Saturday, December 31, 2005

Garda Traffic Surveillance - Privacy Implications for Motorists?

The Irish Times reports that the police are proposing to bring Automatic Number Plate Recognition (ANPR) to Ireland:
The computer will be installed in Garda Traffic Corps vehicles and is due to be introduced in the coming months, The Irish Times has learned.

The computer and camera system will allow for the instant reading and analysis of registration plates of all traffic passing a Garda car. The system will be linked to the Garda's Pulse computer database.

It means any vehicles which are not taxed or insured or which have been reported stolen will trigger a warning notice on an in-car computer screen.

A warning will also be triggered for cars which have not passed the National Car Test (NCT) or which have any other outstanding infringement.

This will allow gardaí to give chase and issue a fine to the motorist. It will also allow gardaí to instantly identify repeat offenders who have ignored previous fines and other sanctions and to put them off the road.

Currently, if gardaí want to check on a vehicle they must call their local station via in-car radio and ask a colleague to manually check the registration on the Pulse system. This is time-consuming and means only a small number of checks can be carried out.

Under the new system, 50 Garda Traffic Corps vehicles will be fitted with two small in-car cameras. One camera will face to the front of the vehicle and the other to the rear.

The two cameras will allow for instant analysis of registration plates of all vehicles passing in both directions, whether a Garda vehicle is moving or parked by the roadside.
This scheme raises many questions. Will the Gardaí have access to the name and address of every motorist passing by? (In the US, where systems like this have been in place for some time, it's common for police to look up the details of an attractive woman in a passing car - known as "running a plate for a date".)

Given that the vast majority of motorists scanned will be entirely innocent, what happens to their data? Will it be retained? If so, for how long? What privacy safeguards have been built into the system? Has legal advice been taken on the data protection issues of ANPR? Will this be a precursor to a much wider system?

ANPR has already been controversial in other countries - notably England - so there is no excuse if it turns out that the Gardaí and/or the Department of Justice have failed to consider these issues.

Friday, December 09, 2005

Last Chance to Fight EU Data Retention

Next Tuesday, the 13th of December, the European Parliament will vote on a Data Retention Directive. This proposes to extend data retention to the Internet, and will result in your ISPs logging every email you send, every web page you visit, and everything else you do online and storing that information for several years.

We urge you to email, fax or phone your MEPs as soon as possible to express your opposition to this measure, which will introduce mass surveillance of every man, woman and child in the EU.

As to what you should say, it is best if that comes directly from what you consider important. However, Privacy International and EDRI have adopted a position (which DRI has endorsed) setting out five key criticisms of the Directive. Feel free to copy and paste these if you wish.
1. This Directive invades the privacy of all Europeans. The Directive calls for the indiscriminate collection and retention of data on a wide range of Europeans’ activities. Never has a policy been introduced that mandates the mass storage of information for the mere eventuality that it may be of interest to the State at some point in the future.

2. The proposed Directive is illegal. It contravenes the European Convention on Human Rights by proposing the indiscriminate and disproportionate recording of sensitive personal information. Political, legal, medical, religious and press communications would be logged, exposing such information to use and abuse.

3. The Directive threatens consumer confidence. More than 58,000 Europeans have already signed a petition opposing the Directive. A German poll revealed that 78% of citizens were opposed to a retention policy. The Directive will have a chilling effect on communications activity as consumers may avoid participating in entirely legal transactions for fear that this will be logged for years.

4. The Directive burdens EU industry and harms global competitiveness. Retention of all this data creates additional costs of hundreds of millions of Euros every year. These burdens are placed on EU industry alone. The U.S., Canada and the Council of Europe have already rejected retention.

5. The Directive requires more invasive laws. Once adopted, this Directive will prove not to be the ultimate solution against serious crimes. There will be calls for additional draconian measures including:
* the prior identification of all those who communicate, thus requiring ID cards at cybercafes, public telephone booths, wireless hotspots, and identification of all pre-paid clients;
* the banning of all international communications services such as webmail (e.g. Hotmail and Gmail) and blocking the use of non-EU internet service providers and advanced corporate services.

Helpfully, we in Ireland are in a unique position to lobby our MEPs - because the Government has already stated it is so opposed to this particular draft that they will bring a case to the European Court of Justice to block it if the European Parliament approves it. Thus even MEPs from the Government Parties have no reason to support the proposed text in Tuesday’s vote.

It is not too late to stop this law: please join us by contacting your MEPs to say no to a surveillance society.

[Cross-posted from Digital Rights Ireland.]

Wednesday, November 30, 2005

Digital Rights Ireland Launches

Next Tuesday, December 6th sees the formal launch of Digital Rights Ireland, with a press conference in the Conference Room, Pearse St. Library, Dublin 2 at 11.00am. (Directions). We would like to formally invite you to come along - we'd welcome your support, and the chance to chat with you about your concerns after the main conference. Please feel free to invite anyone else who you think would be interested in digital rights.

Monday, November 28, 2005

Your personal information is for sale - Motorists edition

The Mail on Sunday headline says it all: "DVLA sells your data to criminals"
The Government is selling the names and home addresses of motorists on its drivers' database to convicted criminals, a Mail on Sunday investigation has revealed.

The Driver and Vehicle Licensing Agency (DVLA) tells would-be wheel-clampers there is "no problem" with them buying drivers' home addresses - even if they have a criminal record.

Indeed, the two bosses of one clamping firm on the list of companies to whom the DVLA is happy to sell drivers' details are currently serving seven years' jail between them for extorting money from motorists.

The Mail on Sunday has now forced the DVLA to hand over its list of 157 firms which can buy personal information about drivers at £2.50 a time. All the companies need do is tap in a registration plate, and back comes the full name and address of the vehicle's owners.

The dossier shows that details of millions of drivers have been made available to bailiffs, credit control companies, debt collection agencies, property management firms, leisure centres, solicitors - and even one of the world's biggest loan and financial services companies.

A number of other companies on the list appear to be dissolved or simply not to exist.

The revelations, which suggest that the DVLA is in flagrant breach of data protection laws, last night caused a storm of protest, with MPs demanding an immediate end to the practice.
In Ireland the bodies which hold this information are the motor tax offices of each local authority. Queries have to be made by letter, and they charge somewhat more per query at €6. The legal basis for disclosure is Regulation 23 of the Road Vehicle (Licensing) Regulations, 2003:
A licensing authority shall, upon application, supply particulars from the licensing records or the joint licensing records:
(1) upon payment of the relevant amount specified in the Third Schedule to these Regulations, to any person who satisfies the licensing authority that he has reasonable cause therefor
The Regulations don't define "reasonable cause", leaving this up to the judgment of the manager in the relevant local authority. There doesn't appear to be any particular system in place to vet applications for release of these details. There may be scope for an enterprising journalist to put in a freedom of information request to see whether any similar abuses have taken place over here.

Sunday, November 27, 2005

Introducing Digital Rights Ireland

I've been involved recently in helping to set up Digital Rights Ireland, a civil rights group which will focus on issues such as privacy and freedom of expression online. We're now working towards a launch, and as part of the pre-launch publicity I recently did a podcast interview with Tom Raftery.

The interview covered how DRI came to form, what our core beliefs are and where we'll be taking the campaign for online civil and human rights. You can listen to the mp3 of the podcast here:
http://www.tomrafteryit.net/everything-you-blog-is-false/

Monday, October 24, 2005

Your personal information is for sale - private eye steals information to track down victim of domestic abuse

Via The Register
A private detective was fined this week for unlawfully obtaining information relating to 'vulnerable women' from medical centres. Ray Pearson, a director of North London-based Pearmac Ltd, was prosecuted by the Information Commissioner’s Office.

Pearson also persuaded an employee from Her Majesty’s Revenue and Customs (HMRC) to hand over his Employee Identity Number, and then misrepresented himself in order to find out about a customer of HMRC.

The Office of the Information Commissioner adds details on further offences also committed by Pearson.

Appalling as this report is, the full story behind it is worse. Two of the cases involved will show why.

One of the people whose information was stolen, Ms. X, was a victim of domestic abuse. She had left her husband, taking her daughter with her, to start a new life. The husband hired a private eye to track her down. He, in turn, subcontracted the work to Pearson. Pearson decided to track Ms. X via her father. Knowing that her father was a patient of a particular medical centre, Pearson rang the centre pretending to be from the local health authority and stating that he needed to contact the father in relation to a prescription. The medical centre gave him the father's telephone number, taking him one step closer to tracking down Ms. X on behalf of her abusive husband.

Another victim, Ms. Y, had recently been a prosecution witness in a criminal case. She discovered that her friends and associates were receiving suspicious telephone calls. Her utility company also received suspicious calls, as a result of which some of her personal information was revealed. British Telecom was also called in an attempt to obtain personal information. Most seriously, her GP was contacted by a person pretending to be a psychiatrist, seeking access to her medical file. Inquiries by the Office of the Information Commissioner revealed that these phone calls all came from Pearson's premises.

Why do these cases matter? When we express concern about issues such as data retention the official response is often that "the innocent have nothing to fear". These cases prove the contrary - you do not have to have done anything wrong to have your personal information stolen by unscrupulous criminals. The more information stored on you, the easier it will be for these abuses to take place, and the more risk you may be put in as a result.

(The information on the two cases above was supplied by the Office of the Information Commissioner and is redacted to protect the identities of the victims.)

Monday, September 26, 2005

Your personal information is for sale - Social Welfare edition

The Sunday Times reports that civil servants have been caught snooping through the social welfare files of lottery winner Dolores McNamara:
Officials at the Department of Social and Family Affairs have discovered there were up to 150 hits on McNamara’s welfare files after she scooped the EuroMillions prize. Departmental managers are now asking civil servants to explain why they opened her records.

While a small number of staff may have genuine reasons, it is believed the majority did not and could have broken data protection laws and department rules. Civil servants face disciplinary action or even criminal prosecution if they cannot show good cause for accessing the Limerick woman’s details.

The investigation was ordered after McNamara’s social welfare history was reported in detail by the media. The amount of social welfare payments she supposedly received, including specific dates, were published. The figures and dates, if correct, suggested the information could only have come from someone extremely close to her, or from someone with access to her social welfare records.
Presumably some civil servants were browsing her records for their own curiosity: but obviously some have realised that there's money to be made by selling information to the media. This isn't the first time that this has happened in Ireland, prompting the question: why should we trust the Government on data retention when they are incapable of protecting the personal information which they already have?

Thursday, July 14, 2005

Tackling spam - some freedom of expression problems

Wendy McElroy explains that new US anti-spam / child protection laws could criminalise perfectly ordinary email mailing lists, while attempting to comply with the laws will involve handing a list of recipients over to the government for vetting:
Both Utah and Michigan have created a 'child protection registry' for email addresses that belong to children or to which children have access. It functions like a 'no call list.' Spamfo.co explains, 'Once an email address is on the registry, commercial emailers are prohibited from sending it anything containing advertising, or even just linking to advertising, for a product or service that a minor is otherwise legally prohibited from accessing, such as alcohol, tobacco, gambling, prescription drugs, or adult-rated material.' In short, e-newsletters (such as ifeminists.net) are not permitted to send to registered email addresses if those newsletters include URLs to news sites that, in turn, link to child-inappropriate commercial information or products such as casino or viagra ads, tobacco or alcohol for sale.

Many credible news sources -- especially British ones, it seems -- offer links to adult-themed sites or products. These links can change constantly, which means that it is impossible to check a URL and 'clear' it of so-called objectionable links or ads.

Moreover, e-mailing to registered addresses is illegal even if the newsletter was requested, and the legal penalties for doing so are imposed without notifying the offender so that he/she can rectify the situation. What are those penalties? To quote Prof. Mitchell again, 'Under these laws...that email sender faces strict liability which can include up to 3 years in prison, and fines of $30,000 or more. In addition, ISPs and the individuals whose email addresses are on the registry have a right of action against the sender, as does the state attorney general.'

The only protection is for the emailer to make sure that a particular address is not 'illegal' by matching his/her mailing list against the registries. That process requires at least two things that I am unwilling to do: 1) turn my mailing list over to the government; and 2) pay a per-address fee.
There's more on these new laws from Declan McCullagh at News.com.

Linking as copyright infringement?

From ZDNet Australia:
It took almost two years but major record labels in Australia have finally won a legal battle against a Queensland man and his Internet Service Provider for alleged music piracy.

Stephen Cooper, operator of the mp3s4free Web site, was found guilty of copyright infringement by Federal Court Justice Brian Tamberlin.

Although Cooper didn't host pirated recordings per se, the court found he breached the law by creating hyperlinks to sites that had infringing sound recordings.
More analysis at The Register.

Saturday, July 09, 2005

Your personal information is for sale - Mobile phones edition

The Washington Post reports on the open sale of mobile phone (cell phone) records in the US. Excerpt:
Think your mate is cheating? For $110, Locatecell.com will provide you with the outgoing calls from his or her cell phone for the last billing cycle, up to 100 calls. All you need to supply is the name, address and the number for the phone you want to trace. Order online, and get results within hours.

Carlos F. Anderson, a licensed private investigator in Florida, offers a similar service for $165, for all major telephone carriers.

"This report provides all the calls with dates, times, and duration on the billing statement," according to Anderson's Web site, which adds, "Incoming Calls and Call Location are provided if available."

[...]

Such records could be used by criminals, such as stalkers or abusive spouses trying to find victims.

[...]

"Information security by carriers to protect customer records is practically nonexistent and is routinely defeated," said Robert Douglas, a former private investigator and now a privacy consultant who has tracked the issue for several years.

Experts say data brokers and private investigators who offer cell phone records for sale probably get them using one of three techniques.

They might have someone on the inside at the carrier who sells the data. Spokesmen for the telephone companies said strict rules prohibiting such activity make this unlikely. But Joel Winston, associate director of the Federal Trade Commission's Financial Practices Division, said other types of data-theft investigations have shown that "finding someone on the inside to bribe is not that difficult."

Another method is "pretexting," in which the data broker or investigator pretends to be the cell phone account holder and persuades the carrier's employees to release the information. The availability of Social Security numbers makes it easier to convince a customer service agent that the caller is the account holder.

Finally, someone seeking call data can try to get access to consumer accounts online.
I've written before about similar problems in Ireland.

Thursday, July 07, 2005

Your personal information is for sale - Russian edition

There's a fascinating story in the Globe and Mail about the sale of personal data in Moscow. Excerpt:
"What do you need?" he says. "We have everything."

In Moscow these days, among people who deal in stolen information, the category of everything is surprisingly broad.

This Gorbushka vendor offers a hard drive with cash transfer records from Russia's central bank for $1,500 (Canadian). The information was reportedly stolen by hackers earlier this year and purchased by companies looking for details about their competitors. Such information, the vendor admits, is fairly specialized. A more popular item is tax records, including home addresses and declared incomes. The vendor asks $215.

Russians routinely lie about their earnings to avoid taxes; nonetheless, an increasing number of criminals are relying on pirated tax information to help them choose wealthy targets.

When gunmen broke into the gated home of Mikhail Pogosyan, head of Russian aerospace giant Sukhoi, in a brazen robbery last week, the businessman immediately blamed the proliferation of his personal details on the black market.

"Before, robberies of such people happened very seldom, just by chance," says a Sukhoi spokesman, Alexei Poveschenko. "Criminals preferred not to deal with VIPs, but now it's different. On every corner you can buy a database with all kinds of information: income, telephones, cars, residence registration."

[...]

At the Gorbushka kiosk, sales are so brisk that the vendor excuses himself to help other customers while the foreigner considers his options: $43 for a mobile phone company's list of subscribers? Or $100 for a database of vehicles registered in the Moscow region?

The vehicle database proves irresistible. It appears to contain names, birthdays, passport numbers, addresses, telephone numbers, descriptions of vehicles, and vehicle identification (VIN) numbers for every driver in Moscow.
via Semantic Bits

Wednesday, July 06, 2005

High Court to hear application for disclosure of filesharer's identities

The application for disclosure will be held this Friday (8th July). The hearing is open to the public, so feel free to come along if you're interested in learning more about the privacy / online anonymity / data protection issues.

The case (2005 2014P EMI RECORDS IRELAND LIMITED V EIRCOM LTD) is in the Commercial List so it should be before Mr Justice Kelly in Court 9 (in the main Four Courts building) at 10.30.

From the Irish Times (subscription only):
The High Court was told yesterday that Eircom and BT are not opposing the "substantive" proceedings by four music companies aimed at securing the names of persons who have uploaded thousands of music tracks onto file-sharing networks.

The proceedings could lead to actions for damages being brought against those persons.

Yesterday, while not opposing the action, John Gordon SC for BT Communications Ireland Limited said he wanted to make submissions as to how the court should exercise its discretion regarding the form of order in the case. It is believed those submissions will relate to how the rights of the music companies should be balanced against consumers.

[...]

Mr Gordon said he proposed to file an affidavit by tomorrow for the purposes of assisting the court as to how it should exercise its discretion in the matter.

His client was not opposing the proceedings, but believed the submissions would assist the court in exercising its discretion in the correct manner in relation to how consumers were affected.
Edited to add: ENN reports on this story also.

Tuesday, June 28, 2005

Digital search and seizure

There's a grey area around police powers to compel intermediaries such as ISPs to hand over digital evidence. In both Ireland and the UK, though, the issue seldom arises because most ISPs seem to be happy to give voluntary cooperation, avoiding the need for the police to rely on their compulsory powers. However, this strategy falls down when an intermediary decides not to play ball, and the seizure of Bristol Indymedia servers illustrates the problems that result.

An Indymedia press release gives the background:
On Mon 20th June, Bristol Indymedia (IMC Bristol) received an email from the police asking to contact them with reference to a posting on the IMC Bristol newswire. IMC Bristol volunteers appointed a solicitor and started briefing them to contact the police on their behalf. On Tue 21st June, the police contacted an IMC Bristol volunteer asking for IP logs. The subject of the police enquiry was a posting claiming that damage had been done to either some cars on a train transport, the transport itself, or the railway line.

Bristol Indymedia volunteers hid the post (originally posted late in the evening of 17th June) from their main newswire within 24 hours of it being posted - as it violated IMC Bristol editorial policy - and well before the police made initial contact.

When the solicitor contacted CID on the 21st to inform them that they could not have the server, or access to it, the police said that they could go through data protection and legal moves to get the logs or get a search warrant, and that they may arrest somebody for obstructing the course of justice.

At this point, an IMC Bristol volunteer informed IMC UK about the events. IMC Bristol then contacted Liberty, whose legal advisor contacted the police to press them on the issue that this server was considered an item of journalistic equipment and so subject to special provision under the law. The police have yet to confirm this. NUJ and Privacy International have also been contacted.

As of 24th June 2005, IMC Bristol remain in possession of their server. Communications with the police, and between various legal and civil rights organisations continue while technical and legal issues surrounding the case are clarified. Bristol Indymedia is an independent news service. As part of our policy, we will not make non-public information we hold publicly available. We do not permanently store IP addresses. We do not intend to voluntarily hand over information to the police as they have requested, and have informed them of this.
The police response came shortly afterwards and on June 27th the server was seized. From the Register:
Police seized a server used by Indymedia, the independent newsgathering collective, from the Bristol home of a member of the group after issuing a search warrant on Monday. The raid is the second time within the last year that an Indymedia server has been seized in the UK.

Officers also took the unnamed Bristol collective member in for questioning, and seized a PC, in an incident that has already provoked a huge row. The action happened despite the intervention on Indymedia's behalf by justice group Liberty whose lawyers advised police that the server was "considered an item of journalistic equipment and so subject to special provision under the law".
Despite this reference to a person being "taken in for questioning", later reports indicate that the owner of the server has in fact been charged with incitement to criminal damage. Analysis and insightful comment at Spy Blog, which points out that:
It is not unheard of for malicious people to post something illegal or controversial to an open discussion forum and then to complain to the authorities that the administrators of the discussion forum are doing something illegal [...] For the British Transport Police or any other UK Police force to ignore the National High Tech Crime Unit's guidelines on "minimal disruption" to multi-user networked computers during legal evidence gathering or investigations, is a disproportionate abuse of power [...] There is no justification for the "collateral damage" caused by the seizure of an online server in order to attempt to identify the IP address of a single poster.
It's hard to understand why the owner of the server was arrested, but this comment from Spy Blog seems about right:
Initially the Bristol IMC volunteer was a potential witness, either to incitement to criminal damage (the offending item argued that damaging cars was legitimate political protest), or to the statement made by the poster that they had committed the damage. Now the volunteer is a suspect. Maybe the BTP [British Transport Police] allege that the suspect incited criminal damage by failing to delete (it was hidden from the newswire but not deleted) the offending post when it came to their attention. Or maybe the arrest was an act of spite when Bristol IMC quite reasonably told the police to go away and get a warrant.
London Freelance discusses the journalistic privilege issues:
When the police contacted them, BIM called the NUJ and civil liberties organisation Liberty, who argued that demanding information from Indymedia requires a special warrant to obtain journalistic material under the Police and Criminal Evidence Act 1984. Asked about this, a British Transport Police spokesperson said "A warrant was obtained; I don't know the details. ... Website server - I don't know if you could describe it as journalistic material?" They later clarified that "We obtained a Section 8 [PACE] Warrant after discussing with the Crown Prosecution Service who said we didn't need a Section 9 / Schedule 1 [journalistic material] warrant." Section 8 warrants cover evidence-gathering except where privileged, excluded (that is, confidential or medical) or "special procedure" (that is, other journalistic) material is involved.
Two brief comments. First, there is a specific English law (the Regulation of Investigatory Powers Act - RIPA) on point and this situation seems to fall under Part I, Chapter II of that Act (access to communications data). Objectionable though RIPA might be, it does provide some safeguards. It becomes useless, though, when the police can evade those safeguards by falling back on an ordinary search warrant. Second, it's certainly true that Indymedia is being treated less favourably than other media organisations, perhaps in an attempt to harass or shut down its operations. As commenters on the Indymedia site note:
The point is whether or not the seizure of the server is justified. I really don't think that should a letter be written to the Times about such behaviour the police would seize all copies of the Times, or their computers.
The seizure of the Indymedia Bristol server illuminated deficits in the law. Laws protecting journalists were drafted with mainstream news organisations in mind, so they cannot cope with media collectives. Whilst the police might well have had good reason to investigate the claims made on Indymedia Bristol's web site, by effectively shutting down the whole operation the police have acted insensitively and have used rather extreme methods, especially when Bristol IMC have been far from uncooperative.

Sunday, June 26, 2005

(Yet) Another argument against ID Cards

From the Independent:
Ministers plan to sell your ID card details to raise cash

Personal details of all 44 million adults living in Britain could be sold to private companies as part of government attempts to arrest spiralling costs for the new national identity card scheme, set to get the go-ahead this week.

The Independent on Sunday can today reveal that ministers have opened talks with private firms to pass on personal details of UK citizens for an initial cost of £750 each.

[...]

The opening of commercial talks contradicts a promise made when the Home Office launched a public consultation on ID cards in April last year, when officials pledged that "unlike electoral registers, the National Identity Register will not be open for any general access or inspection."

[...]

In addition, firms could be charged up to £750 for technology that would allow them instantly to verify customers' identity through iris scanning or finger-printing, according to official documents.
Update: Ministers are denying that personal information will be for sale, but admit that they will establish and charge for a system giving private companies access to the ID card system. From the Telegraph:
Ministers denied a report that personal details of all 44 million adults in the country could be sold to private companies as part of Government efforts to curb the cost.

But the Home Office admitted that there would be a "mechanism" for companies to check that an ID card was genuine and that people were who they said they were.

Officials said the details of the mechanism were still being worked out. There would be a fee but it would be "nowhere near" the £750 claimed by The Independent on Sunday.

Tony McNulty, the immigration minister, said it was nonsense to suggest that the Government intended to sell information on the ID cards register and had opened talks with private companies.

"The Government has no plans whatsoever to sell individuals' details to private companies," he said. "The legislation we have introduced to set up the scheme will ensure that the ID cards database will be secure and confidential. Private companies will not have access to the information held on it and any unauthorised disclosure will be a criminal offence."

Thursday, June 23, 2005

Your personal information is for sale - Indian edition

BBC News reports:
Police are investigating reports an Indian call centre worker sold the bank account details of 1,000 UK customers to an undercover reporter.

The Sun claims one of its journalists bought personal details including passwords, addresses and passport data from a Delhi IT worker for £4.25 each.

City of London Police is investigating after receiving files from the paper.

Tuesday, June 21, 2005

ISPs told "Hand over names if you want to license our content"

Constitutional Code (Rik Lambers) has an interesting post illustrating the incentives facing ISPs asked to disclose customer names:
During a seminar on "online piracy" in the Netherlands last week a representative of Warner Home Entertainment made it clear that Internet Service Providers won't get movie content licensed, unless they provide the identifying information of their customers on demand.

Data Retention Reaches the US - Or Does It?

Orin Kerr is skeptical about the reports that the US Department of Justice has decided to push data retention:
What is the evidence that times have changed, and that now DOJ is "quietly shopping around" this "explosive" idea? As best I can tell from Declan's story, it is this and only this: A few weeks ago, at a Holiday Inn in Alexandria, Virginia, unnamed Department of Justice employees, apparently from DOJ's Child Exploitation and Obscenity Section (CEOS), mentioned the possibility of mandatory data retention requirements in a meeting with some ISP representatives.

Who are these DOJ employees, though? CEOS does not have any high-level policy makers, as far as I know. It is a section consisting entirely of career prosecutors. No one at CEOS has the authority to opine on such an enormous and controversial question except entirely in his personal capacity. And the chances that DOJ would decide to "shop around" such a high-profile proposal using career lawyers meeting at a Holiday Inn seem a bit far-fetched.

If I had to guess, I would imagine all that happened in this meeting was that a random career lawyer at DOJ had been wondering about data retention, and decided to discuss it as a possibility in a meeting despite DOJ policy to the contrary. Or perhaps the lawyer foolishly tried to raise the possibility as a threat to push ISP representatives to think more seriously about voluntary data retention. Either way, DOJ has not changed its policy at all. Is it possible that there is more to the story than that? Yes, but on the whole it is quite unlikely.
He's certainly well placed to make this assessment. From his bio, he was a trial attorney in the Computer Crime and Intellectual Property Section of the Criminal Division at the U.S. Department of Justice, and his publications suggest that he still has good contacts with his former colleagues in the department. Having said that, the story is still of concern until there's an official denial on the table.

Saturday, June 18, 2005

Data Retention Reaches the US

Disturbing news from CNET, which reports that the US government has executed an about turn and decided to push data retention:
Justice Department officials endorsed the concept at a private meeting with Internet service providers and the National Center for Missing and Exploited Children, according to interviews with multiple people who were present. The meeting took place on April 27 at the Holiday Inn Select in Alexandria, Va.

'It was raised not once but several times in the meeting, very emphatically,' said Dave McClure, president of the U.S. Internet Industry Association, which represents small to midsize companies. 'We were told, 'You're going to have to start thinking about data retention if you don't want people to think you're soft on child porn.''

McClure said that while the Justice Department representatives argued that Internet service providers should cooperate voluntarily, they also raised the 'possibility that we should create by law a standard period of data retention.' McClure added that 'my sense was that this is something that they've been working on for a long time.'

This represents an abrupt shift in the Justice Department's long-held position that data retention is unnecessary and imposes an unacceptable burden on Internet providers. In 2001, the Bush administration expressed "serious reservations about broad mandatory data retention regimes."

The current proposal appears to originate with the Justice Department's Child Exploitation and Obscenity Section, which enforces federal child pornography laws. But once mandated by law, the logs likely would be mined during terrorism, copyright infringement and even routine criminal investigations. (The Justice Department did not respond to a request for comment on Wednesday.)
It's hard to know where to begin assessing this development. But a few points strike me immediately.

First, the reference to "voluntary" retention coupled with a standard period set by law echoes the UK proposals for voluntary retention, and is likely to be rejected in the industry in exactly the same manner. The UK response made it clear that ISPs shuddered at the commercial implications of voluntary retention, seeing it as hugely expensive and likely to lead to customers defecting to other, more privacy friendly ISPs.

Second, the data retention period sought by the Justice Department is two months. This immediately undercuts the claims by the Council of Justice and Home Affairs ministers that a period of up to three years is essential. Perhaps our representatives would now like to explain to us how they can seek such an extravagant period when the US apparently considers it unnecessary.

Third, the US already has a federal data preservation* law, which allows "a governmental entity" to require an ISP to preserve data in their possession for up to 90 days. To justify a data retention law, it would have to be shown that the data preservation rules were ineffective. Where's that evidence?

Fourth, note the distasteful threat from the DOJ: "You're going to have to start thinking about data retention if you don't want people to think you're soft on child porn". As with other data retention proposals, the justification is essentially emotive, with references to the headline grabbing subjects of child pornography and terrorism. But, as the article correctly points out "once mandated by law, the logs likely would be mined during ... even routine criminal investigations".

Fifth, as with data retention on this side of the Atlantic, policy is being made in secret with the public excluded. If the DOJ is confident in the merits of its proposals, perhaps it might try to sell them to the public rather than trying to strong-arm ISPs in private.

Finally, the attempt to obtain "voluntary" cooperation represents a continuation of a worrying trend. The US government, amongst others, has noticed that it can evade pesky constitutional restrictions such as probable cause by "outsourcing" certain activities to private actors who aren't subject to the same restrictions. These data retention proposals have the same air about them. A federal data retention law would face public scrutiny and opposition, a stiff fight through Congress, judicial review, and would likely be found unconstitutional. Hence the attraction of cooperation from ISPs, which would enable the government to achieve indirectly that which it could not do directly, and all without any public fuss. This is good for the government, perhaps, but bad for democracy and the rule of law.

________________________________

*The distinction between data retention and data preservation is explained by the Canadian Department of Justice here:
What is data preservation and how is it different from data retention?

It is important to distinguish between data preservation and data retention. As proposed in the consultation paper, a data preservation order would require a service provider to keep existing data of a specific, identified individual who is identified by the courts as the subject of an investigation and not delete it for a specified period of time. This would ensure that information vital to an investigation is not deleted before the police can obtain a search warrant or production order to access the specific data.

Data retention, on the other hand, involves the collection of data from all users of a communication service - regardless of whether or not they are subject to an investigation.

Tuesday, June 14, 2005

The curious legal status of .uk and .ie

From The Register:
The company that runs the UK's Internet registry is not officially recognised by the government and as such has no right to decide what should be done with the millions of domains that it sells each year.

That at least is the claim of Ben Cohen, former owner of iTunes.co.uk, who lost ownership of the domain to Apple in March after a ruling by an independent expert hired through Nominet's domain resolution process.

Cohen has been decrying Nominet since the decision and made a variety of legal threats over the decision. However he recently discovered that he was not able to take the actual decision made against him to the High Court for Judicial Review because of Nominet's peculiar status.

Following questions made under the Freedom of Information Act, the government was forced to state that there is "no formal relationship or written agreement" between the UK government and Nominet. As such, it is not a public body and so is subject only to the usual laws covering UK companies.

Cohen argues that this status is misleading since representatives from government bodies have permanent seats on Nominet's Policy Advisory Board (PAB). The government also accepted that this situation does not exist for any other company.

[...]


"At no point has there ever been a statutory or official recognition by the Government of Nominet's position as the sole issuer of .uk domain names to the public.

"The status of Nominet is important because their dispute resolution service acts in a quasi-Judicial manner in deciding who should lay claim to a domain name when a dispute arises. CyberBritain was planning on taking the decision made on the 10th March to the High Court for Judicial Review. However, this course of action is only open to review decisions made by public bodies.

"Nominet have always claimed to us that they are on the one hand officially recognised by the Government but not a public body, meaning that their decisions would not be subject to Judicial Review. In my mind, this is a paradox as an official or statutory recognition of an organisation to administer what is in effect a public service would generally be subject to Judicial Review. This certainly would be the case with decisions made by Ofcom who regulate telecommunications and television.

"If Nominet have no official recognition (despite civil servants being on their Policy Board) then all domain names issued by them are placed in jeopardy."

Nominet is not impressed with this logic.

"Mr Cohen has continued to threaten legal action in the press and in private, but no proceedings have ever been issued. Nominet has repeatedly explained to Mr Cohen that we believe that he has no basis for suing us and that the particular type of litigation he was threatening (called "Judicial Review") was totally inappropriate because Nominet is not a Government body.

"Nominet is not a Government body and has never claimed to be. We state on our website that we are 'officially recognised' and we explained the meaning of this to Mr Cohen previously.

"The Dispute Resolution Service forms part of the contract we have with registrants of .uk domain names and is enforced as a matter of contract law. We have told Mr Cohen this, and have never tried to suggest that Nominet's Dispute Resolution Service (DRS) is 'quasi-judicial', statutory (i.e. in an Act of Parliament or similar) or Government-backed."
Much the same problem exists in relation to the .ie domain registry which carries out a public function without any legislative or regulatory underpinning. Their FAQ addresses this point, but in a way which raises more questions than it answers:
6. What exactly is the IEDR - is it a statutory body, is it a semi-state, is it part of UCD, is it some kind of public service or is it just a monopoly like, say, the ESB?

6. The IEDR's origins are in UCD but since July 2000 it's been a private company, limited by guarantee. It has no shareholders; the company is owned by its members, who are the directors. Surpluses are not distributed; they are added to opening reserves. Directors, as per the company's constitution, do not receive fees or emoluments. Only the IEDR can administer .ie - which it does as a public service - but it is not a monopoly in the sense that anybody in Ireland, or elsewhere, can register from a choice of approximately 250 different national and generic TLD names. The IEDR works closely with national and international governments, governing bodies, trade associations and abides by Internet best practice principles while still operating as an independent private company.
The E-Commerce Act 2000 allows (in section 37) the government to regulate the .ie TLD - however this has yet to be done, despite Ministerial promises that the .ie domain will eventually be regulated by ComReg.

You might well ask - so what? As long as the .ie domain functions, why should lawyers nitpick about its legal foundations? The narrow answer is that there have been many complaints about the governance and transparency of the IEDR, including allegations that it is still dominated by UCD (from which it is an offshoot), all of which ultimately have their origins in the lack of a proper legal basis for the registry.

More widely, though, as a matter of principle where a body controls a public asset (the .ie domain), is exercising a public function, and has its origins in the public sector, it should be subject to rules of public oversight (such as the Freedom of Information Act and judicial review). Instead, the IEDR currently exercises a state-sanctioned monopoly without any real oversight.

Update (17/6/05): Ben Cohen has decided to proceed with the judicial review. Stay tuned to see whether the English courts will accept jurisdiction to judicially review decisions of Nominet.

Update (5/8/05): The judicial review application was rejected - but it's not clear whether the court considered whether Nominet was subject to judicial review. According to Out-Law:
the judge noted that the application was flawed in several respects, being both late and unnecessary given the right of appeal which forms part of Nominet's Dispute Resolution Service, which Mr Cohen had failed to use.

This suggests that the application was rejected on a procedural basis (delay and failure to exhaust remedies) rather than on the substantive ground that Nominet was not a public body.

Wednesday, June 08, 2005

Morris Tribunal learns pitfalls of security through obscurity

The Sunday Times (free reg. required) has an interesting story illustrating official ignorance of basic information security:
Tribunal hacker 'was in press agency building'
Stephen O’Brien

THE Press Association of Ireland was threatened with heavy fines and jail sentences by Justice Frederick Morris last week after revealing that it had gained access to his report on garda corruption in Co Donegal before the official launch.

The wire service, the Irish arm of the London-based Press Association (PA), was suspected of hacking into the tribunal’s website to obtain the report. Michael McDowell, the justice minister, claimed that more than 350 separate attempts were made to overcome internet security measures guarding a web version of the report, forcing the authorities to release it earlier than planned.

McDowell did not say who was responsible, but The Sunday Times has established that the “hacking” was traced to PA’s building in Harcourt Street, central Dublin.

Morris, a former High Court president, told journalists at the wire service that he would prosecute anyone who published his report before its official release for obstructing or hindering the work of the tribunal, an offence carrying up to €12,700 in fines and up to two years in prison.

The judge wrote personally to PA in an urgently faxed letter on Tuesday, after staff at the agency contacted the tribunal to verify the authenticity of the report they had found on the web. PA, Britain and Ireland’s largest news agency, immediately agreed to observe the embargo on publication.

PA declined to comment this weekend, but a source at the agency confirmed that the Dublin office got a phone call from a source who explained how to get the report from the website.

“Personally, I think it was a bit of a security cock-up by the tribunal,” the PA source said. “The web link was morristribunal.ie/ and then a series of numbers.”

A government source, however, said the computer used to attack the web security around the report was in the same Dublin building as the PA office. Rogue computer software known as spyware was attached to the server used to “air” the Morris tribunal website.

This spyware then uncovered the secret web link to the tribunal’s report when it was being stored in a supposedly secure location before the official government release.

The spyware notified the hacker when the report was put on the web at 10am on Tuesday, the source said. Over the 70 minutes, 350 attempts were made to access it.

The release of the report was brought forward several days by McDowell after discussions with the tribunal over the compromised security. No complaint has been made to gardai by the tribunal, although experts were able to trace the unique identification number of the computer used to hack into the tribunal site.
Strip away the breathless talk of "hacking", "internet security measures", "rogue computer software", "spyware" and "secret web links" and we have the mundane reality that somebody messed up by posting the report on a public web site, hoping that nobody would find it. An equivalent would be a person placing a book on the shelves in a library, but believing that it is "secret" because it does not appear in the library catalogue. The talk of "hacking" is a smokescreen.

So did reading the report amount to an offence? Unlikely. Under Irish law, the relevant offence would be access without lawful excuse. However, material published on the public web carries with it an implied permission to access that material. Where a publisher hasn't taken steps to limit that permission, then it will be difficult if not impossible to show, beyond a reasonable doubt, that (a) the reader acted without permission, and (b) the reader knew (or perhaps should have known) that they were acting without permission.

A similar issue arose three years ago when Reuters accessed an earnings report, posted on the public website of Swedish IT group Intentia, before its official release. Intentia filed a complaint with the Swedish police. The public prosecutor, however, found that no crime had been committed:
The prosecutor Mr Hakan Roswall chose to do nothing with Intentia's complaint. Mr Roswall concludes that it is illegal to access information stored in a computer that the proprietor deems to be secret and the proprietor protects. Mr Roswall states that Intentia did not clearly state that the information should be secret and did not protect the information. On the contrary it was very easy to access the information. Intentia stated that the report would be available at a certain time, and you only had to slightly change the URL (web address) from the report of the previous quarter in order to obtain the current report. Hence, Mr Roswall will not initiate proceedings against Reuters or any of its reporters.
Update: I've just found a post by Feargal McKay at the Sigla Blog which beats me to the punch on this issue.
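As an added illustration, not part of the original post or of the articles it quotes: both the Morris Tribunal report and the Intentia earnings report were found by varying the numeric part of a public URL, and a burst of near-identical not-found requests from one client is exactly what that looks like in an ordinary web-server log. The log lines, addresses and paths below are constructed for the example; the script parses Apache "combined" lines and reports any client whose 404 responses fan out across many variants of a single path template within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (Apache "combined" style). They are not real
# tribunal logs: one client probes successive numeric paths looking for an
# unlisted document, while an ordinary visitor browses normally.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2005:10:00:05 +0100] "GET /reports/1001.pdf HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/May/2005:10:00:09 +0100] "GET /reports/1002.pdf HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/May/2005:10:00:14 +0100] "GET /reports/1003.pdf HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/May/2005:10:00:20 +0100] "GET /reports/1004.pdf HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/May/2005:10:00:27 +0100] "GET /reports/1005.pdf HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/May/2005:10:00:33 +0100] "GET /reports/1006.pdf HTTP/1.1" 200 884211 "-" "Mozilla/4.0"
198.51.100.2 - - [10/May/2005:10:00:10 +0100] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
198.51.100.2 - - [10/May/2005:10:00:12 +0100] "GET /reports/1999.pdf HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.2 - - [10/May/2005:10:01:40 +0100] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
"""

# client, ident, user, [timestamp], "METHOD path protocol", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def path_template(path):
    """Collapse every run of digits to 'N' so /reports/1001.pdf and
    /reports/1002.pdf map to the same template."""
    return re.sub(r"\d+", "N", path)


def detect_enumeration(log_text, min_misses=4, window_seconds=600):
    """Report clients whose 404s cover at least `min_misses` distinct paths
    sharing one template inside a `window_seconds` sliding window."""
    buckets = defaultdict(list)  # (client ip, template) -> [(ts, path), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        buckets[(rec["ip"], path_template(rec["path"]))].append((rec["ts"], rec["path"]))

    findings = []
    for (ip, template), hits in buckets.items():
        hits.sort()
        best = 0
        start = 0
        for end in range(len(hits)):
            # shrink the window from the left until it spans <= window_seconds
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({p for _, p in hits[start:end + 1]}))
        if best >= min_misses:
            findings.append({
                "ip": ip,
                "template": template,
                "misses": best,
                "first": hits[0][0],
                "last": hits[-1][0],
            })
    return findings


if __name__ == "__main__":
    for f in detect_enumeration(SAMPLE_LOG):
        print(f"{f['ip']} tried {f['misses']} variants of {f['template']} "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
```

The detection is only a backstop. The real fix for an embargoed document is server-side access control: the server should return the same not-found response to everyone until the release time, so that knowing or guessing the path confers nothing.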

Thursday, June 02, 2005

Online Anonymity - Canadian Edition

The Canadian Federal Court of Appeal recently handed down an important decision on online privacy. The case - BMG Canada v. Doe - unsurprisingly involves attempts by the music industry to identify alleged filesharers, using a Norwich Pharmacal analysis.

At first instance, disclosure was refused due to deficiencies in the plaintiffs' evidence, in what was seen as a strongly pro-privacy holding. The Court of Appeal, although it allowed the plaintiffs' appeal in part, accepted that the plaintiffs' evidence was insufficient to order disclosure, and adopted much of the trial judge's reasoning in relation to the privacy issues involved. The key paragraphs of the judgment are:
In cases where plaintiffs show that they have a bona fide claim that unknown persons are infringing their copyright, they have a right to have the identity revealed for the purpose of bringing action. However, caution must be exercised by the courts in ordering such disclosure, to make sure that privacy rights are invaded in the most minimal way.

If there is a lengthy delay between the time the request for the identities is made by the plaintiffs and the time the plaintiffs collect their information, there is a risk that the information as to identity may be inaccurate. Apparently this is because an IP address may not be associated with the same individual for long periods of time. Therefore it is possible that the privacy rights of innocent persons would be infringed and legal proceedings against such persons would be without justification. Thus the greatest care should be taken to avoid delay between the investigation and the request for information. Failure to take such care might well justify a court in refusing to make a disclosure order.

Also, as the intervener, Canadian Internet Policy and Public Interest Clinic, pointed out, plaintiffs should be careful not to extract private information unrelated to copyright infringement, in their investigation. If private information irrelevant to the copyright issues is extracted, and disclosure of the user’s identity is made, the recipient of the information may then be in possession of highly confidential information about the user. If this information is unrelated to copyright infringement, this would be an unjustified intrusion into the rights of the user and might well amount to a breach of PIPEDA by the ISPs, leaving them open to prosecution. Thus in situations where the plaintiffs have failed in their investigation to limit the acquisition of information to the copyright infringement issues, a court might well be justified in declining to grant an order for disclosure of the user’s identity.

In any event, if a disclosure order is granted, specific directions should be given as to the type of information disclosed and the manner in which it can be used. In addition, it must be said that where there exists evidence of copyright infringement, privacy concerns may be met if the court orders that the user only be identified by initials, or makes a confidentiality order.
The court also indicated that disclosure should not be granted if there was some "other improper purpose for seeking the identity of these persons".

Consequently, while the Canadian courts are prepared to grant disclosure on the basis of Norwich Pharmacal, it seems that they will (a) demand a higher standard of evidence before granting a disclosure order; (b) take greater steps to minimise the privacy consequences of a disclosure order; and (c) examine the request to see whether it is pretextual.
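The Court of Appeal's worry that "an IP address may not be associated with the same individual for long periods of time" is easy to show with a small model of an ISP's address-assignment records. The example below is added here and is not from the judgment or from any ISP; the lease table, account identifiers and retention period are constructed. It shows that attributing an address requires the observation timestamp, that a lookup of the address's current holder can name the wrong customer, and that a delayed request can find the record already purged.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Lease:
    """One dynamic address assignment, as an ISP's RADIUS/DHCP accounting would record it."""
    ip: str
    subscriber: str            # hypothetical account identifier, not a real customer
    start: datetime
    end: Optional[datetime]    # None means the lease is still active


def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed lease history: two different customers hold 198.51.100.42 in turn.
LEASES = [
    Lease("198.51.100.42", "acct-1001", utc(2005, 6, 1, 10, 0), utc(2005, 6, 1, 13, 0)),
    Lease("198.51.100.42", "acct-2002", utc(2005, 6, 1, 13, 0), None),
    Lease("198.51.100.43", "acct-3003", utc(2005, 6, 1, 9, 0), None),
]

# Constructed scenario: the plaintiff saw the address at noon; the ISP keeps
# accounting records for 30 days (an assumed policy, not a legal requirement).
OBSERVED = utc(2005, 6, 1, 12, 0)
LOOKUP_SOON = OBSERVED + timedelta(hours=5)
LOOKUP_LATE = OBSERVED + timedelta(days=45)
RETENTION = timedelta(days=30)


def subscriber_at(leases, ip, when):
    """Who held `ip` at the instant `when`? None if no lease covers that moment."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when and (lease.end is None or when < lease.end):
            return lease.subscriber
    return None


def attribute(leases, ip, observed_at, lookup_at, retention):
    """Model a disclosure request: the address was observed at `observed_at` and the
    ISP is asked at `lookup_at`. Records older than `retention` are treated as purged."""
    if lookup_at - observed_at > retention:
        return {"status": "expired", "subscriber": None, "holder_now": None, "changed": None}
    then = subscriber_at(leases, ip, observed_at)
    now = subscriber_at(leases, ip, lookup_at)
    return {
        "status": "ok" if then else "unknown",
        "subscriber": then,       # the right answer: holder at the time of the observation
        "holder_now": now,        # what a lookup that ignores the timestamp would return
        "changed": then != now,   # True: the address has since moved to someone else
    }


if __name__ == "__main__":
    print(attribute(LEASES, "198.51.100.42", OBSERVED, LOOKUP_SOON, RETENTION))
    print(attribute(LEASES, "198.51.100.42", OBSERVED, LOOKUP_LATE, RETENTION))
```

The `changed` flag is the practical point for an ISP answering such an order: when the current holder differs from the holder at the observed time, the response should identify only the latter, and a request that carries no timestamp at all cannot be answered safely.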

Michael Geist has an informative analysis of the decision on his (always interesting) website. He includes a summary, prepared by Alex Cameron (who argued the case), of the test which ISPs must now meet in order to seek disclosure:
Courts shall not order ISPs to disclose the identities of their customers unless the Plaintiff meets its burden of showing each of the following factors. If the Plaintiff fails to show any of the following, then disclosure shall not be made:

1. Plaintiff must show that it has:

(a) targeted the correct IP address by providing clear admissible evidence that it has correctly linked online activities to a specific IP address at a particular time. There should be no risk that innocent people will have their privacy invaded or named as defendants where it is not warranted (para 21); and

(b) "a bona fide claim that unknown persons are infringing their copyright" (para 42), including "i.e., that they really do intend to bring an action based on the information they obtain, and that there is no other improper purpose for seeking the identity of these persons". (para.34)

(Note: Even if the plaintiff meets its burden under 1(a), disclosure may be refused where the ISP advises the court that there is a risk of an innocent person having their privacy invaded or named as a defendant where it is not warranted. This might arise if, for example, the ISP's records are incomplete or suggest that the risk is present for another reason)

2. "There should be clear evidence to the effect that the information cannot be obtained from another source such as the operators of the named websites." (para.35)

3. "The public interest in disclosure must outweigh the legitimate privacy concerns of the person sought to be identified if a disclosure order is made" (para.36)

a) the information on which a request for identification is made (eg, IP address) must be timely; no undue delay between investigation and motion for disclosure (para 43)

b) in their investigation, plaintiffs must "limit the acquisition of information to the copyright infringement issue" (para.44)

In cases where the plaintiff has met each of the factors above, "caution must be exercised by the courts in ordering such disclosure, to make sure that privacy rights are invaded in the most minimal way" (para 42). For example, specific directions should be given as to the type of information disclosed and the manner in which it can be used. In addition, the court should consider making a confidentiality order or identifying the defendant by initials only (para.45)

Tuesday, May 17, 2005

German Court Refuses to Order ISPs to Disclose User Identities

Heise has an article indicating that the Higher Regional Court in Hamburg has declined to order ISPs to disclose the identities of users alleged to be infringing copyright by running FTP servers. The court held that, as ISPs were not joint wrongdoers, their obligations were limited to blocking and removing infringing material:
In its highly detailed opinion the court concludes that the obligation in piracy cases to provide information on the creation and/or distribution of pirated items - created by the right to information specified by the Copyright Act - only applied to those parties themselves involved in the said illegal acts. The access provider was not a party of this kind, the court ruled, as it merely provided access to the Web. Contrary to the opinion of the District Court a provider could also not be held accountable as a so-called "Mitstörer" (co-troublemaker) in breach of the law on the grounds of having provided access to the Internet. The legislation of paragraph 8 subsection 2 of the Tele Services Act (TDG), according to which access providers in line with the laws in general and despite a certain privileged position as to liability are enjoined to "remove and block" illegal content, had not changed this state of affairs, the Higher Regional Court concluded. After all, "remove" and "block" specifically did not imply the divulging of information, thus the OLG. With its decision the OLG Hamburg has taken the same line as the OLG in Frankfurt-on-the-Main. The judges in the federal state of Hesse hence also disputed that there was a right to demand information from access providers, as such a right to demand information served to discover and drain the sources and distribution channels of pirated items and only such parties as committed or participated in such violations of copyright were obliged to provide information, they concluded.
It'll be interesting to see whether this approach will survive the implementation of the IP Enforcement Directive. Article 8 of this draconian Directive creates a "right of information" - i.e. a right to compel third parties to disclose information, including the identity of an alleged infringer. (Effectively transplanting the Norwich Pharmacal order into EU law.) The Directive itself, after much lobbying, was amended to limit this to "acts carried out on a commercial scale" i.e. "those carried out for direct or indirect economic or commercial advantage; this would normally exclude acts carried out by end consumers acting in good faith" (see recital 14). However, this definition is opaque. What's meant by "indirect economic advantage"? Would it include savings made by downloading music from others? What's the significance of the reference to "acting in good faith"? If A has a large music collection, and shares that via a p2p network, is he acting on a commercial scale? Does it make a difference whether he knows that what he's doing is illegal?

Also, even if Article 8 itself doesn't cover this situation, nothing in the Directive precludes member states from choosing to extend it to non-commercial situations (see recital 14), and we can expect the music / film industry lobbies to push at national level for the directive to be extended to cover all alleged infringements - commercial or otherwise.

Via The Register

Monday, May 16, 2005

Google's Web Accelerator

Google's famous motto - "Don't be Evil" - has lost some of its shine lately. A prime target for critics is the new Web Accelerator: a browser add-in that runs all your web browsing - not just your searches - through Google's servers. The pay-off is faster browsing through technical wizardry including lots of caching by Google. The downsides? Privacy problems and dubious legality.

Jeff Jarvis doesn't like this from a copyright point of view:

It's one matter when the search engine caches a page you can't get anymore; that's a copyright violation but an all-in-all benign one in the sense that it's only giving you content you could not otherwise see (no different from, say, the web archive).

But it's quite another matter for Google to get in the way of serving current content. This means that the page is served from Google rather than from a publisher's server, which means that the publisher cannot count the traffic and serve targeted and dynamic advertising.

It also means that Google is copying content on its servers and serving it from there and thus is violating copyright.

And it means that Google is in a position to snoop on data on consumers' usage of sites that Google does not own: That is, Google will know what the consumers on my site are doing better than I will for these "accelerated" pages.

Karl-Friedrich Lenz doesn't like the data retention implications:
I have been opposed to any large-scale collection of Internet traffic data for years.

There is a heated battle going on about exactly this question right now in Europe. Enemies of freedom are gaining influence and want to turn the Internet into one big surveillance instrument. Under these circumstances, it is absolutely unacceptable to try building the world's largest Internet traffic data collection under the misleading excuse of speeding up web surfing. This calls for active resistance to Google, which deserves to be put completely out of business for this move.

He's also analysed the data protection, copyright and liability issues from an EU perspective, in a very interesting post that deserves to be quoted in full:
However, this "web accelerator" is clearly another new level of privacy violation, even if it only affects those who choose to live under the Google searchlights just to get a few downloads done faster.

Therefore, I will take a few minutes to look at whether it might be illegal under current European law.

There are three potential problems.

One is copyright. The service seems to be working, among other things, by using a "prefetch" command. That is, Google is downloading content the user might possibly require next in advance.

This downloading is a reproduction, just as the illegal cache of the whole Web Google is doing is a reproduction.

That means it needs an exception or limitation, since obviously Google has no licenses.

The only exception possible is Article 5 Number 1 a) of the 2001 Information Society Copyright Directive.

That exception requires that the "prefetch" is an "integral and essential part of a technological process whose sole purpose is to enable a transmission in a network between third parties in a network".

The "prefetch" does not enable a transmission in all cases where the user does not choose to actually use the prefetched file. In all those cases, it adds only unnecessary burdens to the whole Internet traffic load. Therefore, it seems to be open to doubt if the exception extends this far.

The next potential problem is data protection. Article 6 paragraph 1 of the 2002 Electronic Communications Data Protection Directive says:

"1. Traffic data relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication without prejudice to paragraphs 2, 3 and 5 of this Article and Article 15(1)."

Since Google "logs page requests" and does not seem to delete them when the communication is finished, all that keeps them from violating Article 6 is the anonymity of the user. However, since the pages logged may contain personally identifiable information, that defense is rather weak in most cases.

The third potential problem is that of liability for illegal content.

Under Article 13 of the 2000 Electronic Commerce Directive, an exception for liability is granted for "Caching".

However, in this case the exception is clearly restricted to cases where the cache is for the purpose of making more efficient the information's onward transmission to other recipients of the service upon their request. With "prefetched" pages there is no user request.

So if any of the billions of prefetched pages on some user's computer turns out to be illegal in that particular country, there is nothing to stop Google's liability for delivering that particular content.

Summing up, there seem to be some potential legal problems with the "web accelerator" service under European law, especially regarding the "prefetched" pages.

However, the moral repulsiveness of turning the searchlights on your users, as opposed to having them turned on the web content, depends in no way on the finer legal points mentioned above.

The Inside Google Blog, meanwhile, doesn't like the fact that the Web Accelerator is apparently serving up private information to the wrong people:
See, Google isn't serving web pages faster, it's serving other people's versions of the web page faster. What does that mean? Try using Web Accelerator on a forum site, one with lots of geeks who love Google and probably already have Web Accelerator installed. Why, if you're lucky, you'll be logged in as someone else, as the folks at SomethingAwful.com discovered. The posters in that forum discovered that most of the times they refreshed the page, they were logged in as a different person, seeing their friend's control panel for the forums.

[...]

Installing Accelerator will, at some point, let you into a private area you shouldn't be seeing. Maybe it'll be a control panel or options area for a logged in user. Maybe it'll be a porn site with password protection. Maybe it will be a private Microsoft message board where developers discuss trade secrets regarding the next version of Windows. It will happen, and when it does, I expect screenshots.
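The mechanism behind the forum complaint above is a shared cache that keys a page on its URL alone, so a page personalised by one user's session cookie is replayed to the next user who asks for the same URL. The following is an added example, not code from the original post or from Google: it models a shared caching intermediary with constructed requests, a constructed session table and a constructed origin, and works through the four combinations of "cache honours headers or not" and "origin marks the page private or not". The URL, cookie names and session values are assumptions made up for the example.

```python
"""Cross-user leakage through a shared cache, and the headers that prevent it.

Added example, not code from the original post or from Google. It models a
shared caching intermediary with constructed requests and responses, and shows
that a page personalised by a session cookie is replayed to the wrong user
unless the origin marks it "Cache-Control: private" / "Vary: Cookie" AND the
cache honours those headers. Everything below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    url: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


# Constructed session table: cookie value -> logged-in user (assumed names).
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def origin(req: Request, mark_private: bool) -> Response:
    """Constructed origin server serving a per-user forum control panel."""
    cookie = req.headers.get("Cookie", "")
    token = cookie.split("session=", 1)[1] if "session=" in cookie else ""
    user = SESSIONS.get(token, "guest")
    headers = {"Content-Type": "text/html"}
    if mark_private:
        # Defensive headers: a shared cache must not store this response, and
        # if one stores it anyway it may only reuse it for the same Cookie.
        headers["Cache-Control"] = "private, no-store"
        headers["Vary"] = "Cookie"
    return Response(body=f"<h1>Control panel for {user}</h1>", headers=headers)


class SharedCache:
    """A cache shared by many users. honour_headers=False is the naive variant
    that keys on the URL alone, which is the failure mode the post describes."""

    def __init__(self, honour_headers: bool) -> None:
        self.honour_headers = honour_headers
        # Each entry: (url, ((header, value), ...) it was stored under, response)
        self.entries: List[Tuple[str, Tuple[Tuple[str, str], ...], Response]] = []

    def fetch(self, req: Request, upstream: Callable[[Request], Response]) -> Tuple[Response, str]:
        for url, vary_values, resp in self.entries:
            if url != req.url:
                continue
            if self.honour_headers and any(req.headers.get(h, "") != v for h, v in vary_values):
                continue  # stored under a different Cookie value; not reusable
            return resp, "HIT"
        resp = upstream(req)
        cc = resp.headers.get("Cache-Control", "")
        storable = (not self.honour_headers) or not ("private" in cc or "no-store" in cc)
        if storable:
            vary = [h.strip() for h in resp.headers.get("Vary", "").split(",") if h.strip()]
            vary_values = tuple((h, req.headers.get(h, "")) for h in vary)
            self.entries.append((req.url, vary_values, resp))
        return resp, "MISS"


def what_bob_sees(naive_cache: bool, origin_marks_private: bool) -> str:
    """Alice loads her control panel through the shared cache, then Bob loads
    the same URL with his own cookie. Returns the body Bob receives."""
    cache = SharedCache(honour_headers=not naive_cache)

    def upstream(r: Request) -> Response:
        return origin(r, origin_marks_private)

    alice = Request("/forum/control-panel", {"Cookie": "session=sess-alice"})
    bob = Request("/forum/control-panel", {"Cookie": "session=sess-bob"})
    cache.fetch(alice, upstream)
    resp, _ = cache.fetch(bob, upstream)
    return resp.body


def leak_matrix() -> Dict[Tuple[bool, bool], bool]:
    """True where Bob is shown Alice's page, keyed by (naive_cache, marks_private)."""
    return {
        (naive, private): "alice" in what_bob_sees(naive, private)
        for naive in (True, False)
        for private in (False, True)
    }


if __name__ == "__main__":
    for (naive, private), leaked in leak_matrix().items():
        print(f"naive_cache={naive!s:5} origin_marks_private={private!s:5} -> "
              f"{'LEAK' if leaked else 'ok'}")
```

Only the last row of the matrix is safe: a site that omits the headers leaks through even a well-behaved shared cache, and a cache that ignores the headers leaks regardless of what the site does. Marking authenticated pages private is still the part a site operator controls, and the part worth checking.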

Friday, May 06, 2005

How much will Irish filesharers end up paying IRMA?

Let's assume, for the sake of argument, that Irish ISPs will eventually be ordered by the High Court to disclose users' identities to IRMA. If this happens, it's unlikely that any of the cases will proceed to trial - the pattern from the US and UK has been for the overwhelming majority of cases to settle out of court. What sort of payments is IRMA likely to demand?

The average settlement in the last round of UK cases was, according to the BPI, around £2,000. At the high end, two defendants paid over £4,000 each to settle their cases. The number of files involved varied from several hundred to several thousand, with the higher settlements presumably reflecting more files being shared.

In the US, settlements have on average been much the same, but in some cases have been much higher. In the first wave of litigation in 2003, it seems that the average settlement was about $3,000, with settlement demands starting at about $3,000-$4,000. Individual settlements, however, included several of $7,500, and at least one for $10,000. Since then there have been reports that the average settlement has gone up to $4,000. There have also been some unusual cases involving student filesharing networks where the settlements have come in at $12,000-$17,000.

Significantly, several of the US cases have involved people who arguably weren't guilty of any wrongdoing, but who nevertheless found it safer and cheaper to pay up. Leaving legal fees aside for the moment, the main reason for this is the draconian statutory damages US law provides for copyright infringement. Instead of requiring proof of actual damage, US law allows plaintiffs to recover $750 to $30,000 per copyrighted work, which can be increased to $150,000 for willful infringement. So, if you share 100 files, that's a statutory minimum of $750 x 100 = $75,000 in damages, irrespective of how often those files were in fact downloaded. Facing the risk of these (arguably unconstitutional) penalties, it's hardly surprising that the RIAA has substantial leverage over defendants.

Turning back to the Irish situation, presumably IRMA will initially be looking for settlements in line with the majority of US and UK settlements, which would put the demands in the region of €3,000-€5,000 or thereabouts. If they restrict themselves to these figures, it's unlikely to be worth a defendant's time seeking legal advice and contesting the action, particularly since a loss would involve paying that amount and more in legal fees (for both sides) alone. Factors which will influence the amount of any settlement will presumably include the number of files involved, the length of time for which the material was shared, and (possibly) any mitigating factors such as the sharing being unintentional or by a child.

If a filesharing case did go to trial, it's difficult to put a figure on what damages might be awarded (and possibly redundant, since the damages might well be dwarfed by legal fees). Irish law does not have statutory damages comparable to US law: the damages which can be awarded are generally limited to the actual loss suffered by the plaintiff (which will be difficult to prove in filesharing cases), though aggravated and exemplary damages can also be awarded in particularly serious cases. The only reported Irish decision discussing damages in this type of case seems to be Universal Studios v. Mulligan where the court awarded (in 1999 pounds) £75,000 damages to various film studios injured by the defendant's sale of several thousand pirated videos, of which £25,000 was compensatory and £50,000 aggravated. That case, though, involved a large scale commercial operation, over a period of years, which made the defendant substantial sums of money. It's very unlikely that an award of damages in a filesharing case would come anywhere near that benchmark - and judging from Universal Studios, it's also unlikely that aggravated damages would be awarded.

Update - The Register reports that eight Dutch filesharers have settled for approximately €2100 each. According to EDRI the filesharers were required to:
sign an unlimited binding agreement to never ever "directly or indirectly be involved in any way or have an interest in unlawfully distributing materials on the internet". If ever again caught in such a very broadly defined act, the signee agrees to pay a fine of 5.000 euro per day.

Friday, April 29, 2005

Online Anonymity - Ratemyteachers.ie edition

Two interesting articles in the Irish Times today (subscription only) discuss the implications of ratemyteachers.ie, which allows students to give anonymous ratings and comments on their teachers. Needless to say, teachers aren't happy with comments such as "Couldn't teach her way out of a brown paper bag" and "Poor guy couldn't teach. Had it all in his head but just couldn't relate it to the students."

John Downes reports that the Joint Managerial Body (representing Irish secondary schools) has sought legal advice with a view to shutting down the service, only to be told that as the site is US based there is little that can be done. He also reports that the JMB has raised the issue with the Data Protection Commissioner, who has "indicated that the site is outside of [his] jurisdiction".

In the Business supplement, Fergal Crehan addresses the libel issues raised by the site, and also discusses the question of whether posters to the site could be identified (article also available here):
Contrary to widespread belief, the internet does not afford absolute anonymity, and Operation Amethyst, the Garda child pornography investigation, has shown that there is an electronic trail which can be followed from a web server back to an individual computer.

In theory, therefore, a person posting content on a website can be identified via their internet service provider (ISP). ISPs are prevented both by data protection laws and their own privacy policies from giving out the details of their subscribers without their consent, but English courts have made orders in defamation cases compelling them to do so. In 2001, the business website www.motleyfool.com was compelled to hand over details of a pseudonymous poster who made defamatory statements regarding the company Totalise on the Motley Fool site. It was later held on appeal that the Motley Fool was not to be responsible for Totalise's costs for this application, thus avoiding the dilemma where a website has a choice between breaking data protection regulations and its own privacy policy where it hands over information voluntarily, and court costs where it does so only after a court order is granted.

Ratemyteachers states on its site that it complies with all court orders and subpoenas, but is it possible for an Irish teacher to get such a court order? If the principle established in the Motley Fool case is followed in Ireland, then the answer may be yes.

Whether Rate My Teachers would comply with an Irish rather than a US court order is unknown, and although there is provision for such an order to be enforced by a US court, the cost of such enforcement would seem to be prohibitive.

The Motley Fool ruling also suggested that in the interests of fair procedure, the person who is to be "unmasked" should be contacted by the web host or ISP and given an opportunity to give reasons why he should not have his details passed on, thus allowing a court to take a more balanced view in deciding the issue. A court may decline to give such an order, for example, in "whistleblower" situations, where the anonymity of a poster is of great importance.
I have to quibble with Fergal on two points here though.

First, he repeats the popular misconception that ISPs are prevented by the Data Protection Act / their own privacy policies from disclosing subscribers' identities in this type of situation. As I've explained, this is an oversimplification. The Data Protection Act permits voluntary disclosure to protect the "legitimate interests" of a third party to whom the data is disclosed, subject to a proportionality test. It might be that a particular ISP's privacy policy will prevent disclosure - but this is a difficult issue. Privacy policies may be regarded by the courts as mere policies - and won't necessarily have the status of contractual promises. In any event, many privacy policies will contain limitations which allow for disclosure to third parties in this type of situation.

Second, it's misleading to say that an Irish court order would be enforced by a US court. The US legal environment in relation to defamation is very different, since the First Amendment gives strong protection to speech in general and anonymous speech in particular. In several cases US courts have refused to enforce English libel decisions which they felt conflicted with the First Amendment's guarantee of freedom of speech. Consequently, to enforce any Irish order in the US, the plaintiff would have to show that the Irish decision was compatible with the First Amendment - which could be very difficult, given the differences between Irish and US libel laws.

Wednesday, April 27, 2005

Your personal information is for sale

From The Guardian:
Two national newspapers paid to receive confidential information from the police national computer, a court heard yesterday.

Articles from the Sunday Mirror and the Mail on Sunday were used in evidence against two former police employees and two private investigators charged with offences involving the sale of police information to the press.

The court was told that Stephen Whittamore, a 56-year-old private investigator with links to the national press, provided "very personal and confidential details" about a series of high-profile figures, including the EastEnders actors Charlie Brooks and Jessie Wallace; Bob Crow, general secretary of the Rail Maritime and Transport Union; and Clifton Tomlinson, son of the actor Ricky Tomlinson.

Riel Karmy-Jones, prosecuting, told Blackfriars crown court in central London that Mr Whittamore had received the information "through a chain" made up of the three other defendants: the private investigator John Boyall, 52; Alan King, a 59-year-old retired police officer; and Paul Marshall, 39, a former civilian communications officer who was based at Tooting police station in London.

Mr Marshall and Mr King both pleaded guilty to conspiracy to commit misconduct in a public office, while Mr Whittamore and Mr Boyall pleaded guilty to the lesser charge of breaching the Data Protection Act. All four were given a two-year conditional discharge.
This isn't unusual. Spy Blog points out that there have been many similar cases in England, including:
the breach of the Driver Vehicle Licensing Agency computer systems by animal extremist supporter Barry Saul Dickinson who only got 5 months in jail for the offence of "misconduct in a public office" and the Metropolitan Police spy Ghazi Kassim who only got two and a half years for "three charges of misconduct in a public office".
Why the reference to English cases? Is Ireland somehow immune? Hardly. We can be sure that similar cases are happening here. Although we have yet to convict somebody of selling information, there are periodic glimpses of things happening under the surface.

Two recent examples. The Minister for Justice has stated that some Gardaí are selling information to journalists. (The background to that statement includes alleged leaks by Gardaí to journalists about an assault on the Minister's son earlier that year.) Similarly, the Sunday Business Post recently printed (in relation to the Morris Tribunal) that:
Gardai have also been on the receiving end of phone bill enquiries. “I was able to access the phone records of 38 people, most of them guards,” said private investigator Billy Flynn, who helped expose the Donegal garda scandal. “You get a complete profile of the person - who they are contacting, how often and at what times."
There are other credible allegations out there - but our defamation laws don't encourage their repetition here.

Any system is open to insider attacks, and there will always be a risk of a dishonest user seeking to profit from their access. The key must be to minimise this risk by limiting the data which is available to the insider, tracking the data which they access and determining whether they have a reason to do so, and ultimately deterring abuse with a credible risk of detection, prosecution and conviction. I'm not sure that Irish law goes far enough to do this.
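The "tracking the data which they access and determining whether they have a reason to do so" part is something a records system can do mechanically, if every lookup is logged with the reason given for it. What follows is an added example, not from the original post or from any of the systems mentioned in it: a constructed audit log from a hypothetical records database, and two checks over it, one flagging lookups with no recorded case reference, the other flagging operators whose lookup volume is far above their peers. The log format, field names, operator ids and thresholds are all assumptions made for the example.

```python
"""Audit-log checks for insider lookups of personal records.

Added example, not from the original post: a constructed audit log from a
hypothetical records database and two rules implementing the post's advice to
track what insiders access and ask whether they had a reason. Rule 1 flags
lookups with no recorded case reference; rule 2 flags operators whose lookup
volume is far above their peers. The log format, field names and thresholds
are assumptions.
"""
from collections import Counter
from statistics import median
from typing import Dict, List

# Constructed audit log: timestamp, operator id, record looked up, case reference
# ("-" means the operator recorded no reason for the lookup).
AUDIT_LOG = """\
2005-04-27T09:12:03 op17 REC-00412 CASE-2005-113
2005-04-27T09:14:41 op17 REC-00913 CASE-2005-113
2005-04-27T10:02:19 op42 REC-00088 -
2005-04-27T10:02:55 op42 REC-00089 -
2005-04-27T10:03:30 op42 REC-00090 -
2005-04-27T10:04:02 op42 REC-00091 -
2005-04-27T10:04:40 op42 REC-00092 -
2005-04-27T11:30:00 op08 REC-00500 CASE-2005-120
2005-04-27T13:45:12 op42 REC-00093 CASE-2005-121
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the four-field log format above into dicts; '-' becomes an empty case."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, operator, record, case = line.split()
        entries.append({"ts": ts, "operator": operator, "record": record,
                        "case": "" if case == "-" else case})
    return entries


def lookups_without_reason(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rule 1: every lookup should cite a case; those that do not need review."""
    return [e for e in entries if not e["case"]]


def high_volume_operators(entries: List[Dict[str, str]],
                          factor: float = 2.0, minimum: int = 5) -> Dict[str, int]:
    """Rule 2: operators doing more than `factor` times the median number of
    lookups (and at least `minimum`) stand out from their peers."""
    counts = Counter(e["operator"] for e in entries)
    if not counts:
        return {}
    typical = median(counts.values())
    return {op: n for op, n in counts.items() if n >= minimum and n > factor * typical}


def review_report(text: str) -> Dict[str, object]:
    """Run both rules and summarise what a supervisor should look at."""
    entries = parse_log(text)
    unjustified = lookups_without_reason(entries)
    return {
        "total": len(entries),
        "no_reason": unjustified,
        "no_reason_by_operator": dict(Counter(e["operator"] for e in unjustified)),
        "high_volume": high_volume_operators(entries),
    }


if __name__ == "__main__":
    report = review_report(AUDIT_LOG)
    print(f"{report['total']} lookups, {len(report['no_reason'])} without a case reference")
    for op, n in report["no_reason_by_operator"].items():
        print(f"  {op}: {n} unjustified lookups")
    for op, n in report["high_volume"].items():
        print(f"  {op}: {n} lookups, well above peers")
```

Neither rule proves wrongdoing; a burst of lookups on a single case is normal. What they give a supervisor is a short list to ask about, which is the "credible risk of detection" the paragraph above asks for, and it only works if the reason field is mandatory at the point of lookup rather than filled in later.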

Monday, April 25, 2005

Hot Press on the IRMA litigation

May's Hot Press has an article (not available online, as far as I know) about the filesharing litigation, including an interview with Dick Doyle of IRMA. Some interesting snippets from that article:
"18 months ago we sent brochures to 800 companies. We sent brochures to every governmental department. We sent one to every third level educational institution in the country. They all came back to me with what firewalls they have, and showed us what they're doing to make sure their students or lecturers aren't involved in it. They gave me evidence to show that under their Codes of Conduct, students will be taken off Internet access, fined or suspended."

"In the last three months, we've sent 6 million instant messages", he continues. "When someone is filesharing, a pop-up message comes up and says, 'This is IRMA - What you're doing is illegal'."

[...]

In order to identify music uploaders, Doyle spent a number of months infiltrating filesharing communities online. With the cooperation of an unnamed 'specialist' company, 4,000 seed songs were planted in various filesharing outlets (among them, Doyle recalls, tracks by Keane, Radiohead, Eminem and ABBA).

[...]

When contacted by IRMA, the 17 targeted individuals will be faced with two options.

"Option one is that they will be snowed under by evidence, and I will ask them to settle straightaway. This will involve getting rid of illegal files, cleaning up their PCs, getting rid of filesharing software. They will also, under court order, be asked to pay damages."

"In the UK, in 26 actions taken four months ago, 25 took option 1 and paid £3,000 damages. I would presume that anyone with common sense would do that."

[...]

"On this particular wave we've hit KaZaA and Gnutella, on the next we'll hit Limewire and all the rest."

Tuesday, April 19, 2005

Spinning Plausible Stories

The 2004 Report of the Data Protection Commissioner (pdf - summary in word format) has a worrying case study:

I received a complaint about Eircom not respecting a Barring Order that had been granted to a wife against her husband. Though she had changed the telephone account details from his name to her name, he had still been able to contact Eircom and had the access codes for voicemail reset so that he could access her voicemail. Furthermore, on closing the account, the final account had been sent to him at his address rather than hers.

Eircom investigated this complaint thoroughly from a data protection perspective. They were not able to establish definitively how the matters complained of arose but accepted that either the estranged husband had the account number himself or perhaps had “spun a plausible story” to Eircom.
Barring orders are granted in circumstances where there is a risk of violence. In this type of situation, disclosing somebody's personal information can threaten their safety or even their life. Yet, despite the fact that "procedures are in place for protecting confidential information and ... staff are aware of the company’s data protection obligations", information is still vulnerable to someone who can "spin a plausible story".

This is familiar territory. The phenomenon is better known as social engineering. It won't come as a surprise to anyone who has glanced at computer security. So why even mention it? Well, if we allow the government to push its data retention agenda then all sorts of personal information (such as details of the websites you visit or the emails you send) will be stored for several years. But don't worry about your privacy. After all,
"procedures are in place for protecting confidential information and ... staff are aware of the company’s data protection obligations".

Unless, of course, someone can spin a plausible story.

Political Spam

The 2004 Report of the Data Protection Commissioner (pdf - summary in word format) has just been released. There are several interesting case studies - one of which confirms that political spam is alive and well in Ireland. Note the unrepentant attitude of the politician in question:
[A] complaint ... was received in late 2003 ... about an unsolicited email of a political nature which had been sent by a County Councillor, Jon Rainey, of Fingal County Council. It was alleged that in June 2003 he had “harvested” email addresses from the address line of an email sent by a third party – who was also a County Councillor but of another party. (“Harvesting” refers to the addition to one’s own mailing list of any email address received on the “to” or “cc” line of the email). This was in contravention of the provisions of S.I. No. 535 of 2003 (European Communities (Electronic Communications Networks and Services (Data Protection) Regulations 2003) which provides for prior consent for unsolicited emailing of individuals for direct marketing purposes, including political purposes. I only name Mr. Rainey in my Report as he failed to cooperate with my investigations and only acknowledged the facts of the complaint 6 months after I had first raised them and then only when I had to formally issue him with an Information Notice under sections 10 and 12 of the Acts. At that late stage, he confirmed that the details of email addresses “harvested” from another email had been deleted from his system and that no further details had been obtained in this manner. However, his attitude to my Office was that the matter was of little consequence and he complained that I had “pestered” him. It is important that public representatives and candidates for elective office realise the importance of their obligations under the Acts and that, in so far as responding to legitimate investigations from statutory office holders is concerned, in no sense should they consider themselves above the law.
Irish politicians have been active spammers in the past, with the 2002 election campaign seeing voters annoyed by automated recorded phone calls and sms text messages, which were ultimately stopped by the intervention of the Data Protection Commissioner.

(There are two uncertainties raised by this case though. First, how did the councillor breach the 2003 Regulations by his actions in June 2003, when those Regulations only came into force on 6 November 2003? Second, under Irish law there is now an exemption for "direct mailing ... in the course of political activities" (s.1 of the Data Protection Act 1988 as amended). Is the term "direct mailing" wide enough to cover email (allowing this type of spam), or would it be limited to snail mail?)