Wednesday, December 09, 2009

Facebook Privacy:: Fact or theory?

Xmas comes early for privacy advocates?!

The Register reports

"Facebook has ordered its 350 million users to sort out their privacy settings right now, before it throws the switch on its revamped security system.

The social networker farmer in chief Mark Zuckerberg, told its users last week that, "We're adding something that many of you have asked for — the ability to control who sees each individual piece of content you create or upload." He also promised a simplified privacy page.

..In today's warning, coinciding with the actual launch of the tools, Facebook promised its new Publisher Privacy Control would allow users to set a privacy setting for each piece on content they create.

The firm is also removing its "regional networks", in favour of four basic control settings: friends, friends of friends, everyone and customised.

This will be allied with an "easy, intuitive and accessible" privacy settings page."

Well, hmm, let's see - but Blogzilla. looks like we may finally have to rewrite that FB paper!

Of course in other news today, Sophos, who discovered 2 years ago that most FB users would revel their most private details to cartoon frog, found that 2 years on, relicating the study in Australia, ... well, nothing had really changed.

"The survey found that 46% of users in a fictional 21 year old's age group accepted the offered friendship, while 41% of a fictional 56 year old's peers did.

On Facebook once someone has been accepted as your 'friend' they can see more information about you, but you can still choose to hide information from those friends or limit it to specific groups amongst your online friends....

"Both groups were very liberal with their email addresses and with their birthdays," said Sophos head of technology in Asia Pacific Paul Ducklin. "This is worrying because these details make an excellent starting point for scammers and social engineers.""

Ah well, you can't have everything!

Something Different for the Midweek: Google and Criminal Liability

Yesterday Pangloss was very happy to have a guest lecture for her Internet Law class given by Trevor Callaghan, Managing Product Counsel of Google UK. Trev gave a hilarious lecture on the law relating to search and copyright, which conbined legal insight, practical tips, and social responsibility with some Glasgow humour that would have put Armando Iannuci of The Thick Of It fame to shame (albeit with (slightly) less swearing). I enjoyed it, lots, and i think the students did too.

Anyway, this all reminded me that actually quite a few things are going on I should be talking about as well as (or perhaps even in combination with) the Digital Economy Bill. One of these, which has received suprisingly little press (even wonderful OUT-LAW hasn't mentioned it since February) , is that right now, four Google executives - including Privacy CEO Peter Fleischer- are on trial - yes, criminal trial - in Italy, in relation to a short phonecam video made by some school children of a bullying incident involving a child with learning disabilities, and then posted on Google Video.

In Italy, it appears that libel and , possibly, infringement of privacy laws, can be a matter of criminal as well as civil law. Google took down the video on notice within a day of receiving an official complaint from a consumer group, although the video had been online for about 2 months before that. Italian prosecutors investigated for two years but then decided to proceed.

For Pangloss this seems a not very difficult case that ought to be easily decided under the EC E-Commerce Directive safe harbours in Art 14 and 15, as often discused in this blog. If these aren't implemented into Italian law, then it would seem Italy must be in breach of EC law itself. Google was clearly a host here, and Art 14 provides that such sites are protected from criminal liability for the activity of users of the service, unless they receive actual notice, and fail to take down expediently. This is a case about criminal liability so there is no need even to move to the second branch of Art 14 (which is far more controversial) and discuss whether Google should have known - ie had constructive knowledge - of the activity or content. Injunctions would have been relevant, despite the safe harbours, but these are not the issue as Google already took down straightaway on notice.

So why on earth is this case coming to trial? Pangloss is perplexed. One possibility as noted above is that simply that Italy's domestic law is in breach of EC law (in which case Google should have a Francovich claim for damages against the Italian government, though that may not be much comfort to the men awaiting trial.) Another possibility, though rather an unlikely one, is that the Italian prosecutors have confused the activities of Google as a search engine, with Google as a host. The ECD does not give search engines , or hyperlinkers , a special immunity from liability as it does hosts and "mere conduits" : though a number of EC countries have in fact decidd to extend such an immunity, either under Art 12 or 14, or both. However in this case case it seems pretty clear Google was a host not a hyperlinker in terms of liability. So, what on earth quid iuris?

Another remote possibility is that the suggestion is that Google as a provider of free services does not gain the benefit of the Art 14 safe harbour. This uncertainty has been around for a long time, since only providers of "information society services"(ISSPs) get the benefit of Arts 12-15 and that definition is of an online service "normally provided for remuneration" (see recitals 17 and 18). Yet majority opinion has long felt that this particular point is no obstacle to the likes of Google (or Facebook, or Hotmail?) claiming safe harbours.

First, while renumeration might not come directly from users, it certainly does come in the form of the adverts Google place alongside its services. Second, search services are certainly something that would "normally" be paid for if they weren't, happily, often provided for free: they are of huge commercial value . Thirdly, it seems a strange policy in terms of public interest which would discriminate against services of great public value provided for free, in favour of those given purely for direct consideration.

There is no clear ECJ ruling on this yet but there is likely to be soon: in the upcoming Adwords conjoined referrals to the ECJ (Google France v Louis Vuitton, etc), the Advocate-General has already given a preliminary opinion in which he found:
"There is nothing in the wording of the definition of information society services to exclude its application to the provision of hyperlinks and search engines, that is to say, to Google’s search engine and AdWords. The element ‘normally provided for remuneration’ may raise some doubts as regards Google’s search engine, but, as has been pointed out, the search engine is provided free of charge in the expectation of remuneration under AdWords. (68) Since both services are also provided ‘at a distance, by electronic means and at the individual request of the recipient of services’, they fulfil all the requirements necessary to be regarded as information society services."(para 131)
And for what it is worth, a roughly similar finding was reached, albeit obiter and with an admission of some possibility of doubt , in the recent English libel case of Metropolitan v Designtechnica, where Eady J opined: "it would appear on balance that the provisions of the 2002 Regulations [defining an ISSP] are apt to cover those providing search engine services." (para 84)

So what does that leave? Well there is perhaps a clue in the New York Times account.

"Google and the prosecutors agree the video was uploaded Sept. 8 and removed Nov. 7, 2006. The prosecutors presented evidence showing that in early October, a month before the video’s removal, there were comments posted saying that it should be taken down. One of those messages read, “This is shameful! This should be taken down immediately.”

“It is reasonable to imagine that comments like this were followed by requests by these same people that the video be removed,” the prosecutors wrote in the document they presented to the judge."

So when are such shocked responses or "requests", "actual notice" as required by Art 14? Do comments on a video hosting site cut it, as opposed to an official request for takedown? To put it another way: does a hosting service have a duty to read comments about videos posted by, and probably of interest only to, their creators and viewers? Surely not.

Compare the situation to the original world Art 14 was designed to deal with, that of web 1.0. If Demon Internet hosted a basic site for (let's say) Anglers Magazine, and it contained a chatroom where libellous remarks were made about particular fly-fishers, would Demon be expected to monitor that chatroom for explicit or implied requests to take down those comments? Again, surely not. It would be up to the aggrieved angler to send his request for take down direct to Demon. The whole point of Art 14 was to reassure host providers they had no need to monitor the activities of those to whom they provided hosting services. Not only would this involve huge expenditure of effort and cost, but it might also be privacy invasive and chilling of free speech. Art 15 states this absolutely explicitly:

"Member States shall not impose a general obligation on providers, when providing the services covered by Articles 12, 13 and 14, to monitor the information which they transmit or store, nor a general obligation actively to seek facts or circumstances indicating illegal activity."

Still another way to put this is to ask , what are the minimum requirements for notice? This is a perennial problem. The US DMCA largely gets it right, with a statutory form which requires a complainant to give clear details including their own address and status as rightsholder, and provides sanctions for false accusations. The ECD, being a EC wide framework, is hopelessly vague. The UK's own regs help a little but not much - there is no DMCA type statutory notice but Reg 22 of our E Commerce Regulations does state that

"In determining whether a service provider has actual knowledge ... a court shall take into account all matters which appear to it in the particular circumstances to be relevant [including] whether a service provider has received a notice through a means of contact made available in accordance with regulation 6(1)(c)" - ie, their official contact email address .

This stuff should be simple law (compared at least to issues like eBay and Louis Vuitton, Google and AdWords) but even it is not. The ECD deperately needs revised to get a few simple things right and harmonised across Europe: what form should "actual notice" take; what does "expediently" mean; what is constructive notice; when, if ever, can an obligation to filter proactively be placed on ISSPs; what immunities should search engines (and hyperlinkers and aggregators) have. Pangloss loves this stuff but even she is tired of writing the same stuff over and over again. It is time to review the ECD.

PS and in the interest of public policy but with just a hint of minx-itude, I have helped draft a proposed amendment to the Digital Economy Bill for ORG which would aim to clarify some of these very matters, at least for the UK. See you in the House of Lords! :-)

Friday, December 04, 2009

Predictions 2010

The SCl Journal is as usual publishing pithy predictions for next year from the great, good and garrulous in IT Law (though they don't seem to have asked me this year - sob!

The best so far of course is from the wonderful Jeremy Phillips:

From Jeremy Phillips, IP Consultant, Olswang LLP

* 'Three strikes' proposals, even if enacted, will be shown to be feeble, cosmetic inconveniences. What's more, downloaders will assert they have a right to two free infringements.
* The Ministry responsible for IP/IT will change its name, its role and its Minister.
* The aggregated figure for victims of Data Protection Act data leak will exceed the population of the UK.
* The government will proclaim that innovation is ‘key’ to the country's well-being while further restricting its exploitation and taxing it to death.
* Some people will continue to believe in Santa Claus, a flat Earth and the Manchester Manifesto.

I particularly love the second point. One wonders if it's like the professor for DEfense against the dark Arts in each harry Potter novel - each government reshuffle, a new incumbent and name for the department required!

Less funy, but equally to point and often overlooked as we focus on three strikes, data breaches and e-commerce:

"From Jaron Lewis, Partner, Reynolds Porter Chamberlain LLP

2010 will be the year that our pre-internet libel laws are kicked into shape. Legislation is expected to prevent publishers being sued over archived web content. We will also see a consensus forming over the introduction of more streamlined - and cheaper - procedures for resolving libel disputes. Finally, our libel judges will continue to make clear that those providing the web infrastructure - such as ISPs and search engines - should not be liable for defamatory content, even when they are on notice of a complaint."

Having taught Internet libel law, substantive and jurisdictional for almost 20 years now, I really hope we are going to see real change here on the UK's antiquated libel magnet laws - Metropolitan v Google, which Pangloss really should have found time to blog properly, isalso an especially heartening and sensible decision. It is just a shame the current review of the single publication rule (still open till Dec 16th) is not looking at place as well as time.

Finally although not a prediction or even legal I must leave you with my favourite quote of the week for everyone out there who spends their life glued to a keyboard:

from Ben Goldacre on Twitter:"if anyone needs me i'm flying to america tonight so i can kill everyone involved in writing and marketing microsoft word."

Tuesday, December 01, 2009

The Death of Public Wi fi: Grauniad

I decided to write up a user friendly version of the wi fi story for the Grauniad, as you can see here. Many thanks to Francis Davey, inter alia counsel for, who pointed out the difficulties of the word "agreement" in terms of defining a subscriber and an ISP in the Digital Economy Bill.