Monday, December 22, 2008

Some thoughts on the IWF / Wikipedia debacle

One of the highest profile internet stories of December came when the Internet Watch Foundation placed a Wikipedia page on its black list of child pornography URLs, causing the page itself to be blocked by most UK ISPs and (more significantly) causing substantial collateral damage by preventing many UK users from being able to edit Wikipedia pages.

Now, after heavy criticism from internet users, the IWF has executed a hasty about turn, backing down after just five days. Though it still claims that the image in question is "potentially in breach of the Protection of Children Act 1978", nevertheless it has stated that given the "contextual issues involved in this specific case" and "in light of the length of time the image has existed and its wide availability, the decision has been taken to remove this webpage from our list".

While it's too soon to say what the long term implications of this might be, in the short term it has certainly damaged the reputation of the IWF, perhaps irreparably. As John Ozimek has pointed out, other actions of the IWF must now come into question:
So the scene was set for the IWF to take a fall. Gone is its record for 100 per cent undisputed blocking. Gone, too, is its reputation for being the undisputed good guy. Many people have looked at the image in question and have taken the view that it is not porn, or indecent, or abuse. Having made that judgement, they have started to ask questions about other imagery that the IWF has sought to block.

The absolute certainties that underpin a view that claims indecency is always porn is always abuse are shaken. Not least by reports that the child - now an adult - whose image lies at the heart of this controversy, is reported to have no regrets at all in respect of the photo.
It has also tarnished the IWF's legitimacy. In large part this rests on claims that it operates a formal mechanism for identifying material to be blocked, along with a (semi-) independent appeals procedure. But the ad hoc nature of the decision making in this case - where the IWF board ignored the results of its own appeals procedure - suggests that there are different rules in place for high profile sites with vocal supporters. Lilian Edwards puts the point well:
Non-accountable: the IWF`applied their own appeals procedure to the decision, after media pressure, and reversed it. Effectively they changed their mind. This is not how true courts and tribunals work, where an appeal must be heard by a seperate body with an account of what factors lead to a different legal decision. The IWF may have truely reconsidered their opinion as to the law (although their own press release rather speaks against this), but they may equally well have simply bent to public pressure, or practical enforcement problems. For those who truly want an objective system which responsibly cracks down on child porn, this is surely unacceptable. Justice is a system, not an arbitrary private discretion.
The incident has also compromised claims for the technical efficiency of UK internet filtering. While at least one UK ISP has resorted to a crude form of IP blocking, the two stage filtering process pioneered by BT (as its "Cleanfeed" system) has been sold on the basis that it can effectively block specific URLs without degrading network performance and with no collateral damage to legitimate content. That has been shown not to be the case. As Richard Clayton points out in a comprehensive post on the technical aspects of the system:
To sum up the key technical matters: the IWF chose to filter text pages on Wikipedia rather than just the images they were concerned about; the use of proxies by ISPs broke Wikipedia’s security model that prevents vandalism; the previous controversy about the Virgin Killers album cover meant that IWF’s URLs were quickly identified; however different capitalisations of URLs, the different blocking technologies, and the different implementation timescales led to considerable confusion as to who blocked what and when.

Some of these matters could be described as "human error" and might be done better in any re-run of these events with any of the other questionable images hosted on Wikipedia (and many other mainstream sites). However, most of the differences in the effectiveness of the attempted censorship stem directly from diverse blocking system designs — and we can expect to see them recur in future incidents. The bottom line is that these blocking systems are fragile, easy to evade (even unintentionally), and little more than a fig leaf to save the IWF’s blushes in being so ineffective at getting child abuse image websites removed in a timely manner.
The case has also thrown up issues of selective enforcement and parity of treatment between offline and online content. The IWF blacklisted this image only when hosted by Wikipeda - despite the fact that the same image was hosted by online retailers (and, indeed, has appeared on the cover of albums in your local record shop for the last thirty years). This disparity was bound to cause criticism, and the IWF's response - that it only acts on complaints received by it - has been felt by many to be inadequate.

Many users - when made aware of the blocking - also questioned the deceptive error messages used by most ISPs. Although some (notably Demon Internet) show pages indicating that content has been blocked, most ISPs appeared to be using fake 404 pages. It is far from clear why this is done, particularly when the practice in many jurisdictions using similar systems is to use block pages telling users why content has been blocked and what they can do if they feel that this is a mistake. (E.g. Sweden | Finland.)

The approach taken by the IWF to borderline images and fair procedures also comes into question. On their own admission they blocked the image on the basis that it was "potentially illegal" - and did so without notifying Wikipedia much less offering a right to be heard. One Wikipedia admin board sums up this point well:
The image is not certain to be illegal. In the IWFs own words the image was judged to be "potentially illegal indecent image of a child under the age of 18, but hosted outside the UK". The album has been for sale in many countries with this cover for over 30 years. No one has ever been prosecuted over the image as far as is known. The FBI investigated a report of this album cover in spring 2008 and decided to take no action. The Wikimedia Foundation has not been requested by the FBI or any other law enforcement agency to remove the image and has certainly not been charged over it. The ultimate arbiter of whether an image is illegal is a court of law, in particular a jury, and not a self-selecting group, however well-intentioned their motives.

The IWF blocked access to a page on one of the world's most-visited websites without informing its owners. We understand that their policy is not to contact any of the hosts they block, but commonsense should have told them that blocking such a website might have unforeseen consequences. In particular, they failed to understand that whereas a block of the article itself may well amount to restraint on the guaranteed freedom to receive and impart information, the image itself is uploaded from a different URL which could have been separately blocked by the ISPs with whom they are in partnership; in this way, they demonstrate a complete lack of understanding of how websites work, which is chilling in the extreme for a supposed Internet Watchdog.
Taking a longer term view, this incident means that any widening of the IWF's remit is now likely to be put on hold. There have been suggestions in the past that the blacklist should be extended to e.g. websites which "glorify terrorism", while the police and Ministry of Justice have already been advising individuals to refer alleged "extreme pornography" images to the IWF for assessment - however, in light of the considerable reputational damage caused by the Wikipedia ban the IWF is likely to be more cautious before it takes on any new roles.

Of course, it's not just in the UK that these debates are taking place - in the United States for example there are striking parallels about the way in which an private body (the National Center for Missing and Exploited Children) has become an "unofficial internet regulator" carrying out internet censorship without any legislative basis, oversight or transparency. Chris Soghoian has an insightful editorial with more detail.

Increased criminal penalties for spammers

In good news for Irish internet and mobile phone users the sending of spam has for the first time become an indictable offence, carrying a possible maximum penalty of €250,000 or up to 10% of a company's turnover (Sunday Times, Silicon Republic). Most cases will presumably remain in the District Court, where the maximum penalty is increased to €3,000. The changes should substantially strengthen the hand of the Data Protection Commissioner in dealing with persistent offenders.

Update - 12 January 2009: The full text of the amending statutory instrument is now available. Other changes made by the SI include extending to two years the period in which summary prosecutions can be brought, providing that in prosecutions where consent is an issue the burden of proof rests on the defendant to show that a subscriber opted in, clarifying the scope of the soft opt-in provision in respect of similar goods or services, and providing that an officer of a company can be prosecuted without the need first to proceed against or convict the company of the offence.

Wednesday, December 17, 2008

Mobile phone bullying - operators try to ward off regulation?

The Irish Times is reporting that the major mobile operators have launched a new pamphlet aimed at helping parents deal with issues such as mobile phone bullying. A response to recent political demands that the industry be required to implement (rather ill conceived) technological solutions?

It's probably worth mentioning that this is taking place against the backdrop of European initiatives on safer mobile use under which the industry has agreed to implement national self-regulation.

HEAnet Conference - video and slides now available


The HEAnet National Networking Conference took place last month in Kilkenny and the organisers have now put up video and slides for all presenters. I'm obviously biased in recommending my own presentation "Here come the Internet cops" (final keynote) but other highlights for me included Aidan Carty and Anthony Keane's "Honeypots and Darknets - What are they good for?" and Cathal McCauley and Peter Clarke's "Second Life - Brave New Frontier or Fleeting Gimmick?".

Monday, December 08, 2008

Internet Watch Foundation blocks Wikipedia

The internet - and more significantly the mainstream media - is abuzz with the news that the hitherto low profile Internet Watch Foundation has blacklisted a Wikipedia page. The IWF blacklist - more formally the Child Sexual Abuse Content URL List - is a list of URLs alleged to contain child pornography, which UK ISPs have "voluntarily" agreed to block (that is, they volunteered when the government indicated that if they did not legislation would be introduced compelling them to do so).

This presents all sorts of interesting problems for the law and civil liberties. There is no legislation underpinning the IWF, which is a purely private body. There is no judicial control of its activities, and the process by which it blocks sites is particularly opaque (it does not notify site owners either before or after sites are blocked, nor does it offer a right to be heard). It does claim to offer a right of appeal against blocking, but that is not an appeal to an independent body but to a division of the Metropolitan Police. In short, it has (with government backing) implemented a remarkable system of censorship which departs from almost every traditional understanding of freedom of expression in the UK.

I've been following the development of this system for some time now, and I spoke about some of these issues in this paper at the 2008 BILETA Conference in Glasgow:

Friday, December 05, 2008

UK DNA database held to be in breach of European Convention on Human Rights

Good news from the European Court of Human Rights, which has held that the UK DNA database - the largest in the world, containing the DNA of hundreds of thousands of innocent people (amongst them forty thousand children) - is in breach of Article 8 of the ECHR on private and family life. Here are some highlights from the decision:
The Court observes that the protection afforded by Article 8 of the Convention would be unacceptably weakened if the use of modern scientific techniques in the criminal-justice system were allowed at any cost and without carefully balancing the potential benefits of the extensive use of such techniques against important private-life interests. In the Court's view, the strong consensus existing among the Contracting States in this respect is of considerable importance and narrows the margin of appreciation left to the respondent State in the assessment of the permissible limits of the interference with private life in this sphere. The Court considers that any State claiming a pioneer role in the development of new technologies bears special responsibility for striking the right balance in this regard.
...
The Court acknowledges that the level of interference with the applicants' right to private life may be different for each of the three different categories of personal data retained. The retention of cellular samples is particularly intrusive given the wealth of genetic and health information contained therein. However, such an indiscriminate and open-ended retention regime as the one in issue calls for careful scrutiny regardless of these differences.
...
Of particular concern in the present context is the risk of stigmatisation, stemming from the fact that persons in the position of the applicants, who have not been convicted of any offence and are entitled to the presumption of innocence, are treated in the same way as convicted persons. In this respect, the Court must bear in mind that the right of every person under the Convention to be presumed innocent includes the general rule that no suspicion regarding an accused's innocence may be voiced after his acquittal (see Asan Rushiti v. Austria, no. 28389/95, § 31, 21 March 2000, with further references). It is true that the retention of the applicants' private data cannot be equated with the voicing of suspicions. Nonetheless, their perception that they are not being treated as innocent is heightened by the fact that their data are retained indefinitely in the same way as the data of convicted persons, while the data of those who have never been suspected of an offence are required to be destroyed.
...
The Court further considers that the retention of the unconvicted persons' data may be especially harmful in the case of minors such as the first applicant, given their special situation and the importance of their development and integration in society. The Court has already emphasised, drawing on the provisions of Article 40 of the UN Convention on the Rights of the Child of 1989, the special position of minors in the criminal-justice sphere and has noted in particular the need for the protection of their privacy at criminal trials (see T. v. the United Kingdom [GC], no. 24724/94, §§ 75 and 85, 16 December 1999). In the same way, the Court considers that particular attention should be paid to the protection of juveniles from any detriment that may result from the retention by the authorities of their private data following acquittals of a criminal offence. The Court shares the view of the Nuffield Council as to the impact on young persons of the indefinite retention of their DNA material and notes the Council's concerns that the policies applied have led to the over-representation in the database of young persons and ethnic minorities, who have not been convicted of any crime (see paragraphs 38-40 above).
...
In conclusion, the Court finds that the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences, as applied in the case of the present applicants, fails to strike a fair balance between the competing public and private interests and that the respondent State has overstepped any acceptable margin of appreciation in this regard. Accordingly, the retention at issue constitutes a disproportionate interference with the applicants' right to respect for private life and cannot be regarded as necessary in a democratic society. This conclusion obviates the need for the Court to consider the applicants' criticism regarding the adequacy of certain particular safeguards, such as too broad an access to the personal data concerned and insufficient protection against the misuse or abuse of such data.
That last sentence is key - the court is holding that the principle of retention itself is unacceptable, irrespective of the procedural safeguards that might apply to access to or use of the genetic data.

Tuesday, December 02, 2008

Identifying Individuals in Internet Iniquity: ECHR rules on naming wrongdoers

The European Court of Human Rights gave an important decision today in KU v. Finland, dealing with the issue of whether states are obliged to have laws which allow for the identification of internet wrongdoers. In short, according to the court the answer is yes - national laws must "provide the framework for reconciling the various claims which compete for protection in this context" and a national law which gives an absolute guarantee of anonymity and confidentiality of communication may breach the rights of persons who are affected by online wrongdoing.

In this case the applicant, who was then aged 12, was the victim of a fake personal ad giving his name, phone number, date of birth and his picture and claiming that he was looking for a homosexual relationship. The applicant learned of this when he received a phone call from an older man. Although that man was eventually identified and charged with an offence the person who placed the ad remained unidentified. The police sought to find out (from the ISP) the name of the subscriber behind the dynamic IP address used to place the ad. The service provider however was advised that it was bound by the duty of the confidentiality of telecommunications and could not reveal the user's identity. The Finnish courts ultimately agreed, holding that the law as it stood provided for this information to be revealed only in respect of specified criminal offences - and although defamation ("calumny") was a criminal offence, it was not a sufficiently serious offence to fall within the scope of the legislation.

The applicant applied to the European Court of Human Rights, claiming that the fake ad constituted a violation of his right to a private life under Art. 8 of the ECHR, and that as he could not identify the person responsible he had been denied an effective remedy for that violation under Art. 13 ECHR.

The court held that Finland was in breach of its obligations under Article 8, in that it had not provided an effective criminal sanction for the violation of the applicant's rights. The fact that a remedy was available against a third party - the service provider - was not sufficient. This did not mean that the identity of the person responsible would have to be revealed in every case - but national law must provide a framework within which a decision could be made balancing the rights of a victim with the considerations of freedom of expression and confidentiality of communications. As the national law at the relevant time failed to do this (prohibiting disclosure except in a narrow class of cases) it was in breach of Article 8. Consequently the court did not go on to consider the issue under Article 13. The relevant passages are worth quoting in full:
45. The Court considers that, while this case might not attain the seriousness of X and Y v. the Netherlands, where a breach of Article 8 arose from the lack of an effective criminal sanction for the rape of a handicapped girl, it cannot be treated as trivial. The act was criminal, involved a minor and made him a target for approaches by paedophiles...
46. The Government conceded that at the time the operator of the server could not be ordered to provide information identifying the offender. They argued that protection was provided by the mere existence of the criminal offence of calumny and by the possibility of bringing criminal charges or an action for damages against the server operator. As to the former, the Court notes that the existence of an offence has limited deterrent effects if there is no means to identify the actual offender and to bring him to justice...
47. As to the Government's argument that the applicant had the possibility to obtain damages from a third party, namely the service provider, the Court considers that it was not sufficient in the circumstances of this case. It is plain that both the public interest and the protection of the interests of victims of crimes committed against their physical or psychological well-being require the availability of a remedy enabling the actual offender to be identified and brought to justice, in the instant case the person who placed the advertisement in the applicant's name, and the victim to obtain financial reparation from him.
48. The Court accepts that in view of the difficulties involved in policing modern societies, a positive obligation must be interpreted in a way which does not impose an impossible or disproportionate burden on the authorities or, as in this case, the legislator. Another relevant consideration is the need to ensure that powers to control, prevent and investigate crime are exercised in a manner which fully respects the due process and other guarantees which legitimately place restraints on crime investigation and bringing offenders to justice, including the guarantees contained in Articles 8 and 10 of the Convention, guarantees which offenders themselves can rely on. The Court is sensitive to the Government's argument that any legislative shortcoming should be seen in its social context at the time. The Court notes at the same time that the relevant incident took place in 1999, that is, at a time when it was well-known that the Internet, precisely because of its anonymous character, could be used for criminal purposes (see paragraphs 22 and 24 above). Also the widespread problem of child sexual abuse had become well-known over the preceding decade. Therefore, it cannot be said that the respondent Government did not have the opportunity to put in place a system to protect child victims from being exposed as targets for paedophiliac approaches via the Internet.
49. The Court considers that practical and effective protection of the applicant required that effective steps be taken to identify and prosecute the perpetrator, that is, the person who placed the advertisement. In the instant case such protection was not afforded. An effective investigation could never be launched because of an overriding requirement of confidentiality. Although freedom of expression and confidentiality of communications are primary considerations and users of telecommunications and Internet services must have a guarantee that their own privacy and freedom of expression will be respected, such guarantee cannot be absolute and must yield on occasion to other legitimate imperatives, such as the prevention of disorder or crime or the protection of the rights and freedoms of others. Without prejudice to the question whether the conduct of the person who placed the offending advertisement on the Internet can attract the protection of Articles 8 and 10, having regard to its reprehensible nature, it is nonetheless the task of the legislator to provide the framework for reconciling the various claims which compete for protection in this context. Such framework was not however in place at the material time, with the result that Finland's positive obligation with respect to the applicant could not be discharged.
When I blogged about this case before, I mentioned concerns that it might require states to introduce much wider rules to identify internet users. Is it likely to have this effect? While it's difficult to make an immediate assessment, there are factors in the judgment which could go either way. The court points out that it is dealing with a "grave" criminal offence, which leaves open the question of whether the reasoning would apply to less serious offences or to civil matters only. It also limits itself to requiring a national balancing framework between the rights of an alleged victim and the general rights of privacy in communications and freedom of expression - presumably within that framework states will enjoy a significant margin of appreciation. On the other hand, it rejects the argument that other systems (such as notice and takedown or intermediary liability) can suffice, insisting instead on requiring identification of users. It also focuses on the "ability of the victim to obtain financial reparation", which seems to extend the reasoning to civil matters also. On the whole, the judgment raises more questions than it answers, and these issues will need to be addressed in future cases.

Monday, December 01, 2008

James Boyle - The Public Domain

James Boyle is one of the most interesting people working in the area of intellectual property. His 1996 book Shamans, Software, and Spleens was an early and engaging look at whether intellectual property law had become tilted too heavily in favour of rights-holders. In Bound by Law he collaborated with Keith Aoki and Jennifer Jenkins to produce something other than "grey lawyerly prose" - an entertaining comic book guide to the way in which IP law is crippling documentary film-makers. He's chair of the Creative Commons board. Oh, and he also writes novels.

In his latest book - The Public Domain: Enclosing the Commons of the Mind - he has produced another fascinating read. Starting by asking just why the US government issued a patent on making peanut butter and jelly sandwiches(!) he argues that we have allowed IP law to grow in an almost unfettered way and that this "New Enclosure Movement" has created an environment which stifles creativity and jeopardises the notion of the public domain.

Best of all, he's practising what he preaches by making the book available in its entirety for free under a Creative Commons licence.

Monday, November 24, 2008

Has the Internet Governance Forum really been a success?

In the run up to the third Internet Governance Forum (IGF) in Hyderabad it's worth asking how successful the IGF has been since its establishment. "Not very" is the view of Jeremy Malcolm, who has argued that the IGF is compromised by the fact that many issues (such as copyright enforcement and the oversight of ICANN) have been essentially excluded from its consideration, with the result that policy is being made in other fora which privilege the views of particular vested interests:
Internet-related public policy issues continue to be addressed primarily in an ad hoc, isolated manner in individual stakeholder silos, outside the IGF, rather than in collaboration between stakeholder groups through the IGF...

Across a number of jurisdictions, organisations representing copyright owners have been privately negotiating with Internet Service Providers (ISPs) to limit or terminate the Internet access of customers suspected of illegally sharing copyright material online, without such alleged infringements having been proved to a court or other authority. Such negotiations take place in the shadow of the threat of government regulation, for which these organisations have also been strongly lobbying (so far with success in France). However because such discussions have taken place outside a multistakeholder policy body such as the IGF, they have been dominated by the voices of intellectual property holders, without the opportunity for Internet consumers to interject with balancing perspectives...

As another example of parallel initiatives in multistakeholder Internet governance that have bypassed the IGF, ICANN, although notionally an institution with a purely technical mandate, has continued to attempt to determine issues of public policy such as the balancing of privacy interests in the WHOIS service that identifies the ownership of Internet domains, and in setting non-technical specifications for the introduction of new top-level generic domain names (gTLDs).
The full paper, with suggestions for reform, is well worth reading. It's based in part on his PhD thesis - "Multi-Stakeholder Public Policy Governance and its Application to the Internet Governance Forum" - which is now also available online.

(Via the Internet Governance Project blog)

Tuesday, November 11, 2008

Computer surveillance - now available in your local corner shop


Despite knowing that computer surveillance is going mainstream I was still surprised to see this flyer in my local Spar. I wonder whether the installer will mention to employers the extensive law on surveillance of employees in the workplace.

Sunday, October 26, 2008

SABAM v. Scarlet: Belgian ISP released from obligation to filter network for illegal downloads

Significant news from Belgium where it's being reported that ISP Scarlet has succeeded in overturning the injunction requiring it to monitor users and filter out illegal peer to peer filesharing of music. That injunction, granted in June 2007, was the first in a series of attempts by the music industry to oblige ISPs to police their users, and was granted on the basis of evidence by SABAM (representing the industry) that monitoring downloads and filtering infringing content was both technically feasible and cost effective. Since then, however, Scarlet has demonstrated to the court that even the system of filtering suggested by SABAM - produced by Audible Magic - was technically unworkable and that SABAM had deceived the court by falsely representing that the technology had been used elsewhere (automatic translation). On that basis the trial court has set aside the order against Scarlet.

This is far from an end of the matter - it seems (though the reports are unclear) that the trial court still proposes to require Scarlet to filter if an effective solution can be found, an appeal against the original decision remains scheduled for the Court of Appeal in Brussels next year (automatic translation) and ultimately it looks likely that the ECJ will have to decide whether in principle ISPs can be obliged to filter user connections in this way. In the meantime, though, it's a significant blow for the music industry insofar as it undermines their argument that filtering is a technically viable solution. It also couldn't come at a better time for Eircom who will be defending an Irish rerun of the SABAM v. Scarlet litigation in the High Court in Dublin in the near future.

Edited to add (8.02.10): The Belgian courts have now made a prelimary reference to the European Court of Justice, which promises to be one of the most important cases yet on the scope of the E-Commerce Directive.

Monday, October 06, 2008

National Identity Fraud Prevention Week


Normally I'm not a fan of press releases dressed up as news stories. You know the type - "163% of Irish adults are Vitamin X deficient" (survey sponsored by manufacturers of Vitamin X). But I had to make an exception for this story on National Identity Fraud Prevention Week as the sponsors Fellowes (who unsurprisingly make shredders) have produced a very good site with tips on identity fraud, phishing and more. While I'm sure the savvy readers of this blog wouldn't dream of replying to that plausible looking email from PayPal, there are more subtle risks which are pointed out in an accessible way. Recommended.

Friday, October 03, 2008

European Court of Human Rights to hear case on whether online victims have a right to identify internet users

In K.U. v. Finland the European Court of Human Rights has decided to hear a potentially very significant case considering whether victims of online activity may have a right to identify the internet users alleged to be responsible.

In this case the applicant, who was then aged 12, was the victim of a fake personal ad giving his name, phone number, date of birth and his picture and claiming that he was looking for a homosexual relationship. The applicant learned of this when he received a phone call from an older man. Although that man was eventually identified and charged with an offence the person who placed the ad remained unidentified. The police sought to find out (from the ISP) the name of the subscriber behind the dynamic IP address used to place the ad. The service provider however was advised that it was bound by the duty of the confidentiality of telecommunications and could not reveal the user's identity. The Finnish courts ultimately agreed, holding that the law as it stood provided for this information to be revealed only in respect of specified criminal offences - and although defamation ("calumny") was a criminal offence, it was not a sufficiently serious offence to fall within the scope of the legislation.

The applicant applied to the European Court of Human Rights, claiming simply that the fake ad constituted a violation of his right to a private life under Art. 8 of the ECHR, and that as he could not identify the person responsible he had been denied an effective remedy for that violation under Art. 13 ECHR. The case is currently pending.

So why does the case matter? Although the facts are narrow, the implications may be quite wide and may require states to introduce much more extensive rules for identifying internet users. In particular (and I'm obliged to Patrick Breyer for these points) the action presupposes that an effective remedy for a victim requires the identification of (alleged) wrongdoers. But this overlooks the fact that other effective remedies (such as notice and takedown procedures and host liability) already exist and were provided for in Finnish law. In addition, the claim that access to this information must be available even in respect of minor crimes ignores the principle of proportionality - respected even in the Data Retention Directive - under which access to communications data should generally be limited to cases of serious crime. Similarly, most national caselaw has required a showing of proportionality before courts will order users' identities to be disclosed. I've written before about the issues involved in identifying internet users.

Mandatory reporting of missing data considered

According to the Irish Times, the Minister for Justice is now considering introducing mandatory reporting of missing data in Ireland. I've written more about these proposals - and why they might be too narrow - on the Digital Rights Ireland blog.

Tuesday, September 23, 2008

How to be sued by space cadets - Regtel, text messages and "Ireland's first astronaut"

Tom Higgins is a space cadet. Literally. He has signed a contract with Virgin Galactic for their forthcoming space tourism service and claims the grandiloquent and somewhat premature title of Ireland's first astronaut.

He's also the owner of Realm Communications, a company which runs premium text and chatline services such as Irish Psychics Live and which has, to say the least, a patchy record when it comes to sending spam text messages. In fact, the Data Protection Commissioner (DPC) is currently prosecuting Realm for sending these messages, something which Realm is seeking to head off by claiming in the High Court that the DPC is "obliged to seek an amicable resolution" before prosecuting an offender.

Now Realm is also suing Regtel - the industry self-regulatory body for premium rate telecommunications services. Why? After multiple complaints (e.g. 1, 2, 3) about Realm's Foneclub / MobileMania services, RegTel decided that Realm was operating in breach of its Code of Practice and decided to impose a 12 month suspension during which it would be unable to send premium messages. From the Irish Times:
ONE OF Ireland's best-known premium mobile phone text providers claims that its business would be 'wiped out' if a 12-month suspension from sending messages is imposed by the independent regulator (RegTel).

Realm Communications Ltd, Castle Drive City West business Park, Dublin, has brought High Court proceedings arising out of a finding by the Regulator of Premium Rate Telecommunications Services (RegTel) that its mobile phone credit service, FoneClub/ Mobile Mania, had breached the terms of its code of practice.

Realm was founded by businessman Tom Higgins and provides other services such as Irish Psychics Live, WebTarot, Century Psychics and Great Irish Breaks, as well as a live weather forecasting service. It argues that the findings made by RegTel following alleged complaints are unlawful.

Realm is seeking to have RegTel's adjudication and proposed sanctions, including the suspension of its services, quashed.
This case will, if it proceeds, be the first time that this industry self-regulation has been examined in the courts. (Realm Communications has, apparently, sued RegTel before, but that action doesn't seem to have made it to trial.) Ironically, this dispute comes just after the Minister for Communications announced his belief that self-regulation has failed and promised to amend the Broadcasting Bill 2008 to have RegTel's functions transferred to Comreg. In light of its apparent imminent demise, how keen will RegTel be to fight this particular battle?

Eoin O'Dell has more on how RegTel and the Data Protection Commissioner have been cooperating to stop mobile phone spam.

Update (4.11.08): Imminent demise or otherwise, RegTel appear to be keen to have the matter determined and have had the case transferred to the Commercial Court in order to "fast track" it.

Monday, September 22, 2008

Back to the future? Applying the Press Code of Practice retrospectively to online archives

Eoin's post on the statistics for the first six months of operation of the Press Ombudsman prompted me to browse the summaries of each case on the Ombudsman's site. There are a variety of issues in those cases, but one interesting feature was the apparent willingness of the Ombudsman and newspapers to apply the Code of Practice retrospectively. When initially established, the Press Ombudsman indicated that complaints would not be accepted in respect of material published prior to November 2007 - and in any event, the complaint must be made within three months of the material being published. Despite this, however, in two cases resolved by the Ombudsman newspapers were willing to take down material published by them between 2001 and 2004 but still available on their websites. Is this significant in itself? Probably not. The cases were resolved by conciliation - the Ombudsman doesn't seem to be asserting any formal power to comb over the archives. But it is indicative of an ongoing problem for editors, who increasingly have to stand over not just what they publish but also (via the online archives) what their predecessors might have published.

Thursday, August 14, 2008

US court upholds free / open source licences

Great news for the free software / open source world - in Jacobsen v. Katzer the US Court of Appeals for the Federal Circuit (a leading US IP court) has upheld a free software licence in a way which makes it much easier for the authors of free software to prevent its misuse. (The particular licence is the Artistic licence, but the principles apply across the board).

This is hugely significant as it resolves what has, until now, been a major dispute as to the effect of free software licences in US law.

The mainstream view - that of the proponents of free software (1, 2) - has been that free software licences set conditions on the use of the software. Breach those conditions (e.g. by modifying and then distributing code under a proprietary licence, or by failing to attribute) and the licence evaporates so that you are then infringing the copyright of the author. The full force of copyright law can then come into play - you can, for example, have an interlocutory injunction awarded against you restraining you from using the code.

Some, though, have argued that a free software licence amounts to a general licence to copy, modify, etc. with mere contractual restrictions on what the licensee can do. (E.g.) If true, this would mean that breaching the terms of the licence would merely be a breach of contract, not a breach of copyright. This would, for example, make it more difficult for the author to obtain an injunction against the infringer. It might also cast doubt on the enforceability of free software licences, for example by requiring authors to show that the elements of a contract were present before they could enforce restrictions against infringers.

Jacobsen v. Katzer resolves this argument conclusively in favour of the mainstream view, and holds that while free software licences may also have a contractual element, the restrictions they impose are conditions and not merely contractual restrictions. It also contains a striking judicial endorsement of the objectives and legitimacy of open source / free software generally.

Lessig and Groklaw have more.

Friday, August 08, 2008

Judge: Bulletin board users "say the first things that come into their heads"

In Smith v. ADVFN Plc & Others Mr Justice Eady of the English High Court recently showed a keen insight into the world of bulletin boards by noting that users are prone to reacting in the heat of the moment, not thinking about what they are doing, and saying the first thing that comes into their heads. A statement of the blindingly obvious? Perhaps. But the underlying point is important.

A perennial problem with defamation on the internet has been that of tone. Casual conversations - on bulletin boards or blog post comments - can feel as though they are transient and ephemeral. People write in a way which they would never use in a more formal setting such as a newspaper's letters page. But this perceived informality may clash with the approach taken by libel lawyers and courts, who are used to parsing newspaper articles closely for any possible defamatory meaning and who may apply this approach to turn the loose language of a post into something defamatory.

Offline, casual conversations also benefit from the more relaxed rules of slander, where oral (as opposed to written) communications generally don't give a person a right to sue for defamation unless they have suffered actual damage as a result. Online, though, the distinction between slander and libel evaporates so that (in most jurisdictions) an internet posting - however casual - will be treated as libel rather than slander, giving a person a right to sue irrespective of whether they have suffered any actual harm.

Significantly, however, in Smith v. ADVFN Mr Justice Eady took the informal nature of bulletin boards into account in deciding whether a claimant had a chance of succeeding in a defamation action, holding that these cases should often be treated as closer to slander so that the casual nature of posts should be taken into account when interpreting them. His summary of "the nature of bulletin boards" is worth quoting in full:
13. It is necessary to have well in mind the nature of bulletin board communications, which are a relatively recent development. This is central to a proper consideration of all the matters now before the court.

14. This has been explained in the material before me and is, in any event, nowadays a matter of general knowledge. Particular characteristics which I should have in mind are that they are read by relatively few people, most of whom will share an interest in the subject-matter; they are rather like contributions to a casual conversation (the analogy sometimes being drawn with people chatting in a bar) which people simply note before moving on; they are often uninhibited, casual and ill thought out; those who participate know this and expect a certain amount of repartee or “give and take”.

15. The participants in these exchanges were mostly using pseudonyms (or “avatars”), so that their identities will often not be known to others. This is no doubt a disinhibiting factor affecting what people are prepared to say in this special environment.

16. When considered in the context of defamation law, therefore, communications of this kind are much more akin to slanders (this cause of action being nowadays relatively rare) than to the usual, more permanent kind of communications found in libel actions. People do not often take a “thread” and go through it as a whole like a newspaper article. They tend to read the remarks, make their own contributions if they feel inclined, and think no more about it.

17. It is this analogy with slander which led me in my ruling of 12 May to refer to “mere vulgar abuse”, which used to be discussed quite often in the heyday of slander actions. It is not so much a defence that is unique to slander as an aspect of interpreting the meaning of words. From the context of casual conversations, one can often tell that a remark is not to be taken literally or seriously and is rather to be construed merely as abuse. That is less common in the case of more permanent written communication, although it is by no means unknown. But in the case of a bulletin board thread it is often obvious to casual observers that people are just saying the first thing that comes into their heads and reacting in the heat of the moment. The remarks are often not intended, or to be taken, as serious.
More on this case - including the way in which the claimant attempted to use defamation actions to silence his critics - at The Register.

Fake Facebook profile case - Full decision now available

Remember the libel action brought by a businessman against a former friend who created a false Facebook profile under his name? The full text of that decision is now available on BAILII as Applause Store Productions Ltd and Firsht v. Raphael. The bulk of the decision is unremarkable and deals with the (unconvincing) attempts by the defendant to deny that he was responsible for creating the page, but there are some interesting comments showing how judges are putting a figure on damages where material is only available for a short period of time to a relatively small number of people:
Ultimately, I have to approach the question of damages in the same way as a jury would, giving a verdict without a reasoned judgment. I bear in mind, of course, that the profile and group were only available on Facebook between 19th/20th June and 6th July 2007, when Facebook appears to have taken the material down at Mr Firsht's request. Given the times when the material was put up and taken down, that is a period of 17 days (for the profile) and 16 days (for the group). I bear in mind also the limited extent of proved publication, but I accept that Facebook is a medium in which users do regularly search for the names of others whom they know, and anyone who searched for the name Mathew Firsht during those few days will have found the false group without difficulty. In my view, a not insubstantial number of people is likely to have done so. By that I have in mind a substantial two-figure, rather than a three-figure, number. I also accept that the Defendant has increased the hurt and upset of Mr Firsht by the allegations which he rashly made in his original Defence and by his persistence in a defence which I have founded to be built on lies, which has compelled Mr Firsht to give evidence and face lengthy cross-examination in a public trial.

The libel is, as Ms Skinner rightly said, not at the top end of the scale, although it is serious enough to say of a successful businessman that (as I have found the words to mean) he owes substantial sums of money which he has repeatedly avoided paying by lying and making implausible excuses, so that he is not to be trusted in the financial conduct of his business and represents a serious credit risk. I do take into account also the effect on Mr Firsht of the unpleasant allegations against him which the Defendant made in his original Defence, and the fact that the Defendant has persisted to trial in a case which I have found to be no more than a lie. It seems to me that a proper award for the libel of Mr Firsht, to include an element for aggravation of damage, is £15,000. The pleaded meaning in the case of the company - against which the allegations of debt and dishonest prevarication are not directly made - is just the consequential meaning, that as a result of Mr Firsht's conduct the company is not to be trusted in the financial conduct of its business and represents a serious credit risk. It seems to me that a substantially lower award should be made in respect of the company, and in my judgment the right figure is £5,000.

Friday, July 25, 2008

Funniest name for a firm of solicitors in Ireland?

When I read that an Irish firm of solicitors was named "Argue and Phibbs" I assumed that this was an urban legend. Apparently not:
Sligo Town on the Net has more on this wonderfully named firm.

Wednesday, July 23, 2008

Bebo, bullying and the law

The Irish Independent recently carried a story about what may be the first Irish case involving social networking to reach court:
A man has been prosecuted for putting offensive and obscene messages on social networking site Bebo in what is believed to be the first case of its kind to come before the Irish courts.

Paul Anthony Matthews (27) posted what a judge described as "outrageous" messages on a teenage girl's site on January 31 this year.

Matthews, of Carnbeg, Doylesfort Road, Dundalk, agreed to pay the victim €3,000 instead of going to jail.

The pioneering case was brought under Section 13 (1) of the Post Office Amendment Act 1951 for sending offensive or indecent material by means of telecommunication.

Matthews, a father of one, admitted posting explicit and abusive messages on the teenager's site. The victim cannot be identified because of a court order.

Dundalk District Court was told that Matthews had a previous disagreement with the then 16-year-old and posted the messages on her Bebo page. The teenager had made a complaint about Matthews to gardai regarding another matter and the Bebo messages were investigated.

Matthews was arrested and admitted when questioned that he had put up the messages on her site.
So what's the significance of this case? It's certainly not the first time that internet harassment has come before the courts in Ireland - as far back as 1999 a man was convicted of criminal libel for online postings (Mac Ruairí, “Man Jailed for Libel on the Internet”, Irish Examiner, December 21, 1999.) But it does seem to be the first time that this particular section has been applied to the internet, so it might be worth looking at it in more detail.

Section 13 has been heavily amended since it was enacted. (For the tortuous details see the Fourth Schedule of the Postal and Telecommunication Services Act 1983, section 7 of the Postal and Telecommunications Services Amendment Act 1999 and Regulation 4(8) of SI 306/2003.) The most recent change was brought about by the Communications Regulation (Amendment) Act 2007, which substitutes the following for section 13:
Offences in connection with telephones.
13.—(1) Any person who—
(a) sends by telephone any message that is grossly offensive, or is indecent, obscene or menacing

or

(b) for the purpose of causing annoyance, inconvenience, or needless anxiety to another person—
(i) sends by telephone any message that the sender knows to be false, or
(ii) persistently makes telephone calls to another person without reasonable cause,
commits an offence.

(2) A person found guilty of an offence under subsection (1) is liable on conviction—
(a) if tried on indictment, to a fine not exceeding €75,000 or to imprisonment for a term not exceeding 5 years, or to both, or (b) if tried summarily, to a fine not exceeding €5,000 or to imprisonment for a term not exceeding 12 months, or to both.
(3) A contravention of this section is an offence under the Post Office Act 1908.
(4) On convicting a person for an offence under subsection (1), the court may, in addition to any other penalty imposed for the offence, order any apparatus, equipment or other thing used in the course of committing the offence to be forfeited to the State.
(5) In this section, ‘message’ includes a text message sent by means of a short message service (SMS) facility.”.
This is, however, quite a narrow section. It is limited to messages sent by "telephone" (which, while it might be stretched to cover the use of dial up, probably excludes the use of e.g. cable modems). Although it includes text messages it does not mention email or other internet messages and wouldn't seem to be wide enough to include them (a point also made by Kelleher & Murray - Information Technology Law in Ireland (2nd ed.) at 690). In fact, the legislative history on this point indicates that "cyber bullying" was expressly excluded from its scope, with the Minister for State (John Browne) rejecting an amendment extending the section to cyber bullying, stating:
The purpose of amending the Post Office (Amendment) Act 1951 was to increase fines to deter nuisance calls to the emergency call answering service, ECAS. The change proposed by the Senators is a wider offence and I understand from the debate on Tuesday that they are particularly concerned about tackling cyber bullying. The issues were raised again today by the Senators. This type of regulation falls outside the remit of the Bill. The sole intention of this provision is to address nuisance calls to the emergency services. I have listened carefully as did the Minister, Deputy Noel Dempsey, to the points raised by the Senators. The purpose of the Bill is to deal with the regulation of a service. The areas raised by the Senators would be more appropriate to the Department of Justice, Equality and Law Reform.

To respond to Senator Terry, it is an offence under section 10 of the Non-Fatal Offences against the Person Act 1997 to harass a person by use of any means, including by use of a telephone. Therefore, the issue is already dealt with to a certain extent.
Consequently (though bearing in mind we only have media reports to go on) it's hard to see how this section was applied to the defendant's conduct in this case.

(It may be, however, that the prosecution mistakenly had in mind the previous version of section 13(1) which appeared to be substantially wider in that it prohibited the sending of any grossly offensive etc. message "by means of the telecommunications system operated by [any authorised undertaking]" - a formula which may have been wide enough to include internet connections.)

Instead, one would expect this type of situation should be dealt with (if criminal charges are necessary) by the offence of harassment under section 10 of the Non Fatal Offences Against the Person Act 1997, which explicitly includes communication with a victim "by any means".

At this point one might wonder - so what? Does it matter whether this conduct is dealt with under one of these offences rather than the other? I'd suggest that it does. Section 13 is designed to deal with nuisance telephone calls. These are peculiarly direct, immediate, personal and invasive of one's privacy. Consequently the law applies a low threshold - a single instance of gross offensiveness - before these become criminal. But this is very unusual. The law doesn't generally criminalise mere offensiveness, even gross offensiveness, nor should it. But if section 13 were extended to all internet communications then it would have just that effect - prohibiting a great deal of speech on the basis that some readers might find it grossly offensive. (Something which would, for example, make criminals of those who post the Danish cartoons portraying Mohammed.) Indeed, as Eoin O'Dell recently reiterated "It is precisely to allow the expression of offensive opinions that the right to freedom of expression is necessary."

Having said that, there may be a case for extending section 13 or a similar provision to some internet communications. For example, nuisance emails and instant messages share many of the characteristics of text messages, and in some circumstances messages left on a person's social networking page might be as invasive. But any extension of the law must be carefully limited to avoid damage to freedom of expression.

Update (10 May 2010): - I've now been informed that after being alerted to these issues the original trial judge accepted that there was a flaw in the proceedings, declared a mistrial and reentered the matter. Last week, on the matter again being listed in Dundalk Judge Hamill considered this point and ruled that the charge was inappropriate.

Tuesday, July 08, 2008

Free books on technology and the law - A reader's guide

A 19th Century Irish judge (Sir James Mathew) once said that "In England, justice is open to all – like the Ritz Hotel." Unfortunately, litigation has not become much cheaper in the meantime. But other aspects of the law have. In particular, there has been an explosion in the number of high quality books on law and technology available for free download - both free as in beer and free as in speech. Here are some of my favourites.

It's almost obligatory to start with Lawrence Lessig, who was one of the first lawyers to make his work freely available and was instrumental in setting up the Creative Commons movement to enable others to do likewise. Three of his books are available:
Free Culture is one of the more influential books on the use and abuse of intellectual property law and at the same time manages to be both readable and entertaining.

http://www.lessig.org/content/books/code2.gif
Code 2.0 scarcely needs an introduction. Lessig's analysis of how code can be used as a form of regulation, and the risks this presents, was an instant classic when first published in 2000 and this second edition confirms that many of his insights have become increasingly relevant in the meantime.


The Future of Ideas is another classic - covering much of the same ground as Code and Free Culture, it looks at what he calls the corruption of the values of the early internet, an internet counterrevolution which threatens to stifle creativity and innovation.

http://img.skitch.com/20080424-phm7tqu9m99sd9enkascq43w3p.preview.jpg
Building squarely on Lessig's work, Johnathan Zittrain's The Future of the Internet - And How to Stop It is a perceptive discussion of how the innovation and freedom permitted by an open internet is under threat from increasing restrictions both on the network itself and the devices which connect to it.


On a similar topic is Matthias Klang's doctoral dissertation, Disruptive Technology. He argues that new technologies "disrupt the, previously established, social norms that make large parts of our democratic social interaction" while simultaneously the regulation of new technologies may undermine democratic participation, for example by imposing contractual restrictions on speech online which would not apply offline.

http://www.lessig.org/blog/archives/0300110561.01._SCLZZZZZZZ_.jpg
The Wealth of Networks by Yochai Benkler covers some of the same ground, but has a different focus in arguing that a networked environment and a growth in the sharing of information (such as via Creative Commons licences) brings about deep, structural changes in society - notably a shift from markets to non-market social behaviour - which face resistance from a variety of entrenched incumbents who stand to lose out.

Turning specifically to privacy, Daniel Solove's The Future of Reputation is a superb look at the interaction of privacy, reputation and freedom of expression on the Internet, and takes a broad view of how social mechanisms such as shaming might develop online.

http://blog.lib.umn.edu/writ/dept/images/peerspiratespersuasion.jpg
John Logie's Peers, Pirates and Persuasion is an interesting and enjoyable look by a non-lawyer at the growth of a maximalist copyright system and specifically the rhetoric used by each side in the "filesharing wars". (That link appears to be unreliable, but the book is also available on Scribd.)

http://mitpress.mit.edu/images/products/books/0262062461-medium.jpg
Perspectives on Free and Open Source Software, edited by Joseph Feller and others, is a collection of essays covering a wide range of issues such as: the motivation of contributors to open source software, the security issues it presents, the business model underlying it, the challenge of open source for the legal system and the application of open source / free software principles in the world of science. This remains possibly the best introduction for anyone (lawyer or not) curious about free / open source software.


The OSCE Media Freedom Internet Cookbook is another must read. This collection of essays by various authors offers some very interesting perspectives on the challenges of reconciling individual and media freedom with regulation of the internet while also covering a variety of topics from "hate speech" to internet hotlines to education for media literacy. In particular, Gus Hosein's piece on the Open Society and the Internet is a perceptive look at the promises of and threats to internet freedom.

http://ecx.images-amazon.com/images/I/51NKFQVQCSL._SL500_AA240_.jpg
Last, but certainly not least, is a collection of essays by the individual who started many of these debates about opening software, knowledge and society. Free Software, Free Society: Selected Essays of Richard M. Stallman includes classic pieces such as "The right to read" and "Why software should be free".

Sunday, July 06, 2008

Ireland's first case on the legality of screen scraping?

The Sunday Business post reports that Ryanair has started proceedings in the High Court against Bravofly seeking to prevent it from screen-scraping the Ryanair site in order to provide users with a portal through which they can compare fares across airlines.

Ryanair have been trying to block screen scrapers for some time now. Most recently they were rapped on the knuckles by the ASA for placing advertisements telling consumers that:

"IF YOU BUY A RYANAIR TICKET THRU AN ONLINE AGENT YOU'RE BEING RIPPED OFF... *THEY OVERCHARGE BY 100% OR MORE *THEY DON'T PROVIDE CORRECT TERMS AND CONDITIONS *THEY DON'T NOTIFY SCHEDULE CHANGES *THEY DON'T PROVIDE WEB CHECK-IN OR PRIORITY BOARDING"
This seems to be the first time, though, that they have resorted to legal proceedings and the first time that the Irish courts will consider the legality of screen scraping. From the report in the Sunday Business Post it would seem that Ryanair is primarily relying on the restrictions imposed by its terms of use, but presumably we'll see argument as to whether screen scraping violates their rights under the Database Directive (though whether this claim will stand up in light of the British Horseracing Board caselaw is another matter). OUT-LAW have some analysis of the uncertain position under English law, while this article in the Loyola Consumer Law Review gives an up to date summary of the position under US law.

Update 8.07.08 - The Irish Independent and Irish Times have more details. From the Irish Times:
Ryanair has claimed the alleged "screen-scraping" activities of Bravofly breach provisions of the Trademarks Act and the Copyright and Related Rights Act, amount to "passing off" and also breach the conditions for accessing the Ryanair website.

It claims that Bravofly, without permission from Ryanair, has offered detailed information on Ryanair's flight services and had also used Ryanair's name and harp device logo in presenting that information.

It also claims that Bravofly has established and maintains hypertext links from its websites to the Ryanair website, without Ryanair's authorisation.

Ryanair claims it had written to Bravofly asking for undertakings that the screen-scraping activities would cease but no such undertakings had been received.

Ryanair is seeking court orders restraining the alleged activities and also wants damages, including exemplary damages, and/or an account of profits for alleged negligence and/or wrongful interference with Ryanair's economic interests and contractual relations.

The airline contends the matter is of real commercial significance as its website is at the heart of its marketing and sales strategy and some 98 per cent of its flight bookings are transacted via the website. Any action which wrongfully impinges on the effectiveness of the Ryanair website has an impact on sales and marketing activities and the attractiveness of the website as a platform for the advertising and sale of third-party goods and services, it says. It claims the activities of Bravofly are diverting potential business from Ryanair.

Wednesday, June 25, 2008

Symposium - Privacy v. Publicity in the Virtual World

The Darklight Film Festival is hosting what should be a very interesting symposium on Privacy v. Publicity in the Virtual World this Friday, June 27th in the Film Base, Curved Street, Temple Bar at 10am:
For a new generation of 'digital natives' privacy is no longer a requirement. Web 2.0 has brought with it a transformation in how we view the need for privacy and engage with the public realm - but at what cost? The discussion will be prefaced by a keynote address from Daniel J. Solove, Associate Professor of law at the George Washington University Law School, and author of The Digital Person: Technology and Privacy In the Information Age. Chaired by Irish Times writer Karlin Lillington, the panel will also feature Irish blogging guru Damien Mulley and solicitor/digital rights expert Caroline Campbell.

Issues to be considered include:

* Can bloggers say what they like?

* What's wrong with having nothing to hide?

* Who is really stalking you on Facebook? .. Does anyone care anymore?

* Is there a generation gap in approaches to online privacy?

Monday, June 23, 2008

Civil servants' illegal disclosure of personal information is "routine and very comprehensive"

The Independent has an update on the Data Protection Commissioner's investigation into the Department of Social and Family Affairs:
FOURTEEN employees of the Department of Social and Family Affairs are being investigated for allegedly passing comprehensive personal information to insurance companies on a regular basis.

The Irish Independent has learned that some of the alleged breaches -- which came to light in April 2007 -- involve "one of Ireland's largest insurance companies" and date back to 2006.

The allegations involve the passing of personal and sensitive information, contained on data systems within the Department of Social and Family Affairs (DSFA), to third parties for commercial benefit.

The DSFA carries all personal details on all individuals in the state including PPS numbers, dates of birth, addresses as well as earnings details.

Private investigators work for the insurance companies to compile cases against drivers. But there is concern about the level of information that the inspectors for the insurance companies are obtaining.

Protection Commissioner Billy Hawkes said in an email to the DSFA last June: "I inspected five investigator files yesterday during a planned call back to X (large insurance company).

"This revealed very-worrying levels of disclosure from the DSFA to private investigators. From what I could discern, such disclosures are routine and very comprehensive."
I've blogged before about other examples in this Department of disregard for citizens' privacy.

Thursday, June 19, 2008

Data protection and bulletin boards

John Breslin of (amongst other things) Boards.ie has an interesting post on a data protection complaint from a banned user. The complaint? After the banning, all the posts he had previously made appeared with the word "Banned" next to them (which is the default setting for many forum software packages). The view of the Data Protection Commissioner was that this was an unauthorised disclosure of personal information (i.e. the user's status on the site), apparently on the basis that the username was very close to his real name:

Quite apart from the narrow data protection aspect of this particular case, it raises an interesting issue about the social dynamics of social software and whether the law might hinder effective moderation.

One of the way in which moderators on forums discourage certain behaviour is by putting users into a sin bin or banning them. Going one step further by naming and shaming - i.e. publicising the sanction by labeling posts from those users - has a social effect in two ways. At a general level it may help to reinforce the norms of the site by publicly reinforcing the message that certain types of behaviour are unacceptable and at the individual level it may also act as a deterrent to the user who knows that any sanction against them will be publicised.

If this sounds familiar it's because this argument mirrors, on a much smaller scale, the role of publicity in the criminal justice system. It also mirrors the increasing tendency in other areas for public bodies to "name and shame", whether it be young offenders in England or the list of tax defaulters in Ireland who settle with the Revenue.

The broader issue this raises is whether naming and shaming is an acceptable option - and if acceptable in (e.g.) the context of tax defaulters, why not in the context of troublesome users? Should it matter whether it's a public or private body naming and shaming? Should it matter that the gravity of the "offence" is much greater in one case than the other? If bulletin boards / forums can't publicly reveal which users have been banned or sin-binned, will this make the life of moderators more difficult?

Tuesday, June 10, 2008

How not to protect a domain name - the D4hotels saga

Remember D4hotels.com - the low cost hotels site which completely failed to protect variants of its name against cybersquatters? Well it now transpires that the ownership of D4hotels.com itself is now contested:
A dispute over ownership of the D4hotels.com domain name and website has come before the Commercial Court.

MJBCH Ltd, the leaseholder of the former Berkeley Court Hotel and the former Jury's hotels in Ballsbridge and The Towers, claims exclusive entitlement to the operation and management of the domain name and website.

It has alleged it had a hotel operation and management agreement with the two defendant companies -- Cloud Nine Management Services Ltd and Beechside Company Ltd, trading as The Park Hotel, Kenmare -- to manage the hotels as the Ballsbridge Inn, Ballsbridge Towers and the Ballsbridge Court hotel, but that agreement was terminated in February.

In those circumstances, it claims the defendants have no entitlement to use the d4 domain name and website.

...

The defendant companies deny the claims and say they at no time abandoned their rights to or property in the domain name, website or business name.

They companies say that, under their agreement with MJBCH of October 2007, they were authorised to act as the exclusive operator and manager of the hotels and that the domain name D4hotels.com was registered by Beechside in September 2007.

They also say the management agreement was summarily terminated by MJBCH in February and that at no stage had it been agreed the D4 domain name and website would become the property of MJBCH.
While there's very little detail in this report, it suggests that there was no explicit agreement as to ownership of the intellectual property in the domain name and the site itself - which if true is one of the most fundamental mistakes one can make when establishing an online business. This, together with the failure to protect domain name variants, means that I will be using this case in class as a cautionary tale.

Update (27.1.09): It now seems that this case has been settled.

NY Attorney General forces ISPs to filter Internet

In another bad day for the end to end principle, the New York Times reports that the Attorney General of New York has succeeded in forcing ISPs to filter their users' internet connections. The expressed motivation is to prevent users from accessing child pornography, though this will be trivially easy to circumvent. There are many problems with internet filtering, and I've written a short summary of them (in a different context) for the Digital Rights Ireland blog. But the New York scenario raises one particular problem - whether this form of censorship, implemented and administered by private actors (who will face an incentive to overblock), can be reconciled with the rule of law. The issues raised are very similar to those presented by the UK Cleanfeed system, about which Colin Scott and myself had this to say at the inaugural TELOS Conference last year:
This presents a number of challenges for the rule of law. Even if an individual ISP’s actions can be described as voluntary, the effect is to subject users without their consent to a state mandated regime of internet filtering of which they may be unaware. The Internet Watch Foundation (IWF), which determines which URLs should be blocked, has a curious legal status, being a charitable incorporated body, funded by the EU and the internet industry, but working closely with the Home Office, the Ministry of Justice, the Association of Chief Police Officers and the Crown Prosecution Service. There is no provision for site owners to be notified that their sites have been blocked. While there is an internal system of appeal against the designation of a URL to be blocked, that mechanism does not provide for any appeal to a court – instead, the IWF will make a final determination on the legality of material in consultation with a specialist unit of the Metropolitan Police.

Consequently the effect of the UK policy is to put in place a system of censorship of internet content, without any legislative underpinning, which would appear (by virtue of the private nature of the actors) to be effectively insulated from judicial review. Though the take-up of the regime may be attributable to the steering actions of government, the way in which the regime is implemented and administered complies neither with the process or transparency expectations which would attach to legal instruments.

There is also cause for concern about the incentives which delegating filtering to intermediaries might create. From the point of view of the regulator, requiring intermediaries to filter may allow them to externalise the costs associated with monitoring and blocking, perhaps resulting in undesirably high levels of censorship. But perhaps more worrying are the incentives which filtering creates for intermediaries. Kreimer has argued that by targeting online intermediaries regulators can recruit “proxy censors”, whose “dominant incentive is to protect themselves from sanctions, rather than to protect the target from censorship”. As a result, there may be little incentive for intermediaries to engage in the costly tasks of distinguishing protected speech from illegal speech, or to carefully tailor their filtering to avoid collateral damage to unrelated content. Kreimer cites the US litigation in Centre for Democracy & Technology v. Pappert to illustrate this point. In that case more than 1,190,000 innocent web sites were blocked by ISPs even though they had been required to block fewer than 400 child pornography web sites.
Orin Kerr has more.

Edit (13.06.08): Richard Clayton indicates that the New York Times coverage may be inaccurate. He suggests that what the ISPs have agreed to is limited to removing certain newsgroups and taking down sites which they host - but does not include filtering of sites hosted elsewhere. There's also some confusion as to just what the effect on usenet will be, with Declan McCullagh reporting that in the case of Verizon all the newsgroups in the alt.* hierarchy will no longer be offered.

Sunday, June 08, 2008

The Future of the Internet and How to Stop It



Jonathan Zittrain's superb new book The Future of the Internet and How to Stop It is now available for free download. His central theme is that the freedom associated with general purpose PCs and an end-to-end internet is increasingly being threatened - a variety of forces (including a push by the content industry for DRM, security fears, and state regulation) are leading towards a growth in "tethered appliances" outside the control of their users, coupled with increased internet filtering and gatekeeping. The result is to dramatically shift the balance struck by the law and possibly to threaten traditional freedoms. From the synopsis:
IPods, iPhones, Xboxes, and TiVos represent the first wave of Internet-centered products that can’t be easily modified by anyone except their vendors or selected partners. These “tethered appliances” have already been used in remarkable but little-known ways: car GPS systems have been reconfigured at the demand of law enforcement to eavesdrop on the occupants at all times, and digital video recorders have been ordered to self-destruct thanks to a lawsuit against the manufacturer thousands of miles away. New Web 2.0 platforms like Google mash-ups and Facebook are rightly touted—but their applications can be similarly monitored and eliminated from a central source. As tethered appliances and applications eclipse the PC, the very nature of the Internet—its “generativity,” or innovative character—is at risk.
A must read.

Tuesday, May 27, 2008

Deutsche Telekom used call data to spy on reporters

From the New York Times:
Germany was engulfed in a national furor over threats to privacy on Monday, after an admission by Deutsche Telekom that it had surreptitiously tracked thousands of phone calls to identify the source of leaks to the news media about its internal affairs.

In a case that echoes the corporate spying scandal at Hewlett-Packard, Deutsche Telekom said there had been “severe and far-reaching” misuse of private data involving contacts between board members and reporters...
Spiegel Online has more:
The company itself, led by then CEO Kai-Uwe Ricke and monitored by a supervisory board headed up by then Deutsche Post CEO Klaus Zumwinkel, (more...) is accused of being behind the alleged spying. And the Berlin consulting firm, whose chief executive sent the April 28 fax, was hired to carry it out. The goal of the "Clipper" and "Rheingold" surveillance programs, as well as other "secondary projects," the fax makes clear, was to "analyze several hundred thousand landline and mobile connection data sets of key German journalists reporting on Telekom and their private contacts."

But that wasn't all. The same procedure, according to the memo, was repeated with "several supervisory board members on the employee side" -- "for a total period of one-and-a-half years.