Sunday, December 04, 2011

Revenue officials accessing your private data - yet again

Now that the Sunday Times is behind a paywall it's all too easy for important stories to get less attention than they merit. Here's one from Mark Tighe, originally published on 2 October 2011, which deserves to be highlighted. The focus of the story is on fraudulent claims and other financial abuses, but there's also evidence of continued snooping by Revenue staff on the private finances of others. Excerpt:
THREE Revenue officials have resigned and another two have been dismissed after being caught committing fraud using the tax office's computer system. The cases are among 24 in which tax officials have been disciplined for abuse of access to internal records since 2009.
Disciplinary files show three tax officials extracted €57,514 in fraudulent rebates from the Revenue before being uncovered by internal investigators. They also show Revenue had to apologise to a man after his ex-wife, a former official, organised for another staff member to change his tax status leaving him with no pay on two occasions.
In one case, a female clerical officer who organised fraudulent tax refunds totalling €32,500 for herself, her family and friends, resigned in July last year before Revenue could terminate her employment...
Another female clerical officer had her pay reduced by two increments after she removed an allowance from a man on the word of his ex-wife, a former colleague of hers in Revenue.
The man wrote a letter of complaint to Revenue saying the removal of a certain child allowance had led to him receiving two consecutive pay cheques with zero net pay. The man, who has joint custody of his children with his ex-wife, said the incident was "humiliating, embarrassing and deeply puzzling". He was forced to approach the St Vincent De Paul Society and his community welfare officer for assistance.
Revenue managers said the incident had serious implications for its reputation. They issued the complainant an "unreserved apology". Investigators found the Revenue staff member had transferred the man's allowance to his ex-wife after she said she needed the money for a holiday.
The official, who was a "close confidante" of the woman, was also found to have made alterations to her own and her family's tax profiles. A CPSU official said "everyone does it" when the alteration of her tax records was being discussed in the woman's disciplinary interview. The official complained about being "singled out", saying others did what she did.
In another case a male clerical officer had his pay reduced by four points for three years after he arranged for his exwife's tax record to be labelled "crank/prank" when she tried to register for a single person's tax credits. The woman in question said her former husband told her about the salary details of men she dated after they separated. The man admitted altering his wife's file through a colleague, and accessing other files and giving the information to his ex-wife. He said he had believed his wife was having an affair, and looked up the men's details for his own "sanity".
 This story follows a similar piece in the Irish Independent earlier this year, which revealed that:
A female official... snooped on politicians and a former Revenue chairman. The same woman improperly faxed information to a financial institution about customers who were setting up SSIAs...
Most staff caught snooping on taxpayers' details are dealt with internally and are given a one or two-year pay cut for their indiscretions, as well as being barred from promotion for the same period...
One file quotes a union official as saying there was a "culture" of snooping within the department.. And even the chairman of the Revenue Commissioners is not immune, with one low-ranking civil servant found to be snooping on former Revenue chairman Frank Daly's records in 2006 and 2007.
Notable from that Irish Independent piece is the fact that none of the snooping cases were referred to GardaĆ­. This reflects a significant legislative gap, which has been partially filled since s.77 of the Finance Act 2011 introduced a new offence of improper disclosure of taxpayer information. Hopefully this new offence will act as a genuine deterrent to further snooping.

Previously on this blog:

Monday, November 21, 2011

Will the ECJ stymie attempts to identify internet users?

PHILIPS SHP1900 Headphones


This time last year I blogged about Bonnier Audio v. Perfect Communication, the Swedish case which questioned whether data retained under the Data Retention Directive could be used in litigation to identify users accused of infringing copyright. In that case five audiobook companies brought an action against Perfect Communication, an ISP, seeking the details of a user who was said to be sharing many popular audiobooks. The ISP, however, resisted the application and argued (in essence) that data retained under the Data Retention Directive could only be used for the purposes of that Directive and not for unrelated purposes such as civil litigation. In a preliminary reference, the Swedish court asked the ECJ the following questions:
* Whether the Data Retention Directive prevents the application of a national rule based on the EU IP Rights Enforcement Directive (2004/48/EC), which provides that an ISP in a civil case can be ordered to provide a copyright owner or a rights holder with information on which subscriber holds a specific IP address assigned by the ISP, from which address the infringement is alleged to have taken place.

* Whether the answer to the first question is affected by the fact that the state has not yet implemented the Data Retention Directive, although the deadline for implementation has passed.
As I said at the time, this has the potential to be a very important case - one in which a ruling against the copyright plaintiffs might well force a revision of the entire approach which Irish and English law takes to identifying internet users. I am surprised therefore that there hasn't yet been much reaction to the Advocate General's opinion, issued last Thursday, which comes down largely on the side of the ISP.

While there's no official English translation yet, the key part of the decision appears to be in paragraphs 60-62 which build on Promusicae to hold that (irrespective of the Data Retention Directive) the disclosure of information about internet users in civil proceedings is only permissible in accordance with the provisions of Article 15 of the e-Privacy Directive - that is, only where there are "legislative measures" in place which are "necessary, appropriate and proportionate... within a democratic society". Pending the official translation, the following is an auto-translated version, tidied up slightly by myself:
60. EU law requires that before the disclosure of personal data is possible, a retention obligation must be provided for by national legislation which sets out the categories of data to be kept, the purpose for which it may be kept, the retention period and those who can access the data. It would contradict the rules governing personal data protection principles to draw on data sets that have been collected for purposes other than those set by the legislature.

61. Therefore, for the preservation and transmission of personal data to be consistent with Article 15 of Directive 2002/58, in a situation such as that described in the main proceedings, national legislation should include, at advance and in detail, the limitations on the scope of rights and obligations under Articles 5, 6, 8, paragraphs 1 to 4, and 9 of the Directive (20). A limitation so established must be a necessary, appropriate and proportionate. However, a disclosure obligation, imposed on Internet service provider and relating to personal data kept for another purpose, is not sufficient to meet these requirements.

62. In conclusion, it should be noted that the human rights protection of personal data and privacy on the one hand, as well as protection of intellectual property on the other, shall enjoy equal protection. There is no reason to favor the owners of intellectual property rights by allowing them to use personal data that have been lawfully obtained or retained for purposes unrelated to the protection of their rights. The collection and use such data for such purposes in compliance with EU law on the protection of personal data would require the prior adoption by the national legislature, of detailed provisions, in accordance with Article 15 of Directive 2002/58. (Emphasis added.)
The Advocate General's approach, if followed by the ECJ, will undoubtedly be extremely significant on a number of fronts. From my perspective, the most significant aspect would be the requirement that identification of users requires "legislative measures". Under the existing Norwich Pharmacal jurisdiction as applied to the internet in Ireland (EMI v. Eircom) and England and Wales (Totalise v. Motley Fool) there are no such legislative measures - instead the courts are relying on an inherent equitable jurisdiction which has been developed through caselaw. This would be thrown into disarray by the Bonnier Audio reasoning. Some litigants might not be too badly affected - for example, many intellectual property litigants could fall back on their rights under the various implementations of the IPR Enforcement Directive (e.g. SI 360/2006 in Ireland) - but this result would be fatal to other cases such as online defamation claims. (One example being the current litigation against RateYourSolicitor.)

I'll be watching with interest to see whether the ECJ follows the AG's opinion - if it does, expect the cat to be put among the pigeons at national level.

Friday, November 18, 2011

Is illegally obtained CCTV footage admissible in evidence?

CCTV


Every now and then media reports reveal an employer who has engaged in illegal CCTV monitoring of staff and today's example is Dunnes Stores which was shown in an unfair dismissal claim to have secretly used CCTV to view employees in a restaurant in Galway:
DUNNES STORES monitored workers on CCTV at a restaurant in one of its stores for 77 days without telling them. A security man monitored the behaviour of staff at the restaurant almost exclusively and reported his findings daily to the store manager. As a result of the monitoring, two members of staff at the Dunnes outlet in Terryland, Galway, were dismissed. Two others quit, an Employment Appeals Tribunal was told yesterday... Dunnes Stores security officer Peter Zatorski said the women at the restaurant were not told they were being monitored.
It's not clear from the media reports whether the camera was hidden, or whether staff were aware of its presence but unaware that it would be used to monitor them. Either way, however, it is clear that this use of CCTV recording would breach the fair obtaining principle in data protection law which requires (even in the case of visible cameras) that individuals should be informed of the purpose for which recordings may be used. Guidance from the Data Protection Commissioner is unequivocal on this point:

If the purpose or purposes is not  obvious, there is a duty on the data controller to make this clear.  A CCTV camera in a premises is often assumed to be used for security purposes. Use for monitoring staff performance or conduct is not an obvious purpose and staff must be informed before any data are recorded for this purpose. Similarly, if the purpose of CCTV is also for health and safety reasons, this should be clearly stated and made known.
In the Dunnes Stores case, therefore, it seems likely that the CCTV footage was obtained illegally. If so, should Dunnes be able to rely on it before the Employment Appeals Tribunal to justify the dismissal? Surprisingly, the issue doesn't seem to have been raised before the EAT but as this is a relatively common issue it might be worth considering generally.

There is a general rule in Irish law that illegally (not unconstitutionally) obtained evidence may be excluded at the discretion of the court. Yvonne Daly provides a very good summary of this rule in this article (PDF), where she points out that in practice this discretion is very seldom used to exclude evidence on the basis of mere illegality. I have been unable to find any reported decisions of the Irish courts dealing specifically with evidence obtained in breach of data protection law - however, in light of the discretionary nature of the exclusionary rule and the general tendency towards admitting illegally obtained evidence there is no guarantee that the courts will prevent this evidence from being used.

This is not, however, an end to the matter, as an employee may be able to achieve the same result indirectly by going to the Data Protection Commissioner. This happened in Case Study 10 of 2008, where employees succeeded in stopping an internal disciplinary inquiry based on improperly obtained CCTV footage:

In this case, the employer had used CCTV images to compile a log that recorded the employees’ pattern of entry and exit from their place of work.  The employer then notified a trade union representative that this log would be used at a disciplinary meeting.  It also supplied a copy of the log to the union representative.  The employer sent letters to each employee requesting that they attend a disciplinary meeting to discuss potential irregularities in their attendance.  The letters indicated that this was a very serious matter of potential gross misconduct and that it could result in disciplinary action, up to and including dismissal.

The employees immediately lodged complaints with my Office.  They stated that they had never been informed of the purpose of the CCTV cameras on the campus where they were employed.  They pointed out that there were no signs visible about the operation of CCTV.  On receipt of the complaints, my Office contacted the employer and we outlined the data protection implications of using CCTV footage without having an appropriate basis for doing so.  We informed the company that, to satisfy the fair obtaining principle of the Data Protection Acts with regard to the use of CCTV cameras, those people whose images are captured on camera must be informed about the identity of the data controller and the purpose(s) of processing the data.  This can be achieved by placing easily read signs in prominent positions.  A sign at all entrances will normally suffice.  If an employer intends to use cameras to identify disciplinary (or other) issues relating to staff, as in this instance, staff must be informed of this before the cameras are used for these purposes.

The employer accepted the views of my Office.  It informed the two employees that it was not in a position to pursue the matter of potential irregularities in attendance as it could not rely on CCTV evidence obtained in contravention of the Data Protection Acts.
That case related to an internal disciplinary matter only. Consequently an interesting question arises where a matter makes it to the Employment Appeals Tribunal or a court: would those bodies be willing to accept into evidence material which the Data Protection Commissioner had found to be illegally obtained and may have directed not to be used for disciplinary purposes? Would an employer be bound by a ruling of the Data Protection Commissioner from tendering such evidence? What would happen in the event of such a clash?

There has been one case which illustrates the type of issues that might arise - in Case Study 2 of 2007 (Baxter Healthcare) the Data Protection Commissioner found that an employer had breached the fair obtaining principle by using a medical report of an employee (obtained in the context of a personal injury action brought by the employee) to defend a later unfair dismissal claim before the Labour Relations Commission. However, in that case the data protection ruling was made only after the unfair dismissal claim was concluded, leaving the issue open as to how the Labour Relations Commission would have handled the report if the ruling was made before it heard the matter.

It is unlikely that there will be any clarity until this issue is the subject of a written decision by the High Court. In the meantime, however, it's surprising that more litigants don't appear to be relying on data protection arguments to challenge the admissibility of evidence.

For more on this topic see Clark, “Data Protection and Litigation” (2009) 16(8) Commercial Law Practitioner 167 (no free link available).

Update (23.2.12) - The High Court has recently ruled against a prison officer seeking to prevent CCTV footage from being used in disciplinary proceedings against him on the basis that it was obtained in breach of his data protection rights. However there's no written judgment in this case making it difficult to determine the precise basis of the decision.

Monday, October 17, 2011

Innovation, Information and the Internet: Modernising Copyright Law

I'm delighted to be chairing a conference on copyright reform this Friday (21st October) and would encourage anyone with an interest in the topic to attend. The event is free and you can register online at http://www.dublincopyrightconference.com/. Full details:
Innovation, Information and the Internet: Modernising Copyright Law

When: Friday 21st October 2011, 1.00pm - 5.00pm (a sandwich lunch will be served at 12.00)

Where: Presidents' Hall, Law Society of Ireland, Blackhall Place, Dublin 7, Ireland

The current review of copyright law in Ireland presents significant challenges for rightsholders, copyright users and the legal profession alike. This conference will consider areas where Irish law is in need of reform and in particular will look at the role of copyright in the digital economy, the development of fair dealing exceptions, the role which fair use plays in the United States, and the experience of reform in the United Kingdom.

Speakers will include prominent national and international experts from private practice, academia and government, including:

Prof Dr Martin Senftleben - Faculty of Law, Vrije Universiteit Amsterdam
Ms. Helen Sheehy, Commercial & Copyright Department, Sheehy Donnelly Solicitors
Prof Lionel Bently - Faculty of Law, University of Cambridge
Mr Stephen Rowan - Deputy Director, Copyright and IP Enforcement Directorate, UK Intellectual Property Office
Prof Peter Jaszi - College of Law, American University Washington
Ms. Linda Scales, Solicitor and co-founder of the Copyright Association of Ireland

Sunday, September 18, 2011

Internet blocking in schools: not such a good idea, it turns out

Despite being published in 2010, I somehow managed to miss until now these remarkably sensible research findings from Ofsted on internet blocking in schools:
Restricting pupils’ access to websites may actually impair their judgement, making them more “vulnerable” to paedophiles on-line, said Ofsted. The claims come despite an admission that teachers had problems stopping young people logging on to “inappropriate” websites at school. In a report, Ofsted said there were widespread incidents of pupils accessing social networking websites and instant chat rooms – where they can be targeted with abuse. But inspectors said "locked down" systems that barred access to websites were actually "less effective" in keeping children safe overall.
In a particularly good analogy, Ofsted also points out that:
Children who hold a parent’s hand every time they cross the road are safe. However, unless they are taught to cross the road by themselves, they might not learn to do this independently. A child whose use of the internet is closely monitored at school will not necessarily develop the level of understanding required to use new technologies responsibly in other contexts.
There's a lesson here in relation to internet blocking as applied to adults also.

Daily Telegraph story
Full text of Ofsted report

(h/t Joe McNamee, EDRI)

Monday, August 08, 2011

Data protection: subject access rights not affected by litigation

The Circuit Court recently gave a significant judgment in Dublin Bus v. Data Protection Commissioner, holding that subject access rights in Ireland are not affected by the fact that civil proceedings are contemplated or ongoing.

In this case Dublin Bus attempted to withhold CCTV footage of an accident from a subject access request, making a number of rather weak arguments which claimed alternatively that the footage was subject to legal professional privilege and/or that the access request constituted some form of interference by the DPC with pending litigation. In the Circuit Court Judge Linnane gave short shrift to these claims, holding that the footage was not privileged, the Data Protection Acts did not contain any exemption in respect of contemplated or pending legal proceedings, and (unlike UK law) the Irish legislation does not permit the court any discretion as to whether to order access.

None of these rulings are surprising (it would have been very surprising indeed if the court had found otherwise) but it is nevertheless useful to have a decision confirming these points. I've placed a copy of the full judgment on Scribd in the hope that it might prove useful for other subject access requests:Dublin Bus v. Data Protection Commissioner

Wednesday, August 03, 2011

Site Blocking: What the UK Government would prefer you not to see

It's well known that internet blocking is easy to circumvent. Ofcom in today's report "Site Blocking" to reduce online copyright infringement admits as much, saying that:
For all blocking methods circumvention by site operators and internet users is technically possible and would be relatively straightforward by determined users. (p.5)
Despite this, however, one branch of the UK Government still appears determined to keep its head in the sand, and according to that report:
The Department for Culture, Media and Sport has redacted some parts of this document where it refers to techniques that could be used to circumvent website blocks.
Unfortunately, the technical competence of the DCMS appears to be somewhat limited, and the redaction was (ironically?) also easily circumvented, by measures as simple as copy/paste. Needless to say, a department which is unable to censor a single PDF does not exactly inspire confidence when it proposes to introduce blocking for the entire UK internet, and it is just as well that the UK government has today announced plans to abandon the blocking provisions of the Digital Economy Act.

[Updated - 1.15pm]

The full, unredacted version now appears on Scribd. As can be seen from that document, the material which was redacted was all improperly removed. The tactics discussed to circumvent blocking are all well-known, even to a mere lawyer such as myself, and the redactions appear to be motivated more by considerations of security theatre than anything else.Ofcom Site Blocking Report With Redactions Removed

[Previously]

Here are the individual portions of the report which the DCMS attempted to quash. Text in italics was not redacted but appears for context:

pp.28-29
Robustness

Bypassing IP address blocking is technically straightforward for those who have an incentive to do so.
The blocked site operator may:

• change IP address but stay on the same network (i.e. on the same hosting provider);
• move to an entirely new network (to a previously unobserved IP address);
• offer encrypted network services which obscure the true network address/destination such as Virtual Private Networking;26,27 or
• server operators may institute a Fast Flux network (where users run software on behalf of blocked site which hides the true network address of the blocked site).

There are other methods available to site operators. When moving to a new IP address a site operator may register multiple IP addresses for a given site in order to maintain service in the event that some of those individual IP addresses are blocked. This approach has legitimate purposes also.28 Furthermore, by setting a low “Time to Live” (TTL) Domain Name System (DNS) record value, determining the length of time that the IP address for a particular domain (expressed in seconds) remains in remote name server caches, it is easier for a site operator to move IP addresses without end users losing access. Where a low TTL is expressed the ISP DNS name server resolution cache is purged quickly thereby ensuring that newly assigned site IP addresses are retrieved from the authoritative name server and site accessibility is maintained. Figure 13 below shows that the TTL value for "kickasstorrents" is one hour, demonstrating that any changes to IP address to DNS name are refreshed and propagated within ISP DNS servers in just over an hour.

Figure 13: Kickasstorrents DNS record Time to Live (1 hour) Name TTL Class Record Address
www.kickasstorrents.com. 3600 IN A 95.215.60.37
www.kickasstorrents.com. 3600 IN A 93.114.40.112
www.kickasstorrents.com. 3600 IN A 193.105.134.81
www.kickasstorrents.com. 3600 IN A 95.143.195.138
www.kickasstorrents.com. 3600 IN A 76.76.107.90

26 Ipredator - Surf anonymously with VPN and proxy https://www.ipredator.se/?lang=en
27 UK based VPN services facilitating access to copyright infringed material may be subject to site blocking injunctions. UK VPN operators may institute site blocking at the VPN egress point. NB: we are not aware of any UK based VPN service marketed or positioned for such activity. Such services are likely to be non-UK based.
pp.33-34
DNS blocking robustness

For site operators and end users with a sufficient incentive to engage in circumvention DNS blocking is technically relatively straightforward to bypass:


• the blocked site may offer services such as Virtual Private Networking, which is where encryption and other security measures are deployed to ensure that the data cannot be viewed by third parties (DNS name resolution may occur within the VPN providers network thereby bypassing the ISP based DNS site-blocking);
• the end-user can change their DNS name servers to 3rd party DNS name servers;32,33
• users may use anonymous web proxy or other anonymising services which are not reliant on the ISP DNS servers; or
• name resolution may be performed locally by adding an entry to a hosts file (IP address resolution information can be obtained from websites running a web-enabled equivalent of “nslookup” command).

32 Google Public DNS - http://code.google.com/speed/public-dns/
33 OpenDNS Store > Sign up for OpenDNS Basic: - https://store.opendns.com/get/basic/

For end users who want to bypass blocks there are several options. For instance, there are many legitimate alternative DNS providers to ISP DNS registries. Examples include OpenDNS and Google DNS. We consider the changing of DNS servers to alternative providers to require low technical skills, as the providers offer clear instructions using plain English. For instance, switching to Google DNS requires 11 steps for Windows users and only 8 for those using MAC OS.

With a modest understanding of internet technologies it is possible to access a site by entering the site IP address (if multiple websites are hosted at the same IP address the user will be displayed the default web site or page for that web server/IP address). Site operators can draw attention to online web based and alternative sources of DNS name resolution within emails to their user base or via online forums.

Other channels that site operators could use to widely distribute advice on how best to circumvent DNS blocking could include posting to online forums, Really Simple Syndication (RSS) or updates via micro blogging sites such as Twitter ®. The advice could include changing to unblocked DNS name servers, Virtual Private Networks and proxy services or other anonymising systems. Similarly, site operators may quickly mirror or make copies of a blocked site on new top level or country code domains pointing towards new IP addresses e.g. www.blockedsite.cc; www.blockedsite.ru; www.blockedsite.vn; www.blockedsite.net.
p.38
Techniques that may undermine URL blocking include:

• web site operators providing encrypted access to their web sites via Secure Sockets Layer/ Transport Layer Security i.e. https connectivity https://www.example.com/downloads/pirate.zip;
• a site operator may run a website on a network port other than port 80;
• the site operator changing the IP address and bypassing the network routing announcements;
• a site operator registering a new domain name e.g. www.example.net or www.example.org;
• the blocked site offering services such as Virtual Private Networking;
• the use of anonymous web proxy or other anonymising services;
• the site operator reorganising the site structure if the blocking is conducted against specific URLs; and
• the site operator or end user encoding URLs to bypass blocking.
p.40
Packet inspection blocking robustness

Both shallow and deep packet inspection can be bypassed by site operators using the following means:


• changing the IP address but staying on the same network;
• moving to an entirely new network (to a previously unobserved IP address);
• the site may use network encryption techniques such as Virtual Private Networking to render scrutiny of the IP packet‟s payload or real IP address destination impossible, given the technology available today; or
• the site operator may add or remove site IP addresses from a pool of IP addresses.

End users who wish to circumvent packet inspection may opt to use anonymous web proxies or other anonymsing services.
p.41
As with the deployment of any of the single primary techniques, the hybrid approach is also susceptible to circumvention by the use of anonymising tools such as The Onion Router, VPNs or anonymous proxy services.
p.44 (Column marked "Difficulty of circumvention" originally redacted)


p.45 (Column marked "Difficulty of circumvention" originally redacted)




p.52
Technical Glossary

Anonymous Web Proxy Service that allows users to place web requests via an intermediary server. The proxy server makes the connection on behalf of the user thereby hiding originating IP address and bypassing blocking network techniques.

The Onion Router (ToR) Anonymity network originally developed by the United States Navy. Used in many countries to bypass state censorship.

Monday, August 01, 2011

Judicial committee to consider internet use by juries and live tweeting of trials

According to Kieron Wood in the Sunday Business Post Mr Justice John Murray is to chair a committee to consider the contempt risks posed by jurors' use of the internet and social media, and which may also consider the issues associated with courtroom reporting via twitter or liveblogging. There doesn't seem to be anything on the Courts Service website about this yet, but hopefully the committee will follow the UK practice by holding a full public consultation and (if there is a need for urgent action) issuing interim guidance only in the meantime. Given the importance of the constitutional guarantee of open justice it would be wrong to make any final decision without giving those affected the opportunity to be heard.

Kieron Wood also writes about the wider problems the internet poses for the justice system in a longer piece in the Business of Law supplement.

Friday, July 29, 2011

Newzbin2: Did BT shoot itself in the foot - and will Irish ISPs do the same?

Yesterday's decision in Twentieth Century Fox v. BT (PDF) introduces mandatory web blocking for the first time in the UK and unsurprisingly has already received a great deal of attention (BBC|Guardian|IPKat).

Lilian Edwards has provided a comprehensive legal analysis, while Richard Clayton tackles the technical implications of the judgment, so I won't attempt to duplicate their work. But a separate blog post might be useful on one point which has received less attention - the significance of the fact that BT had already voluntarily adopted a system - Cleanfeed - to block child abuse images.

In 2004 - when BT initially adopted Cleanfeed - it was even then obvious that there was a risk of function creep and in particular that copyright holders would seek to use the system. In a briefing to LINX at the time (link now broken), however, BT appeared to believe that it was unlikely to be sued and could mitigate this risk by discontinuing the use of Cleanfeed if scope creep became a reality. According to the then Director of Internet Services for BT Retail: "if the pressure to extend the scope of Cleanfeed became too great [BT] would simply cancel the project" and "BT is unlikely to be the defendent of choice for a copyright holder or other party attempting to hold an ISP legally responsible for Internet traffic".

Yesterday's ruling has shown the limits of this reasoning. Once Cleanfeed provided a proof of concept then function creep was inevitable and the idea that BT could unilaterally turn off the blocking system unrealistic. Instead, it painted a target on its back. According to a representative for the movie industry "BT was chosen because it's the largest and already has the technology in place, through its Cleanfeed system, to block the site".

The use of Cleanfeed also prevented BT from asserting two defences that might otherwise have applied - that there was no clear legal basis for imposing a blocking system and that their obligations would be unclear. Instead, according to the High Court:
the order sought by the Studios is clear and precise; it merely requires BT to implement an existing technical solution which BT already employs for a different purpose; implementing that solution is accepted by BT to be technically feasible; the cost is not suggested by BT to be excessive. (para. 177)
In light of this, therefore, it's hard not to conclude that BT shot itself in the foot by adopting a blocking system which could easily be repurposed for the benefit of Hollywood.

"No good deed goes unpunished" - this case proves the truth of this statement, and will undermine other voluntary initiatives to block child pornography by showing how easily those initiatives can be coopted by the movie industry or music industry. There's also a lesson here for Irish ISPs who are coming under police pressure to introduce similar blocking systems. Will they now do so, knowing that these systems will make them a happy hunting ground for the content companies, defamation plaintiffs, and others who may wish to block access to the web in Ireland?

Sunday, July 24, 2011

Irish mobile phone companies act on voicemail hacking - but why the delay and have they gone far enough?

Yesterday's Irish Times has a story detailing what Irish mobile providers are doing about voicemail security, in light of the UK phone-hacking scandal. There is more detail on the Data Protection Commissioner's website, which indicates that the DPC has abandoned earlier plans to make remote access to voicemail a user option. Instead, according to the DPC:
[The networks] have now all put in place or have committed to put in place in the coming days additional measures to assist their customers to protect the data on their phones. It is now important that the public follow the advice of their mobile provider and where they have not already done so take steps to either secure their voicemail and phones generally or improve upon the measures they may have already taken. At the end of this process it will no longer be possible to access a person’s voicemail using a default password.
The state of play is now as follows:
Meteor and eMobile
No default security PIN is applied and every customer is required to choose their own secure PIN when enabling voicemail. In an effort to encourage customers to take proactive steps to secure their voicemail service they have enhanced the information contained on both websites (www.eMobile.ie or www.meteor.ie) with additional details and guidance on how to secure voicemail services. Additionally, an educational SMS will be sent to all voicemail users in the coming days. Customers can strengthen their password today by dialing 171 (both Meteor and eMobile) and follow the instructions.

O2
O2 has commenced a programme of communications with customers to advise on how they can keep access to their voicemail secure at all times. The communications will include text messages to customers and a pre-recorded advisory when customers dial in to their voicemail service to retrieve messages. O2 has also updated its website with a range of security tips, available at www.o2.ie in the "Can we help you today?" section on the homepage. Customers can change their password today by dialling 173 from their handset and follow the instructions.

Three
Three is communicating to its customers the importance of securing their voice mail with a unique PIN known only to the customer. The communications will include text messages to customers with advice on setting up a voicemail PIN. There will also be an Online Help & Support update to the section on Voicemail to advise customers on the level of security they should use when setting up their PIN. Customers can change their password today by dialling 171 (in Ireland) or +353 83 333 3171 from abroad from their handset and follow the instructions.

Vodafone
From tomorrow Vodafone Ireland customers will hear information when they dial 171 on how they can change their voicemail password at any time. Voicemail and password information is also available today on Vodafone.ie. Vodafone will continue to inform its customers in the coming weeks on new enhanced security options available to its customers. Customers can change their password today by dialling 173 from their handset and follow the instructions.
At first glance this might seem like a step forward, but it leaves many questions unanswered.

First - why has it taken the Irish networks so long to act? Wrongful access to voicemail messages was well known long before now - and I blogged about it here back in 2006. There is simply no excuse for the delay that most networks have shown.

Second - will the networks continue to issue new phones with default voicemail passcodes? Credit must go to Meteor/eMobile who don't do so, but it isn't clear from the DPC's statement - "At the end of this process it will no longer be possible to access a person’s voicemail using a default password" - whether the other networks will be required to abandon their ongoing use of default passcodes. If not, however, then it's hard to see how they would not be in breach of Regulation 4 of the new ePrivacy Regulations, which provides that:
(1) With respect to network security and, in particular, the requirements of paragraph (2), an undertaking providing a publicly available electronic communications network or service shall take appropriate technical and organisational measures to safeguard the security of its services, if necessary, in conjunction with undertakings upon whose networks such services are transmitted. These measures shall ensure the level of security appropriate to the risk
presented having regard to the state of the art and the cost of their implementation.
(2) Without prejudice to the Data Protection Acts, the measures referred to in paragraph (1) shall at least—
(a) ensure that personal data can be accessed only by authorised personnel for legally authorised purposes,
(b) protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure, and
(c) ensure the implementation of a security policy with respect to the processing of personal data.

(Daragh O'Brien has more on the ePrivacy Regulations and their impact on voicemail hacking.)

Third - have the Irish networks taken steps to secure against other methods of voicemail hacking such as Caller ID spoofing? This is a well known problem in the US and at least some European countries - as Brian Krebs puts it:
For years, it has been a poorly-kept secret that some of the world’s largest wireless providers rely on caller ID information to verify that a call to check voicemail is made from the account holder’s mobile phone. Unfortunately, this means that... your messages may be vulnerable to snooping by anyone who has access to caller ID "spoofing" technology. Several companies offer caller ID spoofing services, and the tools needed to start your own spoofing operation are freely available online.
The recent statement from the DPC doesn't address this particular attack, and the track record of most Irish networks doesn't fill me with confidence that they are on top of this issue either.

Tuesday, July 19, 2011

The Internet of Elsewhere

I've just finished reading a review copy of Cyrus Farivar's impressive new book The Internet of Elsewhere. Like many books, it traces the development and mass takeup of the internet - unlike most, however, it is not US-centric and instead gives equal space to case studies from four countries: South Korea, Senegal, Estonia and Iran. In doing so, it provides a wealth of detail for many developments (the 2003 Iranian crackdown on bloggers, the Seoul "Dog Poop Girl", the Estonian takeup of wifi) which are often cited but seldom put into their wider social context. The author makes a particular point of describing the factors such as demographics, literacy and cost which have driven the use of the internet in each country - or, in the case of Senegal, have kept much of the population offline. A particular highlight for anyone interested in civil liberties online is the description of Iranian control of the internet, which goes back to early measures in 2000 and describes the various state tactics since then which have resulted in many prominent bloggers being forced to leave the country. The book also succeeds in being an easy read - while it is well researched and sourced it is also journalistic in its tone and describes each country through the stories of individuals. I would recommend this to anyone with an interest in the takeup of the internet and the social changes it prompts.

Tuesday, July 05, 2011

Virtual execution of documents under Irish law

There's been quite a bit written about the electronic signature of contracts, and under Irish law there are specific statutory rules in place under Part 2 of the Electronic Commerce Act 2000 which allow such signatures to be used. Curiously, however, there's been much less attention paid to a more traditional form of "virtual signing" - where one or more parties to a transaction are not physically present at the meeting where a particular document is executed.

In these situations the practice had developed of either executing signature pages in advance or signing a document remotely and subsequently distributing signature pages by fax or email. This practice, however, hit a road bump with the decision of the High Court of England and Wales in Mercury Tax Group v. HMRC which held that a signature given in respect of an incomplete draft deed could not be transferred to an amended final deed, as s. 1(3) of the Law of Property (Miscellaneous Provisions) Act 1989 requires that "the signature and attestation must form part of the same physical document... which constitutes the deed".

Although obiter, this finding had obvious wider implications for virtual signatures generally in any situation where statutory requirements for signatures must be met. Consequently, it was followed by a practice note from the Law Society of England and Wales (January 2010) and now by a practice note from the Law Society of Ireland (June 2011, PDF, pp. 52-53).

The whole Law Society guidance note is very useful and must be read, but it helpfully summarises the options as follows:
Option
Steps
Documents
Option 1 (return the entire PDF/ Word document and a PDF of the signed signature page)
• Once the documents have been agreed, final execution versions are emailed to the parties and/or their lawyers.
• For convenience, a separate extracted signature page may also be attached to the email, but this is not necessary.
• Each authorised signatory prints and signs the signature page. If appropriate, the signing may need to take place in the presence of a witness.
 • The signature page is then scanned and returned by email together with the whole document previously emailed to the signatory. (For a deed, make it clear when delivery is to occur.)
• See suggested wording for covering email (panel, p53)
Option 1 may be used for any document or deed, i.e. including:
• A deed,
• A real estate contract,
• A guarantee (whether a deed or in simple contract form),
• A simple contract.
Option 2 (return the entire PDF/ Word document and a PDF of the signed signature page)
• Once the documents have been agreed, final execution versions are emailed to the parties and/or their lawyers.
• For convenience, a separate extracted signature page may also be attached to the email, but this is not necessary.
 • Each authorised signatory prints and signs the signature page.
• The signature page is then scanned and returned by email, together with authority for it to be attached to the final approved version of the document. (The degree of formality required for this authority will depend on the circumstances.)
Option 2 may be used for:
• A guarantee (in simple contract form only),
• A simple contract
 • A real estate contract.

Option 2 may not be used for a deed (of any type).
Option 3 (return the entire PDF/ Word document and a PDF of the signed signature page)
• Once the documents have been agreed, final execution versions are emailed to the parties and/or their lawyers.
• For convenience, a separate extracted signature page may also be attached to the email, but this is not necessary.
 • Each authorised signatory prints and signs the signature page.
• The signature page is then scanned and returned by email, together with authority for it to be attached to the final approved version of the document. (The degree of formality required for this authority will depend on the circumstances.)
Option 3 may be used for:
• A guarantee (in simple contract form only),
• A simple contract,
• A real estate contract.

Option 3 may not be used for a deed (of any type).

There is also an important caveat that for registration purposes "wet ink" versions of all signatures may be required - if so, the guidance note points out that appropriate undertakings must be included that these will be provided following execution.

Friday, June 24, 2011

Irish documents on interception of communications and surveillance

I've uploaded a few documents recently which might be useful to anyone interested in issues of surveillance and interception of communications in Ireland.

First is the 2009/10 report of the Designated Judge responsible for monitoring the interception of communications and data retention:
Interception and Data Retention Annual Report 2009/10

Second is the 2009/10 report of the (different) Designated Judge responsible for monitoring covert surveillance:
Covert Surveillance Report 2009-10

Third is the Revenue manual setting out their understanding of their powers and duties in relation to covert surveillance, following the enactment of the Criminal Justice (Surveillance) Act 2009:
Revenue Surveillance Manual

(Many thanks to Mark Tighe for copies of the two judges' reports.)