Thursday, June 24, 2010

gIKii Programme

Should have put up this sooner!! But read and weep if you're not going to be there..

Monday 28 June

09:30-5.30 Day One

9.30 Intro
9.45-11.15 Cloudy with a Chance of Legal Issues? Augmented and clouded platforms

  • Andres Guadamuz, "We Can Tag It for You Wholesale: Augmented Reality and the User-Generated World".
  • Martin Jones, "Human! We used to be exactly like them. Flawed. Weak. Organic. But we evolved to include the synthetic. Now we use both to attain perfection".
  • Miranda Mowbray, "What the Moai know about Cloud Computing: Stone-age Polynesian technology and the hottest trend in computing today".

11.15 Coffee

11.30-13.15 We.Vote, You.Gov, She.Lurks? Social networks, politics, participation

  • Lilian Edwards, "The Revolution will not be Televised: Online Elections and the Future of Democracy?"
  • Judith Rauhofer, "The Rainbow Connection - of geeks, trolls and muppets".
  • Caroline Wilson, "Is it Politic? Policy-makers' use of SNSs in policy-formation".
  • Hugh Hancock, "Stories for Laws: the narratives behind the Digital Economy Bill, which ones worked, and most importantly: why?"

13.15-14.00 LUNCH

14.00-14.20 Apres lunch entertainment: Ray Corrigan - Maths for the Terrified (and lawyers)

14.20pm-15.40 Rip, mix, share, tweet?: Current IP/ Music Issues

  • Dinusha Mendis, "If Music be the food of Twitter – then tweet on, tweet on . . . An evaluation of copyright issues on Twitter".
  • Nicolas Jondet, "The French Copyright Authority (HADOPI), the graduated response and the disconnection of illegal file-sharers".
  • Nicola Osborne, "Dammit! I'm a Tech (the "Services" or "Site") Punter (the "User" or "Member") not a Lawyer!"
  • Megan Carpenter, "Space Age Love Song: The Mix Tape in a Digital Universe".

15.40 Tea

16.00-17.30 pm Crime and Punishment Privacy

  • Andrea Matwyshyn, "Authorized Access".
  • Rowena Rodrigues, "Identity and Privacy: Sacred Spice and All that's Nice".
  • Andrew Cormack, "When a PET is a Chameleon".

19:30 Sponsored conference dinner.
The Apex City Hotel, 61 Grassmarket, EH1 2JF

Tuesday 29 June

9.30-11.00 Just Google It, Already!

  • Daithi Macsithigh, "What We Talk About When We Talk About Google".
  • Trevor Callaghan, "GOOGLE WANT FREND!"
  • Wiebke Abel, Burkhard Schafer and Radboud Winkels, "Watching Google Streets through a Scanner Darkly".

11.00 Coffee

11.15-13.00 Just Artistic Temperament? IP law and theory

  • Steven Hetcher, "Conceptual Art, Found Art, Ephemeral Art, and Non-Art: Challenges to Copyright's Relevance".
  • Chamu Kappuswamy, "Dancing on thin ice - Discussions on traditional cultural expression (TCE) at WIPO".
  • Gaia Bernstein, "Disseminating Technologies".
  • Chris Lever, "Netizen Kane: The Death of Journalism, Artificial Intelligence & Fair Use/Dealing".

13.00 Lunch

2.15-16.00 One World is Not Enough: law and the virtual / game

  • Simon Bradshaw and Hugh Hancock, "Machinima: Game-Based Animation and the Law".
  • Ren Reynolds (& Melissa de Zwart), "Duty to Play".
  • Abbe Brown, "There is more than one world...."
  • Michael Dizon, "Connecting Lessig's dots: The network is the law".

Huge news - You Tube wins on safe harbor vs Viacom

YouTube wins case against Viacom

"Today, the court granted our motion for summary judgment in Viacom’s lawsuit with YouTube. This means that the court has decided that YouTube is protected by the safe harbor of the Digital Millennium Copyright Act (DMCA) against claims of copyright infringement. The decision follows established judicial consensus that online services like YouTube are protected when they work cooperatively with copyright holders to help them manage their rights online.

This is an important victory not just for us, but also for the billions of people around the world who use the web to communicate and share experiences with each other. We’re excited about this decision and look forward to renewing our focus on supporting the incredible variety of ideas and expression that billions of people post and watch on YouTube every day around the world.

UPDATE: This decision also applies to other parties to the lawsuit, including the Premier League".

Commentary at TechDirt and hopefully, from me in next few days. This is big.

Thursday, June 17, 2010

A Day in Paris (Is Like a Year In Any Other Place.)

Pangloss just spent a very intense, very challenging day at the OECD Workshop on the Liability of Online Intermediaries, sadly curtailed by the need to rush off on a plane to Estonia (of which more anon). The idea was to kick off a major programme of work in this area and the great and good were assembled in force, with pithy comments and insights coming thick and fast.

Danny Weitzner, who was a fresh faced freedom fighter for the CDT when I first met him, transmogrified into a rising star at the WWW and MIT, and is now an adviser to Obama (ah, why doesn’t UK academe provide this kind of career path!) led the forces favouring, by and large, US-style industry self regulation, but noted that even in 1731, Benjamin Franklin had recognised the need for intermediary immunities by presenting an “apology for printers” (of the human, not inkjet, kind) lest they be persuaded by criticism to print only texts they were personally convinced by.

Peter Fleischer, chief privacy counsel for Google, made the political decidedly personal, by commencing his intervention on privacy and intermediaries with anecdotes about being a convicted criminal who could no longer enter Italy (prompting mildly irascible responses from various Italians trying to make it plain they were not exactly the new China). Gary Davis from Ireland, perhaps a tad controversially for a data protection deputy commissioner, noted that there seemed to be emerging agreement on trading personal data for free web 2.0 services, but the question was, how much data was too much data; and Bruce Schneier (no link needed!) created the biggest stir of the day (to Pangloss’s silent cheers) by mentioning almost casually that, at least in relation to security, he had never had much time for user education. An unnamed EU Commission person made the sign of the cross and quoted liberally from the EC’s Safer Social Networking principles. Lightning did not however smite the infidel Schneier.

Jean Bergevin, in charge of the EC Commission’s much delayed but upcoming review of the E-Commerce Directive (ECD) (expect a consultation soon) took ferocious notes and reminded those present that although copyright and criminal liability may steal the headlines, the exclusion of gambling from the ECD gives a case study of how these things pan out (clue: not well) when safe harbours for intermediaries are not in place. The response seemed to be for the actual gambling hosting websites to move safely offshore, leading to undue pressure from states against payment intermediaries, so as to starve the unauthorised gambling sites of funds; yet, on the whole, these strategies merely multiplied bureaucracy and were still unsuccessful, since the grey market found ways round them (as it did, I noted, when similar strategies were applied to stymie offshore illegal music sites like in Russia). Later Mr Bergevin finally enlightened me as to why the ECD excludes data protection and privacy from its remit, as famously was publicised during the Google Italy case; not some abstract academic justification, but just that “that belonged to another Directive”. Time to raise the issue of intermediary liability in the ongoing DPD reform process then, methinks?

My own main contribution came in the first scene-setting session, where Prof. Mark MacCarthy of Georgetown University kicked off discussion on whether the OECD (which is also soon to review its longstanding and much applauded privacy guidelines) could conceivably come up with similar global guidelines on intermediary liability acceptable to all states, all types of intermediaries (ISPs, search engines, social networking sites, domestic hosts, user generated content sites?) and all types of content related liability (copyright, trademark, porn, libel, privacy, security??)? Everyone agreed that once upon a time a rough global consensus on limited liability, based around the notice and takedown (NTD) paradigm, had been achieved c 2000, with the standout exception of the US’s CDA s 230(c), which provided total immunity to service providers in relation to publication torts, but which was seen in the EU at least as something of a historical accident.

Since then, however, twin pressures from both IP rightsholders seeking solutions to piracy, and states keen to get ISPs to police the incoming vices of online child pornography, pro-terror material and malware, had converged to drive some legislatures, and some courts, towards re-imposing liability on online intermediaries (graduated response laws and ISPs being one of the most obvious case studies) and even moving tentatively from a post factum NTD paradigm to an ex ante filtering duty (SABAM, some Continental eBay counterfeit goods cases, the projected Australian mandatory filtering scheme for adult content). While the “top end” of the market might sort its own house out in the negotiable world of IP without further regulation (see the protracted Viacom v YouTube saga, which could be seen as a very expensive game of blind negotiator’s bluff) other areas were (still) less amenable to self regulation.

Privacy was identified very early on as an outstanding example of this: getting sites like Facebook and Google, which live off the profits of selling their client’s personal data, to take the main responsibility for policing those clients’ privacy was, as one speaker said, like getting the wolf to guard the sheep. Ari Schwartz of the CDT interestingly noted the new-ish difficulty of getting businesses like Facebook to take responsibility vis a vis their own users for third party apps using their platform. Apple however were piloting a new model of responsibility by careful selection of apps allowed to use their platforms, while Google Android were doing it differently again (I want to come back to this fascinating discussion in a separate post).

My own points circled around the idea that increasingly, the current idea of “one size fits all” enshrined in the ECD does not really work; more in relation to types of liability though (copyright vs libel, for example, with very different balances of rights and public policy at work) than in relation to types of intermediaries (did search engines really need a special regime, of the kind the DMCA has and the ECD doesn’t, I was asked? My answer, given the fact that the two most troublesome EC Google cases – Italy and Adwords – have actually related to hosting not linking – was probably no (though that still leaves Copiepresse to sort out).)

However there was also room for thinking about different regimes for different sizes of intermediaries – small ISPs and hosts, eg, will simply crumble under the weight of any potential monitoring obligations, jeopardising both freedom of expression and innovation, while in a similar bind, Google can afford to build a Content ID system for YouTube which lets filtering become, effectively, a monetising opportunity. All this of course still avoided the main problem, of how complicit or “non neutral” (in the words of the ECJ Adwords case) an intermediary has to be in relation to illegal or infringing behaviour or content (cf eBay, YouTube, Google etc) before it should lose any special immunities. On that point, even the EU let alone the OECD is going to have to work very, very hard to find consensus.

Security provided the best example (and the best panel) of the day on how market-driven self regulation cannot always provide an optimum solution in the Internet intermediary world, given the prevalence of what became known by shorthand as “misaligned incentives”. Put simply, this refers to the situation where A causes harm to B (or to everyone) but does not suffer the costs of those harms themselves and so has no or few incentives to correct/avoid them. So one of the most obvious ways to reduce malware spread, botnet threats, etc would be to ask ISPs to monitor users on their networks, isolate them if they became apparently infected by malware, and refuse to allow them to rejoin the Internet until they had submitted to “decontamination” and perhaps mandatory reloading of anti-virus protection plus automatic patching. In fact however ISPs mostly don’t do this; partly because there’s no extra money in it for them, but rather a possibility of years of wearying customer care; partly because many ISPs still think (probably wrongly, the Prodigy years are over) that taking any active steps may lead to them being held legally liable to the customer or for bad content. The bad effects meanwhile are felt by (a) society and (b) sometimes though not always, the customer: so misaligned incentives all round. Notwithstanding this, we heard heartening tales of newly launched voluntary initiatives in Germany and Australia for local ISP industry to take part in isolation and decontamination – so hurrah for that, and let us hope the OECD takes this on board as an important if not “traditional” part of the intermediary liability issue.

(This was where the Bruce Schneier quote on user education came in – and I have to say I absolutely agree. If you want a safer Internet for all – a societal aggregate good of security - you do not leave complex choices to be made by domestic users, who not only don’t understand either the risks or the options, but will never be interested enough, or continually educated enough, to do so. But this is not the same as when you talk about privacy; which is primarily an individual not a social good, and where society views the individual making an informed choice as a key element of their autonomy as a subject of human rights. But talking about consent to giving up personal data on SNSs took us into the world of age verification for kids and its impact on privacy, an even nastier can of worms, and no-one’s going to convince me you can get kids to use anonymous digital signatures when it’s hard enough to persuade lawyers to do this).

In short, a day with so much to chew on, my jaw ached by the end. Very sorry I had to miss the last two sessions: if anyone reading has notes on any preliminary conclusions reached, I’d be pleased to see them. Thanks to Karine Perset of the OECD especially for organising the day. Meanwhile I hope myself to stay involved both with this OECD work, and the revision of the ECD; as I often say, watch this space.

Tuesday, June 08, 2010

The European Digital Agenda

Pangloss has finished her marking so things may now get back to some semblance of normal:)

It's a hard time, as ever, for the hardworking EU Internet lawyer to keep on top of developments. With the proposal for reform of the DPD due for the end of 2010 (which I have been very pleased to play a small part in lately as an international expert on the Impact report) and the moves towards ACTA hogging the headlines, less attention has been paid to the EU's new Digital Agenda programme: but on a quick look it is chock full of goodies. Pangloss's interest fell particularly on the Trust and Security section which promises:

  • in 2010 measures aiming at a reinforced and high level Network and Information Security Policy, including legislative initiatives such as a modernised European Network and Information Security Agency (ENISA), and measures allowing faster reactions in the event of cyber attacks, including a CERT for the EU institutions;
  • measures, including legislative initiatives, to combat cyberattacks against information systems by 2010, and related rules on jurisdiction in cyberspace at European and international levels by 2013;
  • Establish a European cybercrime platform by 2012;
  • Examine the feasibility by 2011 to create a European cybercrime centre;
  • Work with global stakeholders notably to strengthen global risk management in the digital and in the physical sphere and conduct internationally coordinated targeted actions against computer-based crime and security attacks;
  • Support EU-wide cyber-security preparedness exercises, from 2010;
  • As part of the modernisation of the EU personal data protection regulatory framework to make it more coherent and legally certain, explore the extension of security breach notification provisions;
  • Give guidance by 2011 for the implementation of new Telecoms Framework with regard to the protection of individuals' privacy and personal data;
  • Support reporting points for illegal content online (hotlines) and awareness campaigns on online safety for children run at national level and enhance pan-European cooperation and sharing of best practice in this field;
  • Foster multi-stakeholder dialogue and self-regulation of European and global service providers (e.g. social networking platforms, mobile communications providers), especially as regards use of their services by minors.

More than these named action items though, what is heartening is that after the usual litany of threats to the information society, of crime, spam, child protection issues, fraud and even cyber attacks, comes this:

The right to privacy and to the protection of personal data are fundamental rights in the EU which must be – also online - effectively enforced using the widest range of means: from the wide application of the principle of "Privacy by Design" in the relevant ICT technologies, to dissuasive sanctions wherever necessary.

It is good to see privacy given the same attention as security in a document of this kind, and it's something I'll be reporting to the CCDCOE Conference on Cyber Conflict in Tallinn next week when I speak of what law can and can't (or shouldn't) do in the fight against cyber attacks in Europe.

If you want to have your say in the Digital Agenda programme by the way, go here: the form appears to be open to all.

Friday, June 04, 2010

My Inaugural, encore

For those who wish, the audio recording plus slides of "Anti Social Networking" are now available.

Normal service will resume when the exam marking season is over :-)

ps I hope to sneak in an assessment of the new draft Ofcom Code on the DEA.