Cloud computing controversy won't clear

It seems as though the controversy caused by the Chief State Solicitor's advice about purchasing cloud computing just won't go away. John Collins has an update in today's Irish Times. Here's an excerpt:

ON A Thursday afternoon early last month an e-mail with the subject line "eTenders – Cloud Computing Warning" began to arrive in the inbox of public servants.

Sent by the National Public Procurement Operations Unit, which operates the Government’s electronic tendering website, eTenders, the brief communication said the Chief State Solicitor’s Office had advised "that issues such as data protection, confidentiality and security and liability are not necessarily dealt with in a manner that would be necessary for public-sector responsibilities" by cloud services.

The e-mail was quickly forwarded around Ireland’s technology industry. Not only are companies such as Microsoft, IBM and HP investing millions into research centres and data centres here to support the new model of delivering software and other services over the internet, but Minister for Communications Eamon Ryan last year identified cloud computing as one of six "pillars" that would drive the creation of a smart economy.

In fact, Ryan is understood to have been extremely annoyed at the message being sent out, and his advisers have moved to soothe the nerves of some of the major technology multinationals based here.

While not renowned for its technology expertise, one of the roles of the Chief State Solicitor’s Office is to review commercial agreements for public bodies before they sign them.

"They must have reviewed a contract which wasn’t up to scratch and now they have concluded all cloud contracts are like this," says Philip Nolan, a partner in legal firm Mason Hayes + Curran who specialises in technology contracts. "It’s a totally disproportionate reaction and the IT industry is recoiling in shock."

Nolan equates the advice given by the Chief State Solicitor’s Office to someone saying 12 years ago "don’t buy anything using e-commerce because it’s not secure".

Describing the e-mail as "damaging", Ed Byrne, general manager of Hosting365, a local firm that provides a platform to support cloud computing, says eTenders should have instead "outlined the questions that need to be asked before buying a cloud service".

According to Byrne, this would have included questions such as where is the service based, who is the supplier, how much money can it save and what levels of support can be expected.

Previously on this blog: 1|2

Ryanair v. Billefleuge.de - Full decision now available

I've just received a copy of the decision of Hanna J. in Ryanair v. Billefleuge.de and uploaded it to Scribd. At first glance it appears to represent a significant win for site owners who wish to control screenscraping, indexing and other uses of their content:

Ryanair v. Billefleuge.de

Ryanair screenscraping: Irish court accepts jurisdiction, rules on enforceability of website terms of use

You might have noticed that Ryanair has an ongoing legal campaign to stop sites from scraping its content and then reselling flights. (Blogged previously by me: 1|2|3.)

Until now, however, Ryanair found itself stymied by jurisdictional problems, and in two separate decisions the Irish High Court held that it did not have jurisdiction to hear its claims. (The first decision saw Ryanair thwarted by its own terms of use which provided for the English courts to have jurisdiction; the second involved prior Swiss proceedings which caused the Irish court to decline jurisdiction in favour of the Swiss court.)

In the most recent development in this saga, Ryanair has now amended its terms of use to provide for the exclusive jurisdiction of the Irish courts, and has succeeded in establishing jurisdiction in Dublin in an action against Billigfluege and Ticket Point. According to the Irish Times Hanna J. held as follows:

The exclusive jurisdiction clause contained in [Ryanair’s] website’s terms of use was binding on [Billigfuege and Ticket Point] in circumstances where those terms were at all times available for inspection by [Billigfuege and Ticket Point] as users of or visitors to the website, [Ryanair] having taken appropriate steps to ensure that the terms were brought to the user’s attention through their inclusion on the website via a clearly visible hyperlink.

If you use the site, you agree not to breach its terms and if you do so, the exclusive jurisdiction clause set out in the Terms of Use makes it clear that Ireland is the appropriate jurisdiction for the purposes of litigating any disputes that may arise as a result.

The full decision isn't available online yet, but from this excerpt it may be very significant indeed.

This appears to be the first time an Irish court has ruled on whether site terms of use are enforceable, and the passage quoted seems to adopt a very wide browsewrap theory whereby visitors to a website will be bound by terms of use without any positive act on their part, provided that a hyperlink to the terms is "clearly visible". I'm not entirely sure that this result is correct - as Andres Guadamuz notes in a similar context, there are issues of acceptance and consideration in these cases - and it will be interesting to read the full decision to see whether and how these issues are considered.

The potential implications of this decision are also important. If the broad approach above is followed it would appear to have the potential to eliminate screenscraping entirely, and to enable site owners to assert exclusivity over information which is not protected by copyright or database right - in effect creating a new quasi intellectual property right and upsetting the balance created by statute. (Just witness the Dublin Bikes iPhone app case.) Hopefully if this case goes to a full hearing we will see these points raised and considered in detail.

Government departments not up in the clouds

After last week's story about the Department of Finance issuing warnings about the use of cloud computing, Sean Sherlock TD followed up by asking whether the warnings stemmed from any particular incident; whether government departments are already using cloud computing; and if so what safeguards are in place. The results are interesting: the Finance warnings don't appear to be the result of any mishap in central government as not one department is yet using cloud computing. (Though the Minister for Communications, Eamon Ryan, did say that his Department is actively promoting its use.)

Alternative routes to identifying "anonymous" online users

David Robinson and Harlan Yu have posted a superb series of posts on Freedom to Tinker (1,2,3) about tactics which might be used to identify anonymous internet posters, even in cases where IP addresses might not have been logged by the site which hosts the comment. The key insight is that sites typically embed multiple external services (such as advertising, stats counters and video hosting) which may either individually or in combination enable the identity of particular users to be pinned down:

[P]laintiffs' lawyers in online defamation suits will typically issue a sequence of two "John Doe" subpoenas to try to unmask the identity of anonymous online speakers. The first subpoena goes to the website or content provider where the allegedly defamatory remarks were posted, and the second subpoena is sent to the speaker's ISP. Both entities—the content provider and the ISP—are natural targets for civil discovery. Their logs together will often contain enough information to trace the remarks back to the speaker's real identity. But when this isn't enough to identify the speaker, the discovery process traditionally fails.

Are plaintiffs in these cases out of luck? Not if their lawyers know where else to look.

There are numerous third party web services that may hold just enough clues to reidentify the speaker, even without the help of the content provider or the ISP. The vast majority of websites today depend on third parties to deliver valuable services that would otherwise be too expensive or time-consuming to develop in-house. Services such as online advertising, content distribution and web analytics are almost always handled by specialized servers from third party businesses. As such, a third party can embed its service into a wide variety of sites across the web, allowing it to track users across all the sites where it maintains a presence.

The traceability of any given site visitor will still depend on context: the number of third party services used by the site, the popularity of each third party service across the web, the types of identifying data that these parties collect and store, whether the speaker used any online anonymity tools, and many other site-specific factors.

Despite the variability in third party tracing capabilities, the nearly simultaneous connections to a few third party services means that the results of tracing can be combined. By sleuthing through information held in third party dossiers, logs and databases, plaintiffs in John Doe lawsuits will have many more discovery options than they had ever previously imagined.

Of course, these tactics are likely to be expensive. Also, in an Irish context the uncertainty as to whether a result will be achieved may mean that a court will be less willing to grant a Norwich Pharmacal order (which is a discretionary remedy (PDF) - not something which is available as of right). But nevertheless, the research is important - particularly as it illustrates that traditional methods of ensuring online anonymity (such as TOR routing) may be vulnerable to indirect attack.

Banned in Turkey: Turkish internet filtering and blocking

Yaman Akdeniz has recently published a superb report for the OSCE on Turkey and Internet Censorship (press release | full text pdf).
 
Ironically, Yaman Akdeniz and his co-author Kerem Altıparmak have themselves been the subject of legal threats aiming to silence their criticism of Turkish internet censorship. Fortunately their book Restricted Access: A Critical Assessment of Internet Content Regulation and Censorship in Turkey (2008) is still available.

The image above is from Richard Dawkins' website, which has been blocked in Turkey since September 2008.

(Via Chris Marsden.)

Home Office terrorist material reporting site - some thoughts

The Home Office launched a new Directgov site last week, which "provides members of the public with information about what they can do if they come across violent extremist, terrorist and hate content online" (press release). The site takes reports and forwards them to a specialist unit within Association of Chief Police Officers (ACPO), which will take action if the material is illegal. Unsurprisingly there has been a good deal of media coverage (e.g. The Register | The Inquirer | BBC News).  So far, though, there doesn't seem to have been any assessment of how this fits into the broader matrix of internet regulation in the UK. This post asks what effect it might have.
  
Reducing the role of the IWF?

One of the more significant aspects of this story is that it appears to be the first time that the UK government has set up a specific site to which internet content can be reported. Until now, the government has effectively devolved that function to the Internet Watch Foundation (IWF). Although this is a private body, official policy has been to designate the IWF as the first port of call for online content. The Surrey Police website is typical:

If you come across offensive or illegal material, please DO NOT contact Surrey Police directly.

Instead, you can make a report on the Internet Watch Foundation (IWF) web site.
If they decide any action is needed, they will contact the ISP or the police, who can take appropriate action. (It's worth remembering that evidence of illegal or offensive material can be detected even after it has been deleted from a computer.)

The Internet Watch Foundation are qualified to judge the illegality of material and will report matters to the relevant police force. They are the only authorised organisation in the UK that provides an Internet hotline for the public to report their exposure to illegal content online.

Despite this, however, the IWF has never had a remit to receive complaints in relation to all illegal material online. For example, while there have been proposals from the Home Office that the IWF's remit should be extended to cover extremist websites, these have never come to fruition. Similarly, when the Terrorism Act 2006 created a system of notifying ISPs to take down terrorist material, that system bypassed the IWF entirely and required that notices be given via the police.

Consequently, the setting up of this site may be significant - does it indicate a trend which moves away from government reliance on the IWF and towards the use of separate (and public) reporting mechanisms?

Content control as a means of protecting vulnerable people?

The rhetoric used in announcing the site is also interesting. According to Lord West:

We want to protect people who may be vulnerable to violent extremist content and will seek to remove any unlawful material.

If this sounds familiar, that's because it echoes the justifications for introducing the Cleanfeed child abuse image blocking system and later for criminalising extreme pornography - in each case, a central component was the argument that harm would be caused to the viewer (by simply viewing the material, or by predisposing them to commit crimes). Is this approach - focusing on harm to the viewer - becoming more common in controlling content in the UK?

Using consumer pressure as a regulatory tool?

Quite apart from illegal content, the site also sets out to encourage users to challenge content which is  legal. According to Lord West:

This is also about empowering individuals to tell them how they can make a civic challenge against material that they find offensive, even if it is not illegal.

The internet is not a lawless forum and should reflect the legal and accepted boundaries of society.

Consequently, the site provides information on how to make complaints:

What you can do about online hate or violence that is not illegal

Most hateful or violent website content is not illegal. While you may come across a lot of things on the internet that offend you, very little of it is actually illegal.

UK laws are written to make sure that people can speak, and write, freely without being sent to prison for their views.

To be illegal, the content must match the descriptions at the top of this page.

Still, even if what you’ve seen does not seem to be illegal, you can take the steps below to have it removed if it upsets, scares or offends you.

Report it to the website administrator

Most websites have rules known as ‘acceptable use policies’ that set out what cannot be put on their website. Most do not allow comments, videos and photos that offend or hurt people...

If what you’ve seen is on a site with a good complaints system, you should report it to the website’s owners. Look out for their ‘contact us’ page, which should be clearly linked...

Report it to the hosting company

If the website itself is hateful or supports violence or terrorism let the website’s hosting company know. Hosting companies provide a place where the website sits, and often have rules about what they are willing to host.

Let the hosting company know they are hosting a website that breaks their rules, and ask them to stop.

You can find out which company hosts a website by entering their web address on the ‘Who is hosting this?’ website.

This approach - by encouraging community pressure to force ISPs to change their behaviour - matches policy in relation to blocking, where the Home Office has abandoned plans to legislate and has instead stated its intention to rely on public pressure instead:

For the first time the IWF will publish the list of ISPs who are certified as having implemented its blacklist. "Hopefully consumer and public pressure will encourage the ISPs who aren't on the list to comply," said Carr. A Home Office spokesman said: "We will continue to urge ISPs to implement blocking, and ask consumers to check with their suppliers that they have done so."

Does this mark the start of a trend towards greater use of consumer pressure by the UK government as a means of regulating what ISPs do?