Friday, April 29, 2005

Online Anonymity - Ratemyteachers.ie edition

Two interesting articles in the Irish Times today (subscription only) discuss the implications of ratemyteachers.ie, which allows students to give anonymous ratings and comments on their teachers. Needless to say, teachers aren't happy with comments such as "Couldn't teach her way out of a brown paper bag" and "Poor guy couldn't teach. Had it all in his head but just couldn't relate it to the students."

John Downes reports that the Joint Managerial Body (representing Irish secondary schools) has sought legal advice with a view to shutting down the service, only to be told that as the site is US based there is little that can be done. He also reports that the JMB has raised the issue with the Data Protection Commissioner, who has "indicated that the site is outside of [his] jurisdiction".

In the Business supplement, Fergal Crehan addresses the libel issues raised by the site, and also discusses the question of whether posters to the site could be identified (Article also available here):
Contrary to widespread belief, the internet does not afford absolute anonymity, and Operation Amethyst, the Garda child pornography investigation, has shown that there is an electronic trail which can be followed from a web server back to an individual computer.

In theory, therefore, a person posting content on a website can be identified via their internet service provider (ISP). ISPs are prevented both by data protection laws and their own privacy policies from giving out the details of their subscribers without their consent, but English courts have made orders in defamation cases compelling them to do so. In 2001, the business website www.motleyfool.com was compelled to hand over details of a pseudonymous poster who made defamatory statements regarding the company Totalise on the Motley Fool site. It was later held on appeal that the Motley Fool was not to be responsible for Totalise's costs for this application, thus avoiding the dilemma where a website has a choice between breaking data protection regulations and its own privacy policy where it hands over information voluntarily, and court costs where it does so only after a court order is granted.

Ratemyteachers states on its site that it complies with all court orders and subpoenas, but is it possible for an Irish teacher to get such a court order? If the principle established in the Motley Fool case is followed in Ireland, then the answer may be yes.

Whether Rate My Teachers would comply with an Irish rather than a US court order is unknown, and although there is provision for such an order to be enforced by a US court, the cost of such enforcement would seem to be prohibitive.

The Motley Fool ruling also suggested that in the interests of fair procedure, the person who is to be "unmasked" should be contacted by the web host or ISP and given an opportunity to give reasons why he should not have his details passed on, thus allowing a court to take a more balanced view in deciding the issue. A court may decline to give such an order, for example, in "whistleblower" situations, where the anonymity of a poster is of great importance.
I have to quibble with Fergal on two points here though.

First, he repeats the popular misconception that ISPs are prevented by the Data Protection Act / their own privacy policies from disclosing subscribers' identities in this type of situation. As I've explained, this is an oversimplification. The Data Protection Act permits voluntary disclosure to protect the "legitimate interests" of a third party to whom the data is disclosed, subject to a proportionality test. It might be that a particular ISP's privacy policy will prevent disclosure - but this is a difficult issue. Privacy policies may be regarded by the courts as mere policies - and won't necessarily have the status of contractual promises. In any event, many privacy policies will contain limitations which allow for disclosure to third parties in this type of situation.

Second, it's misleading to say that an Irish court order would be enforced by a US court. The US legal environment in relation to defamation is very different, since the First Amendment gives strong protection to speech in general and anonymous speech in particular. In several cases US courts have refused to enforce English libel decisions which they felt conflicted with the First Amendment's guarantee of freedom of speech. Consequently, to enforce any Irish order in the US, the plaintiff would have to show that the Irish decision was compatible with the First Amendment - which could be very difficult, given the differences between Irish and US libel laws.

Wednesday, April 27, 2005

Your personal information is for sale

From The Guardian:
Two national newspapers paid to receive confidential information from the police national computer, a court heard yesterday.

Articles from the Sunday Mirror and the Mail on Sunday were used in evidence against two former police employees and two private investigators charged with offences involving the sale of police information to the press.

The court was told that Stephen Whittamore, a 56-year-old private investigator with links to the national press, provided "very personal and confidential details" about a series of high-profile figures, including the EastEnders actors Charlie Brooks and Jessie Wallace; Bob Crow, general secretary of the Rail Maritime and Transport Union; and Clifton Tomlinson, son of the actor Ricky Tomlinson.

Riel Karmy-Jones, prosecuting, told Blackfriars crown court in central London that Mr Whittamore had received the information "through a chain" made up of the three other defendants: the private investigator John Boyall, 52; Alan King, a 59-year-old retired police officer; and Paul Marshall, 39, a former civilian communications officer who was based at Tooting police station in London.

Mr Marshall and Mr King both pleaded guilty to conspiracy to commit misconduct in a public office, while Mr Whittamore and Mr Boyall pleaded guilty to the lesser charge of breaching the Data Protection Act. All four were given a two-year conditional discharge.
This isn't unusual. Spy Blog points out that there have been many similar cases in England, including:
the breach of the Driver Vehicle Licensing Agency computer systems by animal extremist supporter Barry Saul Dickinson who only got 5 months in jail for the offence of "misconduct in a public office" and the Metropolitan Police spy Ghazi Kassim who only got two and a half years for "three charges of misconduct in a public office".
Why the reference to English cases? Is Ireland somehow immune? Hardly. We can be sure that similar cases are happening here. Although we have yet to convict somebody of selling information, there are periodic glimpses of things happening under the surface.

Two recent examples. The Minister for Justice has stated that some Gardaí are selling information to journalists. (The background to that statement includes alleged leaks by Gardaí to journalists about an assault on the Minister's son earlier that year.) Similarly, the Sunday Business Post recently printed (in relation to the Morris Tribunal) that:
Gardai have also been on the receiving end of phone bill enquiries. “I was able to access the phone records of 38 people, most of them guards,” said private investigator Billy Flynn, who helped expose the Donegal garda scandal. “You get a complete profile of the person - who they are contacting, how often and at what times.”
There are other credible allegations out there - but our defamation laws don't encourage their repetition here.

Any system is open to insider attacks, and there will always be a risk of a dishonest user seeking to profit from their access. The key must be to minimise this risk by limiting the data which is available to the insider, tracking the data which they access and determining whether they have a reason to do so, and ultimately deterring abuse with a credible risk of detection, prosecution and conviction. I'm not sure that Irish law goes far enough to do this.

Monday, April 25, 2005

Hot Press on the IRMA litigation

May's Hot Press has an article (not available online, as far as I know) about the filesharing litigation, including an interview with Dick Doyle of IRMA. Some interesting snippets from that article:
"18 months ago we sent brochures to 800 companies. We sent brochures to every governmental department. We sent one to every third level educational institution in the country. They all came back to me with what firewalls they have, and showed us what they're doing to make sure their students or lecturers aren't involved in it. They gave me evidence to show that under their Codes of Conduct, students will be taken off Internet access, fined or suspended."

"In the last three months, we've sent 6 million instant messages", he continues. "When someone is filesharing, a pop-up message comes up and says, 'This is IRMA - What you're doing is illegal'."

[...]

In order to identify music uploaders, Doyle spent a number of months infiltrating filesharing communities online. With the cooperation of an unnamed 'specialist' company, 4,000 seed songs were planted in various filesharing outlets (among them, Doyle recalls, tracks by Keane, Radiohead, Eminem and ABBA).

[...]

When contacted by IRMA, the 17 targeted individuals will be faced with two options.

"Option one is that they will be snowed under by evidence, and I will ask them to settle straightaway. This will involve getting rid of illegal files, cleaning up their PCs, getting rid of filesharing software. They will also, under court order, be asked to pay damages."

"In the UK, in 26 actions taken four months ago, 25 took option 1 and paid £3,000 damages. I would presume that anyone with common sense would do that."

[...]

"On this particular wave we've hit KaZaA and Gnutella, on the next we'll hit Limewire and all the rest."

Tuesday, April 19, 2005

Spinning Plausible Stories

The 2004 Report of the Data Protection Commissioner (pdf - summary in word format) has a worrying case study:

I received a complaint about Eircom not respecting a Barring Order that had been granted to a wife against her husband. Though she had changed the telephone account details from his name to her name, he had still been able to contact Eircom and had the access codes for voicemail reset so that he could access her voicemail. Furthermore, on closing the account, the final account had been sent to him at his address rather than hers.

Eircom investigated this complaint thoroughly from a data protection perspective. They were not able to establish definitively how the matters complained of arose but accepted that either the estranged husband had the account number himself or perhaps had “spun a plausible story” to Eircom.
Barring orders are granted in circumstances where there is a risk of violence. In this type of situation, disclosing somebody's personal information can threaten their safety or even their life. Yet, despite the fact that "procedures are in place for protecting confidential information and ... staff are aware of the company’s data protection obligations", information is still vulnerable to someone who can "spin a plausible story".

This is familiar territory. The phenomenon is better known as social engineering. It won't come as a surprise to anyone who has glanced at computer security. So why even mention it? Well, if we allow the government to push its data retention agenda then all sorts of personal information (such as details of the websites you visit or the emails you send) will be stored for several years. But don't worry about your privacy. After all,
"procedures are in place for protecting confidential information and ... staff are aware of the company’s data protection obligations".

Unless, of course, someone can spin a plausible story.

Political Spam

The 2004 Report of the Data Protection Commissioner (pdf - summary in word format) has just been released. There are several interesting case studies - one of which confirms that political spam is alive and well in Ireland. Note the unrepentant attitude of the politician in question:
[A] complaint ... was received in late 2003 ... about an unsolicited email of a political nature which had been sent by a County Councillor, Jon Rainey, of Fingal County Council. It was alleged that in June 2003 he had “harvested” email addresses from the address line of an email sent by a third party – who was also a County Councillor but of another party. (“Harvesting” refers to the addition to one’s own mailing list of any email address received on the “to” or “cc” line of the email). This was in contravention of the provisions of S.I. No. 535 of 2003 (European Communities (Electronic Communications Networks and Services (Data Protection) Regulations 2003) which provides for prior consent for unsolicited emailing of individuals for direct marketing purposes, including political purposes. I only name Mr. Rainey in my Report as he failed to cooperate with my investigations and only acknowledged the facts of the complaint 6 months after I had first raised them and then only when I had to formally issue him with an Information Notice under sections 10 and 12 of the Acts. At that late stage, he confirmed that the details of email addresses “harvested” from another email had been deleted from his system and that no further details had been obtained in this manner. However, his attitude to my Office was that the matter was of little consequence and he complained that I had “pestered” him. It is important that public representatives and candidates for elective office realise the importance of their obligations under the Acts and that, in so far as responding to legitimate investigations from statutory office holders is concerned, in no sense should they consider themselves above the law.
Irish politicians have been active spammers in the past, with the 2002 election campaign seeing voters annoyed by automated recorded phone calls and sms text messages, which were ultimately stopped by the intervention of the Data Protection Commissioner.

(There are two uncertainties raised by this case though. First, how did the councillor breach the 2003 Regulations by his actions in June 2003, when those Regulations only came into force on 6 November 2003? Second, under Irish law there is now an exemption for "direct mailing ... in the course of political activities" (s.1 of the Data Protection Act 1988 as amended). Is the term "direct mailing" wide enough to cover email (allowing this type of spam), or would it be limited to snail mail?)

Monday, April 18, 2005

Irish ISPs refuse to disclose users' identities

Fergus Cassidy points out that at least two Irish ISPs (Eircom.net and BT Ireland) have said that they will not disclose user details to IRMA without a court order. More details in the Irish Times (April 16 2005 - subscription only):
Eircom and BT Ireland confirmed yesterday that this customer data was protected under the Data Protection Act and they would not be giving the names to Irma. "We can't reveal names of customers to them because of data protection laws. But if there is a criminal inquiry, we can deal with gardai, but only the gardai," said a BT Ireland spokeswoman.

Irma will now have to seek injunctions from the High Court to compel the service providers to supply the information they need to prosecute. It said it is confident that the courts will force firms to supply the data. However, legal experts warned that there is no such guarantee.

"Internet firms are justified in not voluntarily disclosing such detail. It is then up to the music companies to show in court that they have sufficient evidence that particular individuals have been illegally distributing music files," said solicitor Paul Lambert.

US ISP sued for disclosing customer info

From CNET News.com
Comcast, the top U.S. cable TV network operator, is being sued by a Seattle-area woman for disclosing her name and contact information, court records showed Thursday.

In a lawsuit filed in King County, Wash., Dawnell Leadbetter said that she was contacted by a debt collection agency in January and told to pay $4,500 for downloading copyright-protected music or face a lawsuit for hundreds of thousands of dollars.

Leadbetter, a mother of two teenage children, was a customer of Comcast's high-speed Internet access service.

The company, Settlement Support Center, based in Washington state, was using information that the Recording Industry Association of America had obtained in a Philadelphia lawsuit over the illegal sharing of digital music files, said Lory Lybeck, the lawyer representing Leadbetter.

But no court authorized Comcast to release names and addresses of its customers, or notified his client that her information had been given to an outside party, Lybeck said.

Wednesday, April 13, 2005

Online Anonymity - Ryanair Edition

From the Guardian:
Pilots' leaders have accused Ryanair of an extraordinary attack on free speech in a high court battle over a website that contains anonymous criticisms of the airline by some of its employees.

The Irish low-cost carrier is trying to unmask the identity of pilots responsible for controversial remarks about its working practices on a message board run jointly by the British and Irish pilots' unions. Ryanair has drawn first blood by securing an injunction from a Dublin judge that bans the unions from destroying the codenames used by pilots on the Ryanair European Pilots' Association's website.

Jim McAuslan, general secretary of the British Airline Pilots' Association (Balpa), said: "We shall vigorously defend our position in refusing to divulge names of pilots who discuss with one another their problems and aspirations."

...

Union leaders say confidentiality is crucial in the aviation industry. They point out that pilots use online forums to report safety concerns. If anonymity is jeopardised concerns may never be aired.
Ryanair hasn't been shy about using the law to shut down sites which show it in a bad light. In this case, though, the site isn't public - access is limited to Ryanair pilots who register and are given a password.

The implication is that the real aim behind this litigation is to silence discussion of Ryanair's practices and to intimidate pilots who are afraid to speak under their own names. If so, that would be an improper use of the court process. The case raises some fundamental issues regarding freedom of speech and a full hearing in the High Court could be very interesting.

Tuesday, April 12, 2005

IRMA follows through on its threats

From RTE news - IRMA taking cases against internet piracy:
"The Irish Recorded Music Association has said it is pursuing cases against 17 people for illegally uploading music onto the internet."
It will be interesting to see how Irish ISPs respond to demands that they identify subscribers alleged to have shared music - in particular whether they make voluntary disclosure of this information.

Update - it's now clear that IRMA have yet to commence litigation. They've now requested that ISPs identify the users from their IP address and filesharing usernames. ISPs might or might not be able to do this voluntarily - but for the reasons I discussed here they should refuse voluntary disclosure and insist on a court order. Users should be wary of any ISP that's willing to hand over their personal information based on the mere accusation of a private body with no official standing. Irish ISPs should take a lead from their English counterparts' refusal of voluntary disclosure in the Motley Fool and later the BPI filesharing litigation.