the BPI has fomed a binding contract or even voluntary code of practice on similar lines with some or all UK ISPs, this is something the public should know about surely?

If, as seems more likely, no agreement exists, the BPI seem to be making some wrong assumptions about the remedies available to them. As it stand the common consensus is that ISPs are protected from liability for the actionable or illegal activity of their users unless they are shown to have actual or constructive knowledge of material they host fo rnusers (E Commerce Directive, Art 14). If the liability relates to the ISP's role as a mere conduit (Art 12) then ISP's are immune whether or not they receive notice. In all other circumstances, the BPI are limited merely to seeking an injunction against the ISP; although they are of course free to sue the actual users. "Other relief" - which can surely only be construed as implying either the imposotion of a filtering obligation or damages - does not prima facie seem to be available.

Of course in Ireland, also in apparent contradiction to both Arts 14 and 15 of the ECD, the music industry are currently attempting to impose an obligation to filter out pirate tracks on Ireland's biggest ISP, Eircom.Various Irish legal commentators notably TJ Macintyre and the unpronounceable Daithi McSigh have already pointed out the major policy and legal objections to such a claim. But it appears to be saber rattling season on both sides of the Irish Sea, presumably in anticipation of the consultation paper on 3 Strikes we are promised by BERR sometime between now and the autumn.


Talk Talk/CW themselves should not be regarded too quickly as heroes of the hour though. Remember Talk Talk is one of the ISPs already signed up for the currently rather controversial Phorm system. Since it seems unlikely UK ISPs are going to go down the 3 Strikes route without legislation, CW/TT have good PR to gain, and nothing much to lose, by speaking out against the BPI :)

On Phorm, matters currently appear to be running against the pioneering or invasive new ISP-level adware system (depending on your side of the fence.) The ICO amended their postition on Phorm yesterday after considerable pressure by inter alia, ORG and FIPR:

"Ad-targeting system Phorm must be "opt in" when it is rolled out, says the Information Commissioner Office (ICO)

European data protection laws demand that users must choose to enrol in the controversial system, said the ICO in an amended statement.

The decision could be a blow to Phorm which before now has said it would operate on an "opt out" basis.

The ICO will monitor the trials and commercial rollout of Phorm to ensure data protection laws are observed."

EDIT: there is a rather sensible comment on the Beeb site about the likely implications of opt-in for Phorm.

This statement, interestingly, still leaves untouched the question of whether Phorm is not only potentially in breach of DP law but an illegal interception of communications under RIPA. The ICO of course has an interest in surveillance, but does not oversee it; interception is technically supervised by the Interception of Communications Commissioner . Home Office communications have indicated they think Phorm legal in this respect, but other commentators such as Nicholas Bohm, differ.

MEPs condemn 3 strikes and you're out

Via Ray Corrigan and Cory Doctorow:

" Danny sez, "Last year, Euro Boing Boing readers wrote and called their MEPs to complain about European Union proposals advocating Internet filtering and blocking on behalf of the music industry. Not only were the amendments voted down, but now ninety MEPs from across the political spectrum have tabled a new text which condemns IFPI's plans to exile from the Net anyone they accuse three times of file-sharing:"
Calls on the Commission and the Member States to recognise that the Internet is a vast platform for cultural expression, access to knowledge, and democratic participation in European creativity, bringing generations together through the information society; calls on the Commission and the Member States, therefore, to avoid adopting measures conflicting with civil liberties and human rights and with the principles of proportionality, effectiveness and dissuasiveness, such as the interruption of Internet access.

(Translations into other EU languages here.)

"Among the advocates of the new language is Michel Rochard, the former Prime Minister of France. That's significant because present French PM Sarkozy is the only Euro leader currently seriously considering implementing IFPI's three strikes plan. With this kind of opposition, it looks like France might remain an anomaly, if it doesn't abandon the plans entirely.""

Wednesday, April 09, 2008

DP law and search engines

There is a truely remarkable amount happening right now on what one might very loosely call the "Web 2.0" privacy front. On top of the UK Byron report and the Ofcom report dealt with in last two posts to this blog, we also now have the EC Article 29 working party opinion on data protection issues related to search engines.

Very roughly, this report takes the long -expected, but not uncontroversial (especially if you're Google) stance that IP addresses are (mostly) personal data. This follows the view taken previously by the Art 29 WP in its WP 136 that"… unless the Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side". Basically even dynamic IP addresses can be connected to particular users given the cooperation of log-keeping ISPs. As such potentially all IP addresses must be viewed as "personal data".

It also argues that:

the Data Retention Directive (2006/24/EC) is clearly highlighted as not applicable to search engine providers. This is because Article 2 sub c of the Framework Directive (2002/21/EC), which contains some of
the general definitions for the regulatory framework over "electronic communications services", explicitly excludes services providing or exercising editorial control over content. Notably, earch engines both filter out illegal content, provide safe search, and respect no-robots text tags on sites, all functions search engines should continue to exercise.

Search engine providers must thus delete or irreversibly anonymise personal data once they no longer serve the specified and legitimate purpose they were collected for, and be capable of justifying retention and the longevity of cookies deployed at all times. The DRD is NOT an excuse to retain data for longer (as Google have previously claimed.) The WP recommended retention for no more than 6 months. Similarly, if search engine providers use cookies, their lifetime should be no longer than demonstrably necessary.

- the DPD does however clearly apply to search engines which deposit cookies on the machines of EU resident users, even if the search engine is based economically or physically outside the EU eg the USA.
European data
protection law also applies to search engines in specific situations, for example if they offer a caching service or specialise in building profiles of individuals based in the EU.

- on DP law, search engines generally fail to say exactly for what purposes they gather personal data of users. If it is used for purposes users might not reasonably have anticipated eg building profiles of users for advertisers, the search industry may be breaking DP law.

The WP also considered the new so-called "people search engines " such as PIPL and Rapleaf, which draw on data from a wide range of sites, often including blogs and SNSs as well as the general Web, to form indexed profiles of individuals. Such profiling may both reveal unexpected data, and throw up misleading correlations, and some have already drawn adverse comment. The WP emphasised that these sites "must have a legitimate ground for processing, such as consent, and meet all other requirements of the Data Protection Directive, such as the obligation to guarantee the quality of data and fairness of processing."

Pangloss is pleased to see this issue adressed: it provides a compulsory legal basis for what is emerging as good industry practice, namely (a) email the data subject whose profile is published (b) allow them to remove or correct or make private the data published. Of course we still need to make sites not based in the EU take notice of EU law. Eventually, what we desprately need is a technical fix, namely better multiple identity control - roll on the research into distributed identity management.

Updates : OxII Social Networking Conference, and Phorm

Pangloss had an interesting time at the OxII /Ofcom conference on Social Networking on Monday (7 April 08). I believe powerpoints and presentations will shortly be available on that site. The conference launched the Ofcom report on social networking which was partly produced to feed into the Byron report (see previous post on this blog). The report confirms with empirical evidence a number of common regulatory and legal assumptions about social networking - notable that "From Ofcom’s qualitative research it appears that concerns about privacy and safety are not ‘top of mind’ for most users" and "all users, even those who were confident with ICT found the [privacy] settings on most of the major social networking sites difficult to understand and manipulate."

What was slightly less predictable was that almost equal numbers of children and adults would equally fail (or not care enough to) use any privacy settings to safeguard their personal data (41% of children aged 8-17 who had a visible profile had their profile set so that it was visible to anyone, as compared to 44% of adults). Also interestingly, the report admits that while many respondents cited potential for abusive use of data revealed on SNSs, few examples of actual harm were in fact reported.

Pangloss's own view is that the report supports the view that protection of users - especially young users - on SNs s cannot be achieved solely by education of users - or "media literacy" - alone. Too many drivers - popularity, peer pressure, ignorance, inertia, technophobia, lack of incentive for SNS sites themselves to protect privacy, because advertising revenue is derived primarily from disclosure - drive SNS users towards unthinking disclosure, rather than rational protection of their personal data. In Pangloss's view , education of users needs supported by regulation (perhaps co-regulation) of SNS sites, in the form of code regulation that would minimise privacy harms. This will form the subject of a Pangloss paper coming real soon now :)

One of the prevalent themes of the conference (rather than the report) was how people use SNSs to further intimate relationships (oo er vicar). Apparently 6% of married Internet users first met their partners online. This seemed high to Pangloss, but it also includes people who met through chatrooms, IM and presumably, blog sites, although these were not name checked, as well as conventional dating sites. 20% of married Internet users admit to checking their partner's emails and 13% to having checked their browser history. Partners seemed to extrend similar levels of surveillance to each other. Pangloss wonders how many have worked out how to use passwords and Clear History commands.. (indeed how many couples share passwords - almost more intimate than sharing a joint bank account these days..)

Pangloss however had to take a pinch of salt at the persuasive man from Match.com who insisted on line dating was no different from off line dating, merely more effective. I felt forced to point out the clear difference is that there is a great deal more lying at the start of on line relationships than is possible in the real world..

Meanwhile in the world of commercial rather than interpersonal stalking, Simon Davies of 80: 20 passes this info on.

"80/20 Thinking is holding a Town Hall meeting on Phorm this coming Tuesday, 15th April, between 18.30 and 20.30 at the Brunei Gallery lecture theatre, SOAS, University of London.

Details are at http://www.8020thinking.com/events

Please do spread the word as much as possible. The meeting is open and free, but we ask people to notify us if they want to come so we can keep track of numbers. Again, those details are on the 80/20 page."

Sadly I can't go but I look forward to hearing about what emerges.

Wednesday, April 02, 2008

Someone Has Thought Of the Children, Honest..

Cogent post by Technollama on the insatiable hunger of the UK press for scare stories about the horrors of the Internet, especially re Facebook, MySpace, chatrooms, child porn etcetera.

All this furore has of course been partly whipped up most recently by the publication of the much-awaited Byron Report. Pangloss has not had time to read the Byron Report in full yet but was initially relieved that it seemed to have concentrated on "having a national strategy for child internet safety which involves better self-regulation and better provision of information and education for children and families" and not on further extension of the invisible upstream censorship model pioneered by the IWF and BT Cleanfeed to, eg, sites like Social networking sites SNSs), or online games; or types of content which are arguably harmful to children, but not illegal, such as adult sexual content (although read on for discussion of existing upstream filtering in schools and local libraries, and the consideration of extending a "child-safe" Internet to everyone, children and adults alike).

The main features of the Byron Report , beyond the usual calls for parental involvement, understanding that children know more about the net than parents, integration of e-safety into the school curriculum, and consumer and teacher education, seem to be:

(a) "better" ie more granular, classification of video, console and on-line games;
(b) refinement of our understanding of how offline laws apply to online content eg are suicide websites illegal?, and
(c) the creation of a one-stop shop for regulation child safety on the Internet issues, to be named the (slightly Orwellian) UK Council on Child Internet Safety, and run by Home Office and DCFS with help from DCMS, which will "lead the development of a strategy with two core elements: better regulation – in the form, wherever possible, of voluntary codes of practice that industry can sign up to – and better information and education, where the role of government, law enforcement, schools and children’s services will be key".

Reading further on gives us some idea of the key tasklist the Council is meant to undertake. This is a long and interesting list but these are a few items that stood out to me.

- making sure home computers are sold already loaded up with kitemarked parental control software (but not by default already switched on and fully functional - see 4.72)
- making sure search engines offer clear indications if safe search is on, and that these can be "locked on" by parents
- making sure 100% of schools and local services (computers in libraries and museums eg) to children have Becta accredited filtering services
- working with user generated content hosts (eg Facebook) to establish an independently monitored voluntary code of practice for the moderation of user generated content.

Despite all this the executive summary concludes with the following quote ;

"“Kids don’t need protection we need guidance. If you protect us you are making us
weaker we don’t go through all the trial and error necessary to learn what we need
to survive on our own…don’t fight our battles for us just give us assistance when we
need it

I feel, in my slightly confused position as a former specialist in child law and nowadays a specialist in Internet law, that we are getting mixed messages here. How are children going to go through "trial and error to learn" when they inhabit a world where parents can defer any parenting discussions on adult content to a kitemarked filter they don't understand enough to alter? Where school , library and museum access is 100% filtered? (And I have an acquaintance who runs the filters for a certain Scottish local authority 's schools - and I was mildly appalled by how far it filters beyond what is legally proscribed content.) Where their own version of their own real life on their own UGC sites is potentially censored? (As if they need to go to the Internet anyway to see teens engaged in nudity, sex, drugs and unsafe behaviour - they can just watch Skins .)

Less controversially, there is an interesting suggestion at 4.19 about how UGC or social networking sites might handle the tricky issue of moderation of content and legal liability. Many SNSs, hosts and ISPs have long argued that they cannot monitor/moderate illegal content and remove some, because they are then "on notice" for the whole site's contents, and will be liable for any illegal content they have let slip past (see Art 14 of the Electronic Commerce Directive and the ghost of the Prodigy doctrine.) Byron rather smartly observes that such risks might be minimised if a third party was used to audit the site and give notice to the host site only about material which definitely breaches the law, and which could then be removed, and adds a recommendation that "the Council explores the possibility of developing such arrangements to minimise the risks of liability for companies that take steps to make their products safer for children". Who PAYS for such third party auditing is not discussed :)

Byron also recommends that sites be encouraged to sign up to specific public commitments on take down times, which sites currently tend to avoid for fear of being deemed in breach of contract if they do not take down in time ; Facebook, eg, has already publicly guaranteed to take down on complaint, content containing "nudity, pornography,harassment or unwelcome contact" within 24 hours. This Pangloss approves of, having seen in her own empirical research, the very wide variation in take down times from hosts and ISPs according to variables such as size of organisation, type of content and type of organisation, and the uncertainty this can cause both hosts and users (MumsNet were reportedly forced into settlment re liability for allegedly libellous UGC , by not being sure if they had taken down "expeditiously").

Overall though, despite the odd mention (and I emphasise again my not having read whole report fully yet) there is a definite air about the report , as Jonathan Zittrain once put it, of it being "so 2005". What use will filtering requirements on schools , and parental control software be, when as will be true in about 5 Internet minutes, every child routinely accesses Facebook or Bebo on their way to school via their smart mobile phone?. The report itself admits that 37% of 11-16 year-olds already have access to the internet via a mobile (ChildWise 2008). Even if mobile phone operators are corralled as upstream supervisors as well (a voluntary code of concuce for mobile operators has existed since 2004, but Byron admits "it is difficult to establish the effectiveness of work in this area" - 4.109) what about wi fi accessed via their smartphones, IPod Touch or equivalent, on the school bus, in cafes, at friends' houses and at clubs? These issues are actually, praiseworthily, raised, with research commissioned to examine access outside the home (4.69) but in the end there is no solid recommendation of any serious way of how to deal with these impossibly difficult problems (4.106, 4.116,4.117).

There also seems to be a rather worrying supposition that SNSs are the domain solely of children. Bebo may be, but many are not. Recent research showed, rather amazingly, that in the UK as of September 07, the median age of a Facebook user was 34! (Pangloss herself is an FB user and er rather over that age :( Should a 34 year old be subject to a UGC moderation code which refuses to let him publish a tasteful non-illegal erotica picture of his girlfriend? I am not really sure. We are getting dangerously close to the famous ACLU v Reno No 1 case which asserted that , even in the interests of children, the whole of the Internet should not be reduced to the level of a "children's reading room".

Putting the job of censorship on to ISPs, host and SNSs rather than directly exercised by the state, does not make it any less censorship - it just makes it less transparent and less accountable. There is a slightly chilling discussion at 4.54ff of the idea of network (ISP) level blocking of all unwelcome content - ie blocking non illegal but non child friendly content to ALL USERS , by all UK ISPs - with the onus on, or choice by, over-18s to opt out of this blocking. The Report chooses to not go down this route for large numbers of very sensible reasons, but adds somewhat worryingly "this may need to be reviewed if the other measures recommended in this report fail to have an impact on the number and frequency of children coming across harmful or inappropriate content online." (4.60) This puts Technollama's suggestion that next we will see regulation of social networking sites positively in the shade..

In short, the Byron Report is a brave and largely non-tabloid-scare-oriented attempt to deal with a difficult problem. Much of the child developmental information in the first two chapters is excellent and it is very valuable to have it in one place in front of policy makers and lawyers' noses. But as far as as solutions go, one does have a feeling that it is perhaps not looking far enough ahead; because "far" on the Internet is usually not that far at all.