Monday, July 30, 2007

Computer generated evidence and defence access to source code

Today's Irish Times reports on an interesting clash between the rights of an accused person to a fair trial and what breathalyser manufacturers see as their commercial interests:
A solicitor from Co. Louth is seeking a judicial review of a drink driving conviction...

Paul Moore, a solicitor in Monaghan, is arguing that because the manufacturers of the Lion Intoxilyzer breath testing machine did not provide him with a hard copy of the software it uses that a conviction was made in the absence of full disclosure and therefore the constitutional rights of the accused person were not upheld...

At an earlier court hearing Judge Flann Brennan had made an order of disclosure. When pressed on why the software was not disclosed pursuant to that order, Mr. Blythe [a senior manager with the manufacturers] told Alan Doherty, defending, that "the company is adamant that it does not disclose software documentation". He also said he believed that this was for commercial reasons.
This is the first Irish case that I'm aware of where disclosure of source code has been sought in the context of a criminal prosecution, though there has been a good deal of litigation on this point in the United States, where companies have also refused to turn over source code with the result that many cases have been dismissed.

This is certainly the correct result - if a person may lose their liberty based on a number generated by a machine, they must be able to challenge the accuracy of that number - which they cannot do unless they know how that machine operates. The manufacturer's failure to comply with a court order on the basis of "commercial reasons" is astonishing - if they believe that their commercial interests are superior to the right of an accused person to a fair trial and are unwilling to comply with the order of the court then they should not be manufacturing this equipment nor should our justice system be purchasing it.

Ethan Zimmerman of the EFF has some insightful comments on the US cases, and draws an analogy with electronic voting:
Matt Zimmerman, a staff attorney for the Electronic Frontier Foundation (EFF), said it is just as important for people to know that products like breathalyzers or voting machines work correctly as it is for companies to protect their trade secrets.

"It's one of the few cases that we've seen recently where a court has come out and said it really is appropriate, if you're going to be making important decisions that affect someone's liberty, then you should be able to understand what's going on with these technologies that are helping make these decisions," Zimmerman said.

He said that in addition to various fears over losing proprietary advantages, companies may also fear that public examination of software would let the public know "there may be some flaws in the design, in the coding, that otherwise they wouldn't have to reveal."

"The government is outsourcing a governmental process," Zimmerman said of both e-voting and the breathalyzer questions. "It's not a case where you're alleging that a certain harm has been done to a specific person. You're making the allegation that the technology doesn't do its work quite as well as it could."

The key to both concerns is the potential for these devices to affect people's liberty and freedom, while the manufacturers do not provide the public with the information to know what is going on, Zimmerman said. Both cases, he said, should tell the government that the public has a right to know how technologies actually work when they have to do with individual liberty.
Update (10/8/07): Declan McCullagh has details of a recent Minnesota decision ordering disclosure.
Update (5/9/07): The code of one US breathalyser has now been analysed and found to be extremely sloppy:

1. The Alcotest Software Would Not Pass U.S. Industry Standards for Software Development and Testing: The program presented shows ample evidence of incomplete design, incomplete verification of design, and incomplete “white box” and “black box” testing. Therefore the software has to be considered unreliable and untested, and in several cases it does not meet stated requirements. The planning and documentation of the design is haphazard. Sections of the original code and modified code show evidence of using an experimental approach to coding, or use what is best described as the “trial and error” method. Several sections are marked as “temporary, for now”. Other sections were added to existing modules or inserted in a code stream, leading to a patchwork design and coding style…

It is clear that, as submitted, the Alcotest software would not pass development standards and testing for the U.S. Government or Military. It would fail software standards for the Federal Aviation Administration (FAA) and Food and Drug Administration (FDA), as well as commercial standards used in devices for public safety…If the FAA imposed mandatory alcohol testing for all commercial pilots, the Alcotest would be rejected based upon the FAA safety and software standards…

4. Catastrophic Error Detection Is Disabled: An interrupt that detects that the microprocessor is trying to execute an illegal instruction is disabled, meaning that the Alcotest software could appear to run correctly while executing wild branches or invalid code for a period of time. Other interrupts ignored are the Computer Operating Property (a watchdog timer), and the Software Interrupt.

6. Diagnostics Adjust/Substitute Data Readings: The diagnostic routines for the Analog to Digital (A/D) Converters will substitute arbitrary, favorable readings for the measured device if the measurement is out of range, either too high or too low. The values will be forced to a high or low limit, respectively. This error condition is suppressed unless it occurs frequently enough…

7. Flow Measurements Adjusted/Substituted: The software takes an airflow measurement at power-up, and presumes this value is the “zero line” or baseline measurement for subsequent calculations. No quality check or reasonableness test is done on this measurement…

10. Error Detection Logic: The software design detects measurement errors, but ignores these errors unless they occur a consecutive total number of times. For example, in the airflow measuring logic, if a flow measurement is above the prescribed maximum value, it is called an error, but this error must occur 32 consecutive times for the error to be handled and displayed. This means that the error could occur 31 times, then appear within range once, then appear 31 times, etc., and never be reported…
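Finding 10 above, modelled as an added example (not the Alcotest source and not code from the quoted report): a consecutive-count error check using the 32-sample threshold the finding quotes, beside a sliding-window count that does flag the 31-errors-then-one-good pattern. FLOW_MAX, the window length, the window threshold, the function names and all sample values are assumptions constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CONSECUTIVE_LIMIT 32  /* threshold quoted in finding 10 */
#define FLOW_MAX 1000         /* assumption: hypothetical maximum flow reading */
#define WINDOW 64             /* assumption: sliding-window length in samples */
#define WINDOW_MAX_ERRORS 8   /* assumption: errors tolerated per window */

static bool out_of_range(uint16_t sample) { return sample > FLOW_MAX; }

/* Constructed input: bad_run out-of-range samples, then one good one, repeated. */
void fill_pattern(uint16_t *buf, size_t n, size_t bad_run)
{
    for (size_t i = 0; i < n; i++)
        buf[i] = (i % (bad_run + 1) < bad_run) ? FLOW_MAX + 50 : FLOW_MAX / 2;
}

size_t count_out_of_range(const uint16_t *buf, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (out_of_range(buf[i]))
            bad++;
    return bad;
}

/* The logic the finding describes: an error is only handled once it has
 * occurred CONSECUTIVE_LIMIT times in a row; any in-range sample resets
 * the run. Returns how many times an error would be reported. */
size_t reports_consecutive(const uint16_t *buf, size_t n)
{
    size_t run = 0, reports = 0;
    for (size_t i = 0; i < n; i++) {
        if (!out_of_range(buf[i])) {
            run = 0;                    /* one good sample wipes the history */
        } else if (++run == CONSECUTIVE_LIMIT) {
            reports++;
            run = 0;
        }
    }
    return reports;
}

/* Alternative check: count errors over the last WINDOW samples, so isolated
 * good readings cannot reset the evidence. Returns the index of the first
 * sample at which the error would be reported, or -1 if never. */
long first_report_windowed(const uint16_t *buf, size_t n)
{
    bool ring[WINDOW] = { false };
    size_t errors_in_window = 0;
    for (size_t i = 0; i < n; i++) {
        size_t slot = i % WINDOW;
        if (ring[slot])
            errors_in_window--;         /* oldest sample leaves the window */
        ring[slot] = out_of_range(buf[i]);
        if (ring[slot])
            errors_in_window++;
        if (errors_in_window > WINDOW_MAX_ERRORS)
            return (long)i;
    }
    return -1;
}

int main(void)
{
    uint16_t evasive[320];              /* ten cycles of 31 bad + 1 good */
    fill_pattern(evasive, 320, 31);
    printf("out-of-range samples:        %zu of 320\n",
           count_out_of_range(evasive, 320));
    printf("reports, consecutive check:  %zu\n",
           reports_consecutive(evasive, 320));
    printf("first report, window check:  sample %ld\n",
           first_report_windowed(evasive, 320));
    return 0;
}
```

On the constructed trace almost every sample is out of range, yet the consecutive check never fires because each run stops one short of the threshold.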

Data protection roundup

New guidance on meaning of "personal data"

The Article 29 Working Group has given a very comprehensive and helpful opinion on the meaning of personal data. It goes much further than the narrow approach in Durant v. Financial Services Authority, and specifically rejects the view that information must "have the data subject as its focus" before it can constitute personal data.

Data Retention Directive implemented in UK - but only for telephone data

The UK has now implemented the Data Retention Directive in respect of telephone records, choosing a one year retention period. The implementation of the Directive in respect of internet activity has been deferred pending further consultation.

Manual data to be treated in the same way as computerised data

The Data Protection Acts will apply in full to manual data from 24 October 2007. When the 2003 Act extended the data protection principles from computerised data to include manual data (such as paper files) it provided for a four year transitional period in which existing manual data would be exempt from sections 2, 2A and 2B of the Acts (dealing with the collection, processing, keeping and use of personal data and sensitive personal data). That transitional period ends on 24 October, which may cause problems for organisations which have older files which are not compliant with the new law.

Tuesday, July 24, 2007

Australian judges - uncut

The Australian outlines what some of Australia's most senior judges said about their roles when promised anonymity:
[S]ome judges are committed activists who believe those who criticise their approach are "vociferous red-neck people"...

"Perhaps it's illegitimate to pull the rabbit out of the hat, but it's nice to see it emerging," said one High Court judge...

While some judges see judicial activism as their duty, others are still seething over what they see as the High Court's illegitimate law-making under former chief justice Anthony Mason.

"Madness let loose," is how one judge described the Mason court. The Mason court, which recognised Aboriginal native title and implied constitutional rights, was also denounced for cooking up "some pretty funny menus".

Its decisions on implied rights were "silly", "sneaky" and "the worst single feature of Australian constitutional law in the last 20 years", the judge said.

The court's Mabo decision on native title received particular criticism. Another judge said the Mason court's development of implied constitutional rights had created a "looseleaf constitution". "We've said bugger the constitution. We'll tell you what should be there. It's very distressing," one judge said.
The story is based on research carried out by political scientist Jason L. Pierce for his PhD, which was ultimately published as Inside the Mason Court Revolution: The High Court of Australia Transformed. [The full PhD thesis is available online.] The central theme is summarised in this review:
Orthodoxy expects certainty in judicial decisions that narrowly apply the law to the resolution of disputes between private parties. Politics and the law occupy separate realms where judges serve as caretakers guarding the boundaries between the two. Without a bill of rights and given the federal structure of Australia, orthodoxy presumed the High Court’s responsibility dealt almost exclusively with the division of powers between the states and federal government. Legal reasoning was declaratory in nature, closely bound by the text of the law, and governed by precedent. Evolution in legal rules occurred interstitially according to common law tradition as existing rules were applied to novel situations. The “politicized” role turned orthodoxy on its head. Uncertainty was acknowledged. New rationales for decisions besides text and precedent were put forward. A “public model” of High Court litigation encouraging a wider range of participants emerged. The High Court stretched its jurisprudential horizons to include public policy questions of justice and personal rights that parliament had failed to address. MABO and implied rights naturally followed. And so did political challenges and eventually the High Court’s retreat from this politicized role.
I'll be reading this with interest, bearing in mind possible parallels with what Keane CJ described as Ireland's own "tide of judicial lawmaking", albeit one that has "receded somewhat in recent years". And, I confess, I'll also be enjoying the candour of the Australian judges:
Q: What impact did the retirement of Justices Brennan, Dawson, and Toohey have on the High Court?
Judge: A slight swing to the right. Toohey was a terrible communist. Brennan wasn’t much better.
Q: What do you mean by ‘communist’?
Judge: [Toohey] is always dripping with sympathy for the underdog, whether it was deserved or not. He always thought that the employee should win against the employers. He was a ghastly mistake.
Q: What impact will the retirement of Chief Justice Brennan and appointment of Chief Justice Gleeson have, in your mind?
Judge: Well, we’ll get back to law and not sociology. Gleeson’s a very good lawyer and since he hasn’t got a heart, there’s no danger of him being sort of over muffling to anyone. He’ll just apply strict rules. Bang, bang, bang. That’s it. [p.73 of the Thesis PDF]

Monday, July 23, 2007

Mobile phone registration: Of limited benefit, will not solve problems and not practical

The Independent reports:
ALL mobile phones will have to be registered as part of a Government plan to improve surveillance on drug dealers.

Currently, any person can buy a pay-as-you-go mobile phone anonymously, which makes it harder for the gardai to track those involved in the drugs trade.

In an interview with the Irish Independent, new Drugs Minister Pat Carey said registry would help to tackle the "rampant use" of mobile phones in prisons, as well as small-time dealers working in the "shopping-centre carpark, the church car park or the local football field".

"If you've nothing to hide, you've nothing to fear. There may well be confidentiality or civil liberties issues but there are lives of people at stake as well, which I believe overrides any of those."
This policy is a nonsense. But don't take my word for it. Here's an email which Antoin received from the Department of Communications, Marine and Natural Resources in January of this year:
The idea for a Register of mobile phones was extensively reviewed by officials in the Department. There were many complex legal, technical, data protection and practical issues to be considered. In theory, a Register of mobile phones might seem like a good idea. However, having looked at the situation in other administrations, considered the ease with which an unregistered foreign or stolen SIM card can be used and the difficulties that would be posed in verifying identity in the absence of a national identification card system, and having consulted with the Office of the Attorney General and other interested parties, it was concluded that the proposal would be of limited benefit, in that it would not solve the illegal and inappropriate use of pre-paid mobile phones and was not practical.
Incidentally, I'd be intrigued to know how this will stop the "rampant use of mobile phones in prisons". Perhaps Pat Carey might think about preventing prisoners from having mobile phones in the first place?

Wednesday, July 18, 2007

Can ISPs be required to block file-sharing?

EDRI has a very good summary of the remarkable decision in SABAM vs SA Scarlet which requires a Belgian ISP to monitor its network so as to block the sharing of copyrighted files over peer to peer networks:
In an unprecedented decision, the Court of First Instance in Bruxelles has ordered Scarlet, a Belgium ISP, to implement technical measures in order to prohibit its users to illegally download music files.

The decision comes after a complaint initiated in 2004 by Sabam (Belgian Society of Authors, Composers and Publishers) against the Belgium ISP Tiscali, now renamed as Scarlet. A first intermediary ruling of 26 November 2004 accepted the possibility for an ISP to disconnect customers if they violate copyrights, and block the access for all customers to websites offering file-sharing programs. But further technical clarifications were needed, so an expert was appointed in order to present its opinions.

In a report published on 3 January 2007, the expert presented 11 solutions that could be applied in order to block or filter the file-sharing, and seven of them could be applied by Scarlet.

The court has decided that Scarlet need now to implement one or more technical measures in order to stop the copyright infringement, by making it impossible for its subscribers to send or receive music files from the repertoire of Sabam via p2p software. Scarlet also needs to inform Sabam on the technical measures that will be implemented. The decision needs to be implemented in 6 months, or the ISP must pay 2 500 euros /day as damages for non-compliance.

The decision did not consider the issues regarding privacy, freedom of expression or the right to the secrecy of the correspondence. Scarlet also claimed that the duty imposed by the court is a general obligation to monitor the network, that is contrary to the EU E-commerce Directive. But the court stated that the decision was not an obligation to monitor the network and that the solutions identified by the expert were just technical measures allowing blocking or filtering certain information sent through the Scarlet's network.
There is a tension here between different aspects of European law. Copyright law requires member states to give copyright holders effective remedies against infringement - including injunctions against intermediaries who facilitate infringement. On the other hand, the E-Commerce Directive recognises that it would be impossible to operate a regime where ISPs were responsible for the activities of their users, and establishes protections for ISPs including a provision which prevents member states from imposing a general duty on ISPs to monitor their networks for illegal activity. This decision appears to privilege copyright law over the safeguards of the E-Commerce Directive, privacy of users, and freedom of expression and, if upheld, will result in ISPs becoming privatised censors (at their own cost, no less). Once the technology is put in place to prevent one type of material being distributed, we can expect function creep as other interest groups seek to censor other material also.

Tuesday, July 17, 2007

Australian challenge to Google advertising practices - implications for Ireland?

Silicon Republic reports that the Australian Competition and Consumer Commission has launched a challenge to how Google (and, by implication, other search engines) serve up advertising with search results:
Search giant Google, including named subsidiaries in Ireland and Australia, is being taken to court by the Australian Competition and Consumer Commission over the way it sells and displays its sponsored links.

Google is being sued by an Australian body over the practice of buying adverts next to search terms.

The Australian Competition and Consumer Commission (ACCC) is alleging that Google and one of its advertisers, the Australian shopping portal Trading Post, purchased ads next to the search terms “Kloster Ford” and “Charlestown Toyota”, two of its leading competitors.

The nub of the issue is that Google failed to make it clear that these words were not “organic” search results.

“This is the first action of its type globally,” the ACCC said in a statement. “Whilst Google has faced court action overseas, particularly in the United States, France and Belgium, this generally has been in relation to trademark use.

“Although the US anti-trust authority the Federal Trade Commission has examined similar issues, the ACCC understands that it is the first regulatory body to seek legal clarification of Google's conduct from a trade practices perspective.”

The ACCC says it has instituted legal proceedings in the Federal Court, Sydney, against Trading Post Australia Pty Ltd, Google Inc, Google Ireland Limited and Google Australia Pty Ltd alleging misleading and deceptive conduct in relation to sponsored links that appeared on the Google website.

“The ACCC is alleging that Trading Post contravened sections 52 and 53(d) of the Trade Practices Act 1974 in 2005 when the business names ‘Kloster Ford’ and ‘Charlestown Toyota’ appeared in the title of Google-sponsored links to Trading Post's website. Kloster Ford and Charlestown Toyota are Newcastle car dealerships who compete against Trading Post in automotive sales.”

The ACCC is alleging that Google, by causing the Kloster Ford and Charlestown Toyota links to be published on its website, engaged in misleading and deceptive conduct in breach of section 52 of the Act.

It is also alleging that Google, by failing to adequately distinguish sponsored links from “organic” search results has engaged and continues to engage in misleading and deceptive conduct that breaches Australian law.

Google Australia has described the lawsuit as an attack on all search engines and vowed to defend itself.

Google has won similar cases in the US courts brought by car insurance company Geico and IT support company Rescue.com.

The search giant lost a case in France whereby a fashion company accused the company of running links to counterfeit goods alongside legitimate results.

A US home furniture company, American Blind & Wallpaper Factory, is currently embroiled in a legal battle with Google alleging searches for the company brought up sponsored links brought by competitors.
While the ACCC press release and the stories about it aren't entirely clear, it seems that three separate issues are involved - (a) the use of competitors' names / trademarks as keywords to trigger advertising; (b) the use of those names / trademarks in the advertisement itself; and (c) whether the search results make clear the distinction between paid advertisements and "organic" search results.

How significant is this challenge from an Irish law perspective? Issues (a) and (b) have already been heavily litigated elsewhere, and I've discussed them in an article on keywords and metatags (with Paul Lambert). In that article we point out that in Europe the courts have leaned against the use of competitors' trademarks in the text of advertisements and have generally prohibited the use of competitors' trademarks as keywords. Consequently search engine policies here already refuse to allow the use of competitors' trademarks in the text of advertisements, and either refuse to sell trademarks as keywords or impose restrictions on so doing. To that extent it's unlikely that this ACCC action will have any great effect here. It is true that the majority of cases to date have been taken from a different legal perspective (trademark infringement or passing off rather than trade practices) but the issue is essentially the same regardless of the legal theory - have consumers been deceived as to the affiliation of the result?

Issue (c) may be more interesting. What does a search engine have to do to distinguish paid from organic search results? As the ACCC points out, the industry norm is developed from a 2002 recommendation of the US Federal Trade Commission which arose from this complaint against Altavista and others. That recommendation has led to most search engines using terms such as "sponsored results" or "sponsor results" to distinguish advertising from organic results, usually with either a different colour background or a line separating the advertising from the results. However, it's frequently said that consumers still have difficulty distinguishing between them. (Although one English judge has asserted that "The web-using member of the public knows that all sorts of banners appear when he or she does a search and they are or may be triggered by something in the search. He or she also knows that searches produce fuzzy results – results with much rubbish thrown in.")

If the ACCC can establish consumer confusion between results and advertising, the outcome is likely to be that search engines will be required to take steps to further segregate advertising from results, potentially reducing click through rates and revenue substantially - and this may have knock on effects for other jurisdictions, including Ireland.

Thursday, July 12, 2007

Your private information is for sale: Telephone Records ctd.

From the Sunday Independent, still more evidence that your telephone records are for sale to the highest bidder:
IRELAND has become a centre for commercial espionage with Dublin "like Berlin in the Cold War", according to a former top CIA operative.

The claims were made by Robert Baer who began his career as a spy when he became case officer with the CIA Directorate of Operations.

During a 20-year career as a covert operative, he had field assignments in India, Beirut, Tajikistan and northern Iraq.

"Let's say I wanted to know about you. The first thing I want is cell-phone records. Let's say I've got your landline number. From your landline I can do a data search and I can get your cell phone number in Ireland very easily," he said.

Mr Baer claimed that if he wanted to find a list of calls made from any mobile phone in the last six months, he could buy that information from a Dublin-based firm.

Monday, July 02, 2007

Defamation, search engines and the E-Commerce Directive

I'm quoted in the Sunday Tribune on the impact of Irish defamation laws on search engines. Unfortunately I have to quibble slightly with how the law is described in the article, which may be due to a breakdown in communications between myself and the author. Full text and my comments follow:
GOOGLE is facing a landmark defamation suit in Britain that could have repercussions for Ireland's attractiveness as a destination for online businesses.

The search giant has been sued by London businessman Brian Retkin, who claims the US company is responsible for providing links to inaccurate or malicious information about him and his business posted anonymously on the internet.

Irish legal observers, and Google's Dublin based legal eagles at its European headquarters, are watching the case unfold as defamation laws in the Republic are significantly less up-to-date than English laws on online libel.

The main difference is that internet service providers and online product providers such as Google have specific legal devices available to them under British defamation law and the EU's e-commerce directive, whereas in Ireland the laws have not been updated to take account of the information revolution.

"It's ridiculous because we're advertising ourselves as a knowledge economy and aiming to attract more companies like Google and Ebay here, but we're not giving them the legal protection they need in terms of defamation," says barrister and digital rights campaigner TJ McIntyre.

The law lecturer claims there is a danger of Dublin courts attracting "libel tourism", much as London attracts so-called divorce tourism because of the reputation of English judges in awarding large pay-outs.

"Ireland's defamation laws are rooted in the middle of the last century, and even if [Michael] McDowell's proposed reforms in his defamation bill went through there would still be no mention of specific defences for online publishers."

The Retkin allegations are believed to have originated in America, where it is much more difficult to succeed in a libel claim because US judges have ruled that search engines and other internet service providers are immune from defamation lawsuits.

In Ireland, an online publisher could be treated as a disseminator of libel in much the same way as a newsagent can theoretically be sued for distributing newspapers containing defamatory content.

With Google linking to 11.5 billion web pages, potential financial damages in an Irish court could be staggering.

A spokesman for Google would not comment on the specifics of the case. "The company would reiterate that it has no connection or ability to direct or influence the content of web pages which may be shown as links within any given set of search results."
My quibble is with this passage:
[D]efamation laws in the Republic are significantly less up-to-date than English laws on online libel.

The main difference is that internet service providers and online product providers such as Google have specific legal devices available to them under British defamation law and the EU's e-commerce directive, whereas in Ireland the laws have not been updated to take account of the information revolution.
In fact, Irish and UK laws on intermediary liability are quite similar - both the Irish and UK Regulations adopt a minimalist approach to implementing the E-Commerce Directive (which has been transposed into Irish law, contrary to what the article might suggest). The problem for search engines and other intermediaries is that the E-Commerce Directive does not go far enough. Under the Directive a limited immunity is given to three classes of intermediaries - caches, hosts, and mere conduits. This, however, leaves other internet intermediaries out in the cold. Search engines, providers of hyperlinks and content aggregators are analogous to hosts or mere conduits (they facilitate access to material but do not control it or have knowledge of its content) - but they do not enjoy comparable protection under the Directive.

Several European countries have decided that the Directive is too narrow - Austria, Hungary, Portugal and Spain, amongst others, have created additional protections for search engines. The European Commission has also encouraged Member States to extend protection to other internet intermediaries. The risk for Ireland is that we may become less attractive as a destination for these businesses if Irish law does not follow suit. The Defamation Bill 2006 should have provided an opportunity to consider this issue - but that Bill would not have changed the law in this area had it been enacted.

On the libel tourism point, possibly the best Irish example is USA Rugby Football Union Limited v. Ivan Calhoun. In that case, although the plaintiffs ultimately failed to have the Irish courts accept their case, they succeeded in subjecting the defendant to two years of litigation (in both the Circuit Court and High Court) despite the lack of any real connection to Ireland, and despite the fact that the material published would not have been actionable in the United States.