Monday, December 22, 2008

Some thoughts on the IWF / Wikipedia debacle

One of the highest profile internet stories of December came when the Internet Watch Foundation placed a Wikipedia page on its black list of child pornography URLs, causing the page itself to be blocked by most UK ISPs and (more significantly) causing substantial collateral damage by preventing many UK users from being able to edit Wikipedia pages.

Now, after heavy criticism from internet users, the IWF has executed a hasty about turn, backing down after just five days. Though it still claims that the image in question is "potentially in breach of the Protection of Children Act 1978", nevertheless it has stated that given the "contextual issues involved in this specific case" and "in light of the length of time the image has existed and its wide availability, the decision has been taken to remove this webpage from our list".

While it's too soon to say what the long term implications of this might be, in the short term it has certainly damaged the reputation of the IWF, perhaps irreparably. As John Ozimek has pointed out, other actions of the IWF must now come into question:
So the scene was set for the IWF to take a fall. Gone is its record for 100 per cent undisputed blocking. Gone, too, is its reputation for being the undisputed good guy. Many people have looked at the image in question and have taken the view that it is not porn, or indecent, or abuse. Having made that judgement, they have started to ask questions about other imagery that the IWF has sought to block.

The absolute certainties that underpin a view that claims indecency is always porn is always abuse are shaken. Not least by reports that the child - now an adult - whose image lies at the heart of this controversy, is reported to have no regrets at all in respect of the photo.
It has also tarnished the IWF's legitimacy. In large part this rests on claims that it operates a formal mechanism for identifying material to be blocked, along with a (semi-) independent appeals procedure. But the ad hoc nature of the decision making in this case - where the IWF board ignored the results of its own appeals procedure - suggests that there are different rules in place for high profile sites with vocal supporters. Lilian Edwards puts the point well:
Non-accountable: the IWF`applied their own appeals procedure to the decision, after media pressure, and reversed it. Effectively they changed their mind. This is not how true courts and tribunals work, where an appeal must be heard by a seperate body with an account of what factors lead to a different legal decision. The IWF may have truely reconsidered their opinion as to the law (although their own press release rather speaks against this), but they may equally well have simply bent to public pressure, or practical enforcement problems. For those who truly want an objective system which responsibly cracks down on child porn, this is surely unacceptable. Justice is a system, not an arbitrary private discretion.
The incident has also compromised claims for the technical efficiency of UK internet filtering. While at least one UK ISP has resorted to a crude form of IP blocking, the two stage filtering process pioneered by BT (as its "Cleanfeed" system) has been sold on the basis that it can effectively block specific URLs without degrading network performance and with no collateral damage to legitimate content. That has been shown not to be the case. As Richard Clayton points out in a comprehensive post on the technical aspects of the system:
To sum up the key technical matters: the IWF chose to filter text pages on Wikipedia rather than just the images they were concerned about; the use of proxies by ISPs broke Wikipedia’s security model that prevents vandalism; the previous controversy about the Virgin Killers album cover meant that IWF’s URLs were quickly identified; however different capitalisations of URLs, the different blocking technologies, and the different implementation timescales led to considerable confusion as to who blocked what and when.

Some of these matters could be described as "human error" and might be done better in any re-run of these events with any of the other questionable images hosted on Wikipedia (and many other mainstream sites). However, most of the differences in the effectiveness of the attempted censorship stem directly from diverse blocking system designs — and we can expect to see them recur in future incidents. The bottom line is that these blocking systems are fragile, easy to evade (even unintentionally), and little more than a fig leaf to save the IWF’s blushes in being so ineffective at getting child abuse image websites removed in a timely manner.
The case has also thrown up issues of selective enforcement and parity of treatment between offline and online content. The IWF blacklisted this image only when hosted by Wikipeda - despite the fact that the same image was hosted by online retailers (and, indeed, has appeared on the cover of albums in your local record shop for the last thirty years). This disparity was bound to cause criticism, and the IWF's response - that it only acts on complaints received by it - has been felt by many to be inadequate.

Many users - when made aware of the blocking - also questioned the deceptive error messages used by most ISPs. Although some (notably Demon Internet) show pages indicating that content has been blocked, most ISPs appeared to be using fake 404 pages. It is far from clear why this is done, particularly when the practice in many jurisdictions using similar systems is to use block pages telling users why content has been blocked and what they can do if they feel that this is a mistake. (E.g. Sweden | Finland.)

The approach taken by the IWF to borderline images and fair procedures also comes into question. On their own admission they blocked the image on the basis that it was "potentially illegal" - and did so without notifying Wikipedia much less offering a right to be heard. One Wikipedia admin board sums up this point well:
The image is not certain to be illegal. In the IWFs own words the image was judged to be "potentially illegal indecent image of a child under the age of 18, but hosted outside the UK". The album has been for sale in many countries with this cover for over 30 years. No one has ever been prosecuted over the image as far as is known. The FBI investigated a report of this album cover in spring 2008 and decided to take no action. The Wikimedia Foundation has not been requested by the FBI or any other law enforcement agency to remove the image and has certainly not been charged over it. The ultimate arbiter of whether an image is illegal is a court of law, in particular a jury, and not a self-selecting group, however well-intentioned their motives.

The IWF blocked access to a page on one of the world's most-visited websites without informing its owners. We understand that their policy is not to contact any of the hosts they block, but commonsense should have told them that blocking such a website might have unforeseen consequences. In particular, they failed to understand that whereas a block of the article itself may well amount to restraint on the guaranteed freedom to receive and impart information, the image itself is uploaded from a different URL which could have been separately blocked by the ISPs with whom they are in partnership; in this way, they demonstrate a complete lack of understanding of how websites work, which is chilling in the extreme for a supposed Internet Watchdog.
Taking a longer term view, this incident means that any widening of the IWF's remit is now likely to be put on hold. There have been suggestions in the past that the blacklist should be extended to e.g. websites which "glorify terrorism", while the police and Ministry of Justice have already been advising individuals to refer alleged "extreme pornography" images to the IWF for assessment - however, in light of the considerable reputational damage caused by the Wikipedia ban the IWF is likely to be more cautious before it takes on any new roles.

Of course, it's not just in the UK that these debates are taking place - in the United States for example there are striking parallels about the way in which an private body (the National Center for Missing and Exploited Children) has become an "unofficial internet regulator" carrying out internet censorship without any legislative basis, oversight or transparency. Chris Soghoian has an insightful editorial with more detail.

Increased criminal penalties for spammers

In good news for Irish internet and mobile phone users the sending of spam has for the first time become an indictable offence, carrying a possible maximum penalty of €250,000 or up to 10% of a company's turnover (Sunday Times, Silicon Republic). Most cases will presumably remain in the District Court, where the maximum penalty is increased to €3,000. The changes should substantially strengthen the hand of the Data Protection Commissioner in dealing with persistent offenders.

Update - 12 January 2009: The full text of the amending statutory instrument is now available. Other changes made by the SI include extending to two years the period in which summary prosecutions can be brought, providing that in prosecutions where consent is an issue the burden of proof rests on the defendant to show that a subscriber opted in, clarifying the scope of the soft opt-in provision in respect of similar goods or services, and providing that an officer of a company can be prosecuted without the need first to proceed against or convict the company of the offence.

Wednesday, December 17, 2008

Mobile phone bullying - operators try to ward off regulation?

The Irish Times is reporting that the major mobile operators have launched a new pamphlet aimed at helping parents deal with issues such as mobile phone bullying. A response to recent political demands that the industry be required to implement (rather ill conceived) technological solutions?

It's probably worth mentioning that this is taking place against the backdrop of European initiatives on safer mobile use under which the industry has agreed to implement national self-regulation.

HEAnet Conference - video and slides now available


The HEAnet National Networking Conference took place last month in Kilkenny and the organisers have now put up video and slides for all presenters. I'm obviously biased in recommending my own presentation "Here come the Internet cops" (final keynote) but other highlights for me included Aidan Carty and Anthony Keane's "Honeypots and Darknets - What are they good for?" and Cathal McCauley and Peter Clarke's "Second Life - Brave New Frontier or Fleeting Gimmick?".

Monday, December 08, 2008

Internet Watch Foundation blocks Wikipedia

The internet - and more significantly the mainstream media - is abuzz with the news that the hitherto low profile Internet Watch Foundation has blacklisted a Wikipedia page. The IWF blacklist - more formally the Child Sexual Abuse Content URL List - is a list of URLs alleged to contain child pornography, which UK ISPs have "voluntarily" agreed to block (that is, they volunteered when the government indicated that if they did not legislation would be introduced compelling them to do so).

This presents all sorts of interesting problems for the law and civil liberties. There is no legislation underpinning the IWF, which is a purely private body. There is no judicial control of its activities, and the process by which it blocks sites is particularly opaque (it does not notify site owners either before or after sites are blocked, nor does it offer a right to be heard). It does claim to offer a right of appeal against blocking, but that is not an appeal to an independent body but to a division of the Metropolitan Police. In short, it has (with government backing) implemented a remarkable system of censorship which departs from almost every traditional understanding of freedom of expression in the UK.

I've been following the development of this system for some time now, and I spoke about some of these issues in this paper at the 2008 BILETA Conference in Glasgow:

Friday, December 05, 2008

UK DNA database held to be in breach of European Convention on Human Rights

Good news from the European Court of Human Rights, which has held that the UK DNA database - the largest in the world, containing the DNA of hundreds of thousands of innocent people (amongst them forty thousand children) - is in breach of Article 8 of the ECHR on private and family life. Here are some highlights from the decision:
The Court observes that the protection afforded by Article 8 of the Convention would be unacceptably weakened if the use of modern scientific techniques in the criminal-justice system were allowed at any cost and without carefully balancing the potential benefits of the extensive use of such techniques against important private-life interests. In the Court's view, the strong consensus existing among the Contracting States in this respect is of considerable importance and narrows the margin of appreciation left to the respondent State in the assessment of the permissible limits of the interference with private life in this sphere. The Court considers that any State claiming a pioneer role in the development of new technologies bears special responsibility for striking the right balance in this regard.
...
The Court acknowledges that the level of interference with the applicants' right to private life may be different for each of the three different categories of personal data retained. The retention of cellular samples is particularly intrusive given the wealth of genetic and health information contained therein. However, such an indiscriminate and open-ended retention regime as the one in issue calls for careful scrutiny regardless of these differences.
...
Of particular concern in the present context is the risk of stigmatisation, stemming from the fact that persons in the position of the applicants, who have not been convicted of any offence and are entitled to the presumption of innocence, are treated in the same way as convicted persons. In this respect, the Court must bear in mind that the right of every person under the Convention to be presumed innocent includes the general rule that no suspicion regarding an accused's innocence may be voiced after his acquittal (see Asan Rushiti v. Austria, no. 28389/95, § 31, 21 March 2000, with further references). It is true that the retention of the applicants' private data cannot be equated with the voicing of suspicions. Nonetheless, their perception that they are not being treated as innocent is heightened by the fact that their data are retained indefinitely in the same way as the data of convicted persons, while the data of those who have never been suspected of an offence are required to be destroyed.
...
The Court further considers that the retention of the unconvicted persons' data may be especially harmful in the case of minors such as the first applicant, given their special situation and the importance of their development and integration in society. The Court has already emphasised, drawing on the provisions of Article 40 of the UN Convention on the Rights of the Child of 1989, the special position of minors in the criminal-justice sphere and has noted in particular the need for the protection of their privacy at criminal trials (see T. v. the United Kingdom [GC], no. 24724/94, §§ 75 and 85, 16 December 1999). In the same way, the Court considers that particular attention should be paid to the protection of juveniles from any detriment that may result from the retention by the authorities of their private data following acquittals of a criminal offence. The Court shares the view of the Nuffield Council as to the impact on young persons of the indefinite retention of their DNA material and notes the Council's concerns that the policies applied have led to the over-representation in the database of young persons and ethnic minorities, who have not been convicted of any crime (see paragraphs 38-40 above).
...
In conclusion, the Court finds that the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences, as applied in the case of the present applicants, fails to strike a fair balance between the competing public and private interests and that the respondent State has overstepped any acceptable margin of appreciation in this regard. Accordingly, the retention at issue constitutes a disproportionate interference with the applicants' right to respect for private life and cannot be regarded as necessary in a democratic society. This conclusion obviates the need for the Court to consider the applicants' criticism regarding the adequacy of certain particular safeguards, such as too broad an access to the personal data concerned and insufficient protection against the misuse or abuse of such data.
That last sentence is key - the court is holding that the principle of retention itself is unacceptable, irrespective of the procedural safeguards that might apply to access to or use of the genetic data.

Tuesday, December 02, 2008

Identifying Individuals in Internet Iniquity: ECHR rules on naming wrongdoers

The European Court of Human Rights gave an important decision today in KU v. Finland, dealing with the issue of whether states are obliged to have laws which allow for the identification of internet wrongdoers. In short, according to the court the answer is yes - national laws must "provide the framework for reconciling the various claims which compete for protection in this context" and a national law which gives an absolute guarantee of anonymity and confidentiality of communication may breach the rights of persons who are affected by online wrongdoing.

In this case the applicant, who was then aged 12, was the victim of a fake personal ad giving his name, phone number, date of birth and his picture and claiming that he was looking for a homosexual relationship. The applicant learned of this when he received a phone call from an older man. Although that man was eventually identified and charged with an offence the person who placed the ad remained unidentified. The police sought to find out (from the ISP) the name of the subscriber behind the dynamic IP address used to place the ad. The service provider however was advised that it was bound by the duty of the confidentiality of telecommunications and could not reveal the user's identity. The Finnish courts ultimately agreed, holding that the law as it stood provided for this information to be revealed only in respect of specified criminal offences - and although defamation ("calumny") was a criminal offence, it was not a sufficiently serious offence to fall within the scope of the legislation.

The applicant applied to the European Court of Human Rights, claiming that the fake ad constituted a violation of his right to a private life under Art. 8 of the ECHR, and that as he could not identify the person responsible he had been denied an effective remedy for that violation under Art. 13 ECHR.

The court held that Finland was in breach of its obligations under Article 8, in that it had not provided an effective criminal sanction for the violation of the applicant's rights. The fact that a remedy was available against a third party - the service provider - was not sufficient. This did not mean that the identity of the person responsible would have to be revealed in every case - but national law must provide a framework within which a decision could be made balancing the rights of a victim with the considerations of freedom of expression and confidentiality of communications. As the national law at the relevant time failed to do this (prohibiting disclosure except in a narrow class of cases) it was in breach of Article 8. Consequently the court did not go on to consider the issue under Article 13. The relevant passages are worth quoting in full:
45. The Court considers that, while this case might not attain the seriousness of X and Y v. the Netherlands, where a breach of Article 8 arose from the lack of an effective criminal sanction for the rape of a handicapped girl, it cannot be treated as trivial. The act was criminal, involved a minor and made him a target for approaches by paedophiles...
46. The Government conceded that at the time the operator of the server could not be ordered to provide information identifying the offender. They argued that protection was provided by the mere existence of the criminal offence of calumny and by the possibility of bringing criminal charges or an action for damages against the server operator. As to the former, the Court notes that the existence of an offence has limited deterrent effects if there is no means to identify the actual offender and to bring him to justice...
47. As to the Government's argument that the applicant had the possibility to obtain damages from a third party, namely the service provider, the Court considers that it was not sufficient in the circumstances of this case. It is plain that both the public interest and the protection of the interests of victims of crimes committed against their physical or psychological well-being require the availability of a remedy enabling the actual offender to be identified and brought to justice, in the instant case the person who placed the advertisement in the applicant's name, and the victim to obtain financial reparation from him.
48. The Court accepts that in view of the difficulties involved in policing modern societies, a positive obligation must be interpreted in a way which does not impose an impossible or disproportionate burden on the authorities or, as in this case, the legislator. Another relevant consideration is the need to ensure that powers to control, prevent and investigate crime are exercised in a manner which fully respects the due process and other guarantees which legitimately place restraints on crime investigation and bringing offenders to justice, including the guarantees contained in Articles 8 and 10 of the Convention, guarantees which offenders themselves can rely on. The Court is sensitive to the Government's argument that any legislative shortcoming should be seen in its social context at the time. The Court notes at the same time that the relevant incident took place in 1999, that is, at a time when it was well-known that the Internet, precisely because of its anonymous character, could be used for criminal purposes (see paragraphs 22 and 24 above). Also the widespread problem of child sexual abuse had become well-known over the preceding decade. Therefore, it cannot be said that the respondent Government did not have the opportunity to put in place a system to protect child victims from being exposed as targets for paedophiliac approaches via the Internet.
49. The Court considers that practical and effective protection of the applicant required that effective steps be taken to identify and prosecute the perpetrator, that is, the person who placed the advertisement. In the instant case such protection was not afforded. An effective investigation could never be launched because of an overriding requirement of confidentiality. Although freedom of expression and confidentiality of communications are primary considerations and users of telecommunications and Internet services must have a guarantee that their own privacy and freedom of expression will be respected, such guarantee cannot be absolute and must yield on occasion to other legitimate imperatives, such as the prevention of disorder or crime or the protection of the rights and freedoms of others. Without prejudice to the question whether the conduct of the person who placed the offending advertisement on the Internet can attract the protection of Articles 8 and 10, having regard to its reprehensible nature, it is nonetheless the task of the legislator to provide the framework for reconciling the various claims which compete for protection in this context. Such framework was not however in place at the material time, with the result that Finland's positive obligation with respect to the applicant could not be discharged.
When I blogged about this case before, I mentioned concerns that it might require states to introduce much wider rules to identify internet users. Is it likely to have this effect? While it's difficult to make an immediate assessment, there are factors in the judgment which could go either way. The court points out that it is dealing with a "grave" criminal offence, which leaves open the question of whether the reasoning would apply to less serious offences or to civil matters only. It also limits itself to requiring a national balancing framework between the rights of an alleged victim and the general rights of privacy in communications and freedom of expression - presumably within that framework states will enjoy a significant margin of appreciation. On the other hand, it rejects the argument that other systems (such as notice and takedown or intermediary liability) can suffice, insisting instead on requiring identification of users. It also focuses on the "ability of the victim to obtain financial reparation", which seems to extend the reasoning to civil matters also. On the whole, the judgment raises more questions than it answers, and these issues will need to be addressed in future cases.

Monday, December 01, 2008

James Boyle - The Public Domain

James Boyle is one of the most interesting people working in the area of intellectual property. His 1996 book Shamans, Software, and Spleens was an early and engaging look at whether intellectual property law had become tilted too heavily in favour of rights-holders. In Bound by Law he collaborated with Keith Aoki and Jennifer Jenkins to produce something other than "grey lawyerly prose" - an entertaining comic book guide to the way in which IP law is crippling documentary film-makers. He's chair of the Creative Commons board. Oh, and he also writes novels.

In his latest book - The Public Domain: Enclosing the Commons of the Mind - he has produced another fascinating read. Starting by asking just why the US government issued a patent on making peanut butter and jelly sandwiches(!) he argues that we have allowed IP law to grow in an almost unfettered way and that this "New Enclosure Movement" has created an environment which stifles creativity and jeopardises the notion of the public domain.

Best of all, he's practising what he preaches by making the book available in its entirety for free under a Creative Commons licence.