Monday, December 28, 2009

Reform of search warrants must take electronic searches into account

The Law Reform Commission has just published a consultation paper on search warrants and bench warrants. In relation to search warrants it points out there is currently a bewildering array of statutory provisions (over 100 different Acts and Regulations) which deal with searches, with different procedures to be followed and different powers of search and seizure in each case. The consultation paper aims, amongst other things, to rationalise the law in this area, and seeks to put in place a single statutory framework.

Surprisingly, though, the consultation paper has almost nothing to say about searches of computers and data. In fairness, it does note that there are some existing (rather patchy) provisions which specifically deal with computer searches - such as the power to require passwords in s.48 of the Criminal Justice (Theft and Fraud Offences) Act 2001. It also makes a very brief reference to the need for specialist forensic examination of seized computers. However it fails to consider any of the difficulties which have emerged when traditional norms are applied to data, much less current proposals which would fundamentally rewrite the law in this area.

To take just a few examples: there is no recognition of the vast quantities of personal data which are often stored on computers, making searches particularly privacy invasive in a way which is not generally true elsewhere. On a similar note, the consultation paper fails to recognise that the effect of seizing a computer and data can often be to shut down a business or to seriously disrupt an individual's life, and that this can often be mitigated by returning a copy of the seized data. There's no analysis of how extensive searches of data should be - if, for example, a computer is seized on suspicion of fraud offences should it be permissible to automatically scan the hard drive to detect possible child pornography images? (These and many other issues have been extensively analysed by Orin Kerr in several excellent articles, including Search Warrants in an Era of Digital Evidence and Searches and Seizures in a Digital World.) Similarly, there's no mention of so-called remote searches (police hacking into computers at a distance), despite the fact that these have been the subject of recent EU proposals.

These and other issues will have to be addressed if the Law Reform Commission analysis is to deal with computer searches adequately in a way which protects privacy - if you're interested in bringing any of these issues to their attention, you can email them at info@lawreform.ie or make a submission via snail mail using the details on this page.

Sunday, December 27, 2009

Temple Street Hospital holding a de facto national DNA database?

Today's Sunday Times reports that the Temple Street Children's Hospital has kept blood samples of almost every newborn in the country since 1984 - without the consent or knowledge of their parents - and has kept those samples indefinitely. The details are remarkable:
A DUBLIN hospital has built a database containing the DNA of almost every person born in the country since 1984 without their knowledge in an apparent breach of data protection laws.

The Children’s University hospital in Temple Street is under investigation by the Data Protection Commissioner (DPC) since The Sunday Times discovered it has a policy of indefinitely keeping blood samples taken to screen newborn babies for diseases.

Unknown to the DPC, the hospital has amassed 1,548,300 blood samples from “heel prick tests” on newborns which are sent to it for screening, creating, in effect, a secret national DNA database. The majority of hospitals act on implied or verbal consent and do not inform parents what happens to their child’s sample.

The blood samples are stored at room temperature on cards with information including the baby’s name, address, date of birth, hospital of birth and test result. The DPC said it was shocked at the discovery.

On four occasions the hospital has allowed scientists from a university and other hospitals to access the Newborn Screening Cards (NSCs) for research purposes. This was done on the basis of anonymity but without the consent of parents and followed approval by the hospital’s ethics committee.

The DPC is now engaged in urgent discussions with the hospital, the Health Service Executive (HSE) and the Department of Health to force the hospital to comply with data protection legislation by January. The DPC could order the destruction of the records if it is not satisfied the hospital is taking the necessary actions.

“Clearly it is a matter of significant concern to us that holding data of this nature containing sensitive health details of such a significant portion of the population appears to have operated without taking account of data protection requirements,” said Billy Hawkes, the DPC commissioner.

“The issue of the justification for the holding of the blood samples for any period beyond that which is necessary to perform the initial blood test will have to be considered as part of this office’s investigation of this matter. At present the position would appear to be that there is no consent from parents for the information to be held at all.”
Similar de facto databases have been created in this accidental manner in other jurisdictions - in Australia and New Zealand for example - where they have been extremely controversial and have had safeguards imposed. In Western Australia, police began to use these databases without consent in criminal investigations, causing hospitals to destroy existing databases and to change medical practice to store samples for a two year period only. In New Zealand, meanwhile, the practice is that parents are fully informed as to the purpose for which samples are taken and stored, and have the right to have the sample returned to them once the testing is completed, and the privacy implications of this database are currently under review.

In light of these controversies elsewhere, the lack of informed consent and the fact that there is no legal basis for the heel prick tests (a point confirmed in North Western Health Board v. HW and CW) it's hard to see how Temple Street could have believed that it was entitled to hold onto these samples indefinitely - and it is remarkable that this point appears to have been missed by the ethics committee on four separate occasions.

Thursday, December 10, 2009

Consultation Paper on Electronic Evidence to be published today

The Law Reform Commission will be publishing a Consultation Paper on Documentary and Electronic Evidence today. The Irish Times has a summary of the contents:
The LRC states that in general there should be no difference between the rules concerning manual or computer-generated documents and records; all business records, whether manual or computer-generated, should in general be presumed to be admissible and that the Bankers’ Books Evidence Act 1879, which allows banking records to be admitted as evidence in court, should be updated and extended to apply to records from all financial institutions.

For mechanically generated recordings, such as videos or CCTV, it should be clarified that any defects in their quality should not rule them inadmissible but should be simply a question of the weight given to the recording.

It also recommends that an expert group be established to develop standards and guidelines for the verification of electronic and digital signatures, and that the existing law which presumes that “public documents” are admissible should be updated, because much of the relevant legislation predates the foundation of the State.

Tuesday, December 08, 2009

Hosting defence applies to user comments: English High Court

In a significant decision, Karim v. Newsquest Media Group, Eady J. has accepted that online newspapers can rely on the E-Commerce Directive hosting defence in respect of user comments, meaning that they should generally be exempt from liability in respect of those comments provided that they take them down when notified that they are potentially defamatory.

The plaintiff in this case was a solicitor who had been struck off following mishandling of client funds. The defendant's websites reported the proceedings before the Disciplinary Tribunal in an article titled "Crooked solicitors spent client money on a Rolex, loose women and drink", and a number of users made further allegations about the plaintiff in the comments attached to the article. The plaintiff took exception to both the article itself and the user comments and issued proceedings against the defendant without prior notice. On receiving the proceedings, the defendant took down the article and comments the same day.

The plaintiff's case comprised two components - the article and the attached user comments - and the defendant applied for summary judgment in respect of both.

As regards the article, the court had no difficulty in finding that it was covered by absolute privilege as a fair, accurate and contemporaneous report of legal proceedings under s.14 of the Defamation Act 1996, and that portion of the claim was struck out.

As regards the user comments, the defendant argued that it was protected by the hosting defence, as transposed into UK law by Regulation 19 of the Electronic Commerce (EC Directive) Regulations of 2002. This provides:
Where an information society service is provided which consists of the storage of information provided by a recipient of the service, the service provider (if he otherwise would) shall not be liable for damages or for any other pecuniary remedy or for any criminal sanction as a result of that storage where -

(a) the service provider -

(i) does not have actual knowledge of unlawful activity or information and, where a claim for damages is made, is not aware of facts or circumstances from which it would have been apparent to the service provider that the activity or information was unlawful; or

(ii) upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information, and

(b) the recipient of the service was not acting under the authority or the control of the service provider.
Although no authority was cited on this point, Eady J. stated that he was "quite satisfied" that the defendants could rely on this defence, going on to hold that the users were not acting under the "authority or control" of the defendant. This portion of the claim was therefore struck out also.

This appears to be the first time that an English court has dealt with this question, though it reaches the same result as the Irish decision in Mulvaney v. Betfair (t/a The Sporting Exchange).

As with that decision, it is good news for online publishers dealing with user-generated content, suggesting that the courts will adopt a wide interpretation of the hosting defence. But as with Mulvaney v. Betfair, it might be unwise to celebrate yet. This is a first instance decision (albeit a decision of one of the most prominent judges in this field) and was based on the arguments of one side only. It does not consider the arguments which might be put forward to limit the hosting defence, and rather glosses over the question of whether posters in a moderated forum could be said to be acting under the authority or control of the host.

Experience from the US has shown that online immunities tend to be extensively challenged as plaintiffs seek to work around them. Section 230 of the Communications Decency Act has, in particular, been repeatedly litigated and occasionally evaded by plaintiffs. (Eric Goldman analyses some of the approaches taken by plaintiffs: 1|2|3.) It's safe to say that similar challenges to the hosting immunity are likely in Europe until such time as the European Court of Justice issues a definitive interpretation of its scope.

(Via The Register)

EU guidance on unfair commercial practices - confirms rules apply to social networking, blogs

The Commission has just published a lengthy working document (PDF) with guidance on the application of the Unfair Commercial Practices Directive. This confirms that the Directive applies to blogs and social networking sites and gives some examples of banned practices - such as the use of fake comments or "astroturfing":
Social media, which include blogs, social networking sites, have become important avenues for commercial practices, especially hidden ones. They are sometimes used by traders to promote and advertise their products.

For example, several Member States have reported that cosmetic companies have paid bloggers to promote and advertise their products on a blog aimed at teenagers, unbeknownst to other users. In such cases, the authorities considered that the bloggers concerned were engaging in hidden commercial practices.

Unfair commercial practices may also occur on price comparison websites. An obvious case is when an online price comparison service belongs or is linked to a trader and is used to advertise its products. For example, the site "quiestlemoinscher.com" (literally "whoisthecheapest.com"), a grocery price comparison service created by a French major supermarket company, was considered by French courts to be a trader's website and a tool for comparative advertising...

[T]he Directive tackles the particular situation of "hidden" traders or traders representing themselves as consumers. Under Annex I of the Directive (the "black list"), the following practice is prohibited in all circumstances: Falsely claiming or creating the impression that the trader is not acting for purposes relating to his trade, business, craft or profession, or falsely representing oneself as a consumer.

For example, "hidden" traders may be:
– a hotel website including flattering comments supposedly by consumers which are actually drafted by the hotel owner;
– a bookshop advertising its "customers' choice" books where customers have never been consulted and the choice is made by the bookseller.
Of course, none of this should come as any surprise to Irish readers. The Directive was implemented in Ireland by the Consumer Protection Act 2007, and both Daithi and Damien had good posts around that time pointing out that the Act would prohibit businesses from posing as consumers or (covertly) paying bloggers to post about them.

Responsibility for enforcing the Consumer Protection Act lies with the National Consumer Authority. Given how common fake comments have become, I'm surprised that they haven't put out any guidance on this topic. It may be that it will take a complaint from an annoyed blogger (is there any other type?) or forum moderator before they take any action in this area.

Incidentally, it must be said that the approach taken by the Directive and national law (which is limited to paid posts or "advertorials") is much more sensible than the approach which the FTC has taken in the United States, where it now requires bloggers and twitterers to post details of any supposed conflict of interest - even a review copy of a book! - on pain of an $11,000 fine. Jack Shafer has more on the FTC rules (PDF).

Monday, December 07, 2009

Time for national steps to tackle cybercrime

The Irish Times has a good report of the recent IRISS Conference on Cybercrime. The comments of Paul Gillen were particularly interesting:
Det Insp Paul Gillen, head of the Garda computer crime investigation unit, said he was very concerned about the possibility of distributed denial-of-service attacks against Irish sites.

"I’m scared that Ireland will suffer what Estonia suffered," he said, referring to incidents in April and May 2007 when many Estonian government websites and critical systems were taken offline. "Ireland’s capability to react to something like that would worry me," said Det Insp Gillen...

Despite newspaper reports and regular warnings from banks, the phishing problem has got worse, added Det Insp Gillen. "We still have people who are willing to sit down and give their user name and password and are willing to write 100 PIN numbers from a code card that the bank gave them – and then they’ll go back to check they’re the right ones," he said. "Somewhere along the way, we’re obviously failing at getting the information out to the general public to make them more aware of hi-tech crime."

According to Det Insp Gillen, phishing scams usually happen in four stages: the hack is performed to infiltrate a person’s PC and steal their login details, or else the victim is tricked into revealing their pass codes by an e-mail that seems to have been sent by their bank. Criminals then gain access to the person’s bank account over the internet and use the codes to transfer money to an account in another part of the country.

Gangs then use "money mules" – other people who withdraw funds from ATMs. "The money mule is the first person to raise their head above the trench to have the back of their collar grabbed," said Det Insp Gillen, who said gardaí have had some success stopping this.

"Everyone in this structure receives a percentage of the take in the crime," he said. "We’re dealing with highly organised crime here. The only way we’re in a position to deal with it is if IT security professionals, academics, law enforcement and a Cert join into a community to develop a task force, because everyone has information that could be a piece of evidence."
So what is currently being done to deal with the problems identified at the conference?

One promising development took place in August when the Minister for Communications announced that a report outlining a national cyber security strategy would be in place by the end of the year. (According to the Press Office in Communications, the report is currently being finalised.)

On the legislative front, however, the picture is gloomier. Irish law still has no general offence to deal with denial of service attacks (PDF) or online interception, and implementation of the Cybercrime Convention and the Framework Decision on Attacks Against Information Systems is long overdue.

There is a Criminal Justice (Cybercrime and Attacks against Information Systems) Bill on the legislative agenda - but there's no date given for when we might see a draft. Given that we were initially promised implementing legislation in 2003 (PDF, p.25) and again in 2006, one might be forgiven for being sceptical as to whether any reform of the law relating to cybercrime will take place in the lifetime of this Government.

Wednesday, December 02, 2009

Software development agreement did not transfer copyright

OUT-Law have a report of an interesting recent English case - Infection Control Enterprises Limited v Virrage Industries Limited and Aidan Cartwright [2009] EWHC 2602 (QB) - concerning ownership of commissioned software which was intended for resale by the client. As is increasingly the trend, the client didn't succeed in their claim that there was an implied term that they would acquire the copyright.

I discussed the legal issues involved in these types of cases in a 2007 article in the Journal of Intellectual Property Law & Practice - "Copyright in Custom Code: Who Owns Commissioned Software?" Fortunately this decision doesn't appear to have proved me wrong.