Thursday, January 29, 2009

"Three strikes" for Ireland - Eircom, music industry settle filtering case

The big news of the day in Ireland is that Eircom and the music industry have settled the case in which the music industry had demanded that Eircom monitor users' connections to block peer to peer filesharing (background here). Instead the industry has dropped the action on condition that Eircom introduce a "three strikes" system where users accused of filesharing by the music industry will be disconnected after two warning letters. According to Eircom it has agreed to:
1) inform its broadband subscribers that the subscribers IP address has been detected infringing copyright and

2) warn the subscriber that unless the infringement ceases the subscriber will be disconnected and

3) in default of compliance by the subscriber with the warning it will disconnect the subscriber
More from Digital Rights Ireland | EFF | ars technica | Boing Boing | Daithi. Oisin, commenting on Lex Ferenda, makes some interesting points which in the spirit of the litigation I'm shamelessly going to copy (though I'm not sure that I agree that Eircom will need to change their terms of use - the existing policy is already drafted to allow termination for almost any infraction):
What’s probably going to happen is that this whole issue is going to shift from being an IP/regulatory law one to being a contract/ consumer protection law one. Two points spring to mind.

First, to put this settlement into practice Eircom will have to modify its terms of service for all its current customers (without giving any legal consideration for a unilateral modification of a contract) which could pose considerable enforceability problems. Moreover, to properly incorporate the ‘three strikes and your out’ rule into its contracts Eircom is probably going to have to draw this new provision to the attention of its subscribers (so we may, indirectly, get to figure out what the terms of settlement were).

Second, and more interestingly, if, and when, Eircom seeks to terminate someone’s service, we may finally get some litigation as to whether or not these often unfair, impenetrable user agreements are actually enforceable or not. We’ll finally get to see if the Unfair Terms Directive, along with all the old common law and equity cases on enforcing one-sided terms that weren’t negotiated or drawn to the parties attention have any bearing on user agreements.
My take? This isn't really a win for the music industry. They were clearly hoping for an outright win requiring all ISPs to filter and setting a precedent in a common law jurisdiction to match SABAM v. Tiscali. Instead they've merely achieved an agreement with one ISP - albeit the largest - which doesn't go any further than they might have been able to achieve by negotiation in the first place. As Ronan Lupton points out the agreement is not enforceable against the rest of the industry, and it is debatable whether other ISPs will show any appetite to come on board. Moreover, if three strikes is challenged as Oisin suggests then it will receive much less judicial deference than if it had been adopted as part of an industry wide deal with explicit government support.

It is, though, a loss for the user. The three strikes process in this case is procedurally
unfair and represents an extreme model largely rejected elsewhere.

Tuesday, January 27, 2009

Blogger who didn't delete comment can't sue over it

OUT-LAW has a very interesting application of the rule that one cannot sue for libel in respect of a publication to which one consents:
Christopher Carrie is the author of a self-published book in which he claims to have been sexually abused by the son of writer JRR Tolkien, Father John Tolkien. John Tolkien, who was a priest, died in 2003.

Carrie set up a blog on 5th February 2007 and published a post under a pseudonym on 6th February, promoting his website and his book, which could be downloaded from there for free.

The court heard that JRR Tolkien's great grandson Royd Tolkien had posted a comment on the site claiming that Carrie was a fraudster who had tried to defraud the Catholic Church and the Tolkien family and had admitted to lying about sexual abuse to extract money from the church.

Carrie denied the claims via his pseudonym on the site, and sued Tolkien, claiming that the remarks were defamatory.

Carrie did not remove the remarks, though, even though the Court heard that he had seen them four-and-a-half hours after they were posted. The remarks are still online.

Tolkien argued that this meant that Carrie consented to the publication of the comments, and the High Court agreed. Mr Justice Eady granted summary judgment in favour of Tolkien.

"No explanation was offered for [Carrie] having taken no steps to delete it until his witness statement of 18 November 2008 was served," said the ruling. "The explanation given, however, of putting the words 'in context' does not in any way detract from the validity of a defence of authorisation or acquiescence. The fact remains that he could have removed it at any time over the last 22 months."
Full judgment here.

What's it all about?

Here's a word cloud from the excellent Wordle visualising recent posts to this blog:

Monday, January 19, 2009

Data Protection Review Group Announced

The Department of Justice has today announced the creation of a Data Protection Review Group on breaches of data protection. The terms of reference are:
a. Legal issues

i. Consider whether Irish Data Protection legislation needs to be amended to deal with data breaches.
ii. Assess the effectiveness of existing legislation in this context, including the impact of mandatory reporting legislation where it has been introduced.
iii. Assess the likely impact of the scope and timing of the forthcoming ePrivacy Directive and next EU Data Protection directive and other relevant international legislative developments.
iv. Describe the range of options in existing legislation within EU and with competing non EU states.
v. Consider the potential formats of mandatory reporting.
vi. Consider the role and level of penalties in any mandatory regime.

b. Technical issues


i. Definition of "breach" in the context of how organisations' use of technology is changing.
ii. Assessment of the assortment of devices and locations holding data now.
iii. Assessment of whether the same mechanisms should apply to paper and electronic media in any suggested change.
iv. Attempt to foresee unintended consequences in the light of the rapid evolution of technology and business practices.

c. Regulatory issues

i. Assess the prevalence of the data breach problem and level of existing reports.
ii. Assess any empirical evidence that Data Protection legislation informs industrial location decisions.
iii. Consider whether any change bear on Public and Private sectors equally.
iv. Assess how to establish the threshold of seriousness - in some cases a very small number of records could potentially cause substantial harm.
v. Balance the potential effectiveness of any proposed change against increasing the costs of doing business in Ireland - the Group should, insofar as possible, ensure that its deliberations equate to a Regulatory Impact Analysis.

The members of the group are:
Chairman: Mr. Eddie Sullivan (former Secretary General Department of Finance), Mr. Billy Hawkes, Data Protection Commissioner, Professor Robert Clark (School of Law, UCD), Ms. Isolde Goggin (former Chair of Comreg and expert on Regulatory Impact Assessment), Mr. Alec Dolan & Ms. Noreen Walsh (Department of Justice, Equality and Law Reform, Mr. Dave Ring (CMOD, Department of Finance), Mr. Tony McGrath (Department of Enterprise, Trade and Employment), Mr. Paul Carroll (Department of Social and Family Affairs) and Mr. Roger O'Connor (Department of Communications, Marine and Natural Resources).

The decision to look at data breaches - and in particular mandatory reporting - was made in October of last year after parliamentary questions revealed that the government was losing at least one electronic device per week, and that the vast majority of devices were not encrypted.

Submissions to the group should be sent to dataprotectionreview@justice.ie by March 1st.

Thursday, January 15, 2009

The Music Industry v. Eircom - Let Battle Commence!

The trial started today in the case being brought by the EMI, Sony, Warner and Universal against Eircom, in which the music industry is demanding that Eircom put in place a filtering system to block peer to peer downloads. The case is being heard in the High Court before Charleton J. under the record number 2008/1601P EMI RECORDS IRELAND LTD & ORS V EIRCOM LTD. It's listed for hearing for four weeks (and will be in Court 7 should you be passing the Four Courts and interested in observing some of the argument). For the argument that the plaintiffs' case represents a threat to privacy and freedom of expression on the internet see this Digital Rights Ireland post.

Update (16.01.08): The Irish Times has coverage of the first day of hearings. I was rather amused by this internal email from 2001:
"We need to reach a decision on how we are going to handle this," the e-mail said. "PS: 'piracy' is a loaded term. Could we say 'sharing' – 'piracy' implies there’s something wrong with it.

"Think of it as helping the health and good living of rich cocaine-sniffing rock stars by leaving them with less free money to spend on sex and drugs."
In a separate story, the Irish Times also reveals claims by the music industry that their campaign of litigation directly against individual uploaders "had cost the companies some €600,000 and secured compensation of only €70,000".

Tuesday, January 13, 2009

ComReg to Regulate .ie ccTLD

Important news for the Irish internet with the announcement that Comreg has completed its consultation process and now proposes to introduce a new framework for regulation of the .ie top level domain. The press release summarises the changes as follows:
- ComReg will, by way of regulation, appoint IEDR as the authority authorised to register .ie domain names in accordance with Section 32(4)(a) of the Act of 2007,
- IEDR will set up and maintain a Policy Advisory Committee (PAC) representative of all stakeholders with a focus on more transparent policy development,
- IEDR will continue to adopt the "managed approach" to .ie registrations to ensure continued protection for .ie domain name holders and consumers,
- ComReg will implement a monitoring framework and will participate in the PAC to keep abreast of activities in the marketplace,
- Further regulatory measures may be considered in the future, as warranted.
Daithi has an excellent post discussing the ComReg proposals and their background, which I won't attempt to follow until I've had a chance to look at the proposals in more detail - but I can't help wondering whether this will now mean that the IEDR may be subject to judicial review.

Sunday, January 11, 2009

An Irish "Digital Legal Services Centre"?

The Irish Institute of European Affairs has a strong track record of hosting and promoting debate on issues around technology and law. Recent speakers have included Jonathan Zittrain, Bruce Schneier, Viviane Reding, Peter Fleischer, and Larry Sanger.

Now the IIEA has launched a report - The Next Leap: Competitive Ireland in the Digital Era (PDF) - which is full of interesting ideas aimed towards promoting Ireland as a "software and services hub".

One that struck me was the notion of establishing an Irish Digital Legal Services Centre. This, so the suggestion goes, would be:
an IFSC type development from which services such as intellectual property, rights clearance, payments, data protection, retention & privacy etc. could be provided for digital firms operating within the EMEA region.
This is a particularly good idea and in many ways is the next logical step from the early approach which the Irish government took towards promoting Ireland as an e-commerce location (particularly in the run up to the adoption of the Electronic Commerce Act 2000). It would also build on the expertise which is already developing here in servicing the Irish branches of firms such as PayPal, Ebay, Google and Microsoft.

So what could be done to promote this idea?

For a start, we would need government recognition of the importance of the Data Protection Commissioner. If Ireland is to be a credible location for online businesses it needs a data protection system which is capable of being the de facto lead regulator for multinational operations. Recent government moves (by decentralising the office to Portarlington resulting in the loss of staff and expertise and by the abortive proposals to merge the office with entirely dissimilar agencies) suggest that the government has little understanding of the importance of this role.

We would also need to see a reversal of policy in relation to data retention. The Department of Communications has repeatedly warned that government policy here will mean imposing increased costs on Irish business and reducing competitiveness - particularly where there are no provisions for cost reimbursement - but the Department of Justice has ploughed on regardless to achieve the largely mythical benefits of data retention.

Conversely, the Department of Justice has also ignored areas of Irish law where change is essential and could be achieved at relatively low cost. As I've said for a while now, Irish law on computer crime is badly in need of reform. Areas such as interception of online communications, access to stored communications and denial of service attacks are essentially unregulated - giving little protection to online businesses. Legislation in this area is long overdue and would help to promote Irish attractiveness for online business.

Another area which would benefit from (relatively cheap and easy) reform is Internet gaming. Ireland is already a hub of internet gaming sites, but still operates on the basis of laws which are obscure and outdated. The Department of Justice has already - to its credit - dealt with some of the issues involved in the report "Regulating Gaming in Ireland", but more needs to be done. It would be undesirable if the political dispute in relation to fixed odds betting terminals were to hold up reform of online gaming.

Reforming the possible liability of online intermediaries generally should also be a priority. Ireland has adopted a barebones implementation of the Electronic Commerce Directive, creating only the mandatory exemptions from liability in respect of hosting, mere conduits and caching. This compares with other jurisdictions which have created immunities for e.g. search engines and content aggregators. This narrow approach is something which worries intermediaries (UK link but Irish law is very similar) and there is a strong argument to be made for extending the hosting notice and takedown model to other intermediaries also. Failure to do so will undermine the desirability of Ireland as a location for such services.

Neil Leyden has some interesting comments / proposals in a similar vein here and here.

Saturday, January 10, 2009

Data Protection Commissioner may prosecute for spam without seeking negotiated settlement - High Court

As we've seen before ("How to be sued by space cadets") Realm Communications has been trying to stymie prosecutions being brought against it for spam. Their claim has been that the Data Protection Commissioner is under a statutory duty to seek an amicable resolution before resorting to the heavy guns of a criminal prosecution.

In the recent statutory instrument amending data protection law the Minister sought to preempt this argument for future cases, by including a provision stating that:
If of the opinion that the circumstances relating to a complaint investigated under Regulation 17 involve the commission of an offence under these Regulations, the Commissioner may bring and prosecute proceedings for the offence without attempting to bring about an amicable resolution of the complaint.
But this still left the position in doubt in respect of offences committed and prosecutions commenced before this change.

The High Court has now rejected the argument that an amicable resolution must be sought, McCarthy J. holding (according to the Irish Times report) that "the absence of resolution attempts did not erase the fact that regulations were breached". This is an unsurprising result - the legislation certainly doesn't expressly provide that there must be an attempt at settlement, and while it might be best practice to do so, a strict duty would tie the hands of the DPC (especially when dealing with repeat offenders) and would undermine the effectiveness of the criminal penalty. But though the result might have been predictable the ruling is still useful, particularly as it clarifies the position in respect of other pending prosecutions. (Edited to add: full judgment now available here.)

Wednesday, January 07, 2009

Danish censorship list leaked

Another internet censorship story which didn't get the attention it deserved over Christmas was the revelation that the blacklist operated by the Danish child pornography filtering system - all 3863 blocked URLs - was leaked on December 23 and is available in full online.

If nothing else, this (in conjunction with the Thai leak) vividly illustrates one key criticism of any internet filtering system - that the list of blocked content will inevitably leak and so facilitate access to the supposedly blocked content.

A note of caution for bloggers - the Danish list is reported to contain links to child pornography sites, meaning that linking to the list might itself be an offence under section 5 of the Child Trafficking and Pornography Act 1998. That section makes it a criminal offence to "knowingly [publish] or [distribute] any advertisement likely to be understood as conveying that ... any other person produces, distributes, prints, publishes, imports, exports, sells or shows any child pornography". Legal opinion in the UK (in relation to their similar Protection of Children Act 1978) has been that domain names and URLs might themselves constitute such illegal advertisements.

Monday, January 05, 2009

Thai censorship list leaked: RTÉ News blocked

Thailand's Ministry of Information and Communication Technology operates a secret internet censorship system, blocking access to websites deemed unsuitable for the Thai people. The list of blocked websites has now been leaked, and makes for interesting reading. Doubtless Thais will be glad to know that they are being protected from such evils as the Economist , Charlie Chaplin and Hillary Clinton's campaign videos.

Irish readers will be interested to note that one of the banned pages is from RTÉ News, even though that page merely discusses Thai blocking of YouTube and does not itself contain any content that could remotely be considered offensive.