Tuesday, July 28, 2009

Sutherland Institute v. Continuative: Is it time to take the U out of UDRP?

OUT-LAW has a good report of the WIPO panel decision in Sutherland Institute v. Continuative LLC - a decision which by focusing on the location of the parties makes me wonder whether it's misleading to describe the UDRP as a "Uniform" Dispute Resolution Policy.

On the face of it this was a relatively straightforward case. The complainant was a right-wing Utah think tank hosted at SutherlandInstitute.org while the respondent set up a parody site at SutherlandInstitute.com. A screengrab of a portion of both pages shows the difference:

Despite the fact that the respondent did not defend the proceedings, the panelist found in their favour, holding that it had not been established that they had registered and used the domain "in bad faith" as required by the UDRP. This isn't of itself a surprising outcome, but it's the reasoning underpinning this conclusion which I find interesting. The key passage is this:
Because this proceeding involves political speech that is strongly protected under the U.S. Constitution, the Panel will not in these proceedings involving two U.S. parties attempt to identify bad faith elements that are not specifically enumerated in the Policy. If the right of political speech is to be interfered with based upon Complainant’s service mark incorporated in Respondent’s disputed domain name, it is preferable that a federal or state court make that application of the concept of “bad faith”.
This passage relies on the fact that the parties are both US based to apply US law. As such it takes advantage of rule 15(a) of the UDRP which gives a panel a remarkably wide discretion to decide claims based on "any rules and principles of law that it deems applicable". This has often been used by panelists to apply domestic rules of law where the parties are both from the same jurisdiction - to the extent that the Berkman Center's excellent Analysis of UDRP Issues assumes this to be the norm. Indeed, this practice is supported by paragraph 176 of the WIPO Final Report which led up to the adoption of the UDRP, which states:
In applying the definition of abusive registration given above in the administrative procedure, the panel of decision-makers appointed in the procedure shall, to the extent necessary, make reference to the law or rules of law that it determines to be applicable in view of the circumstances of the case. Thus, for example, if the parties to the procedure were resident in one country, the domain name was registered through a registrar in that country and the evidence of the bad faith registration and use of the domain name related to activity in the same country, it would be appropriate for the decision-maker to refer to the law of the country concerned in applying the definition.
Against this, however, is a strong body of opinion which argues that national law should not be imported into the UDRP - that to do so will lead to a lack of uniformity and to inconsistent outcomes. For example, in McMullan Bros & Maxol v. Web Names, the panelist ruled that:
5.10 Paragraph 15(a) of the Rules requires a Panel to make its decision "in accordance with the Policy, these Rules and any rules and principles of law that it deems applicable." This might justify applying the without prejudice doctrine in this case, but the Panel is unconvinced. The Policy provides an international procedure for international application by a panel comprising panelists who may come from a jurisdiction unconnected with either party. To import a national rule simply because both parties come from the same jurisdiction may result in similar cases being decided in a different manner dependant upon geographical accident. This is a conclusion that this Panel finds inherently unattractive. At times resort to national law may be unavoidable (for example when determining the existence of a trademark recognised by the Policy), but the Panel sees no reason for doing so in this case.
Similarly Wotherspoon & Cameron argue that:
The UDRP was developed by reference to the status of national laws and international treaties. In our view, it already reflects a somewhat harmonized version of these laws. The practice of referring to territorial laws undermines a central purpose of the UDRP — to provide a uniform mechanism for resolution of domain name disputes in the face of the borderless nature of the Internet. By continuing to refer to national laws, Panels will reinforce jurisdiction specific intellectual property rights and undermine the goal of a global uniformity in resolving domain name disputes.
This clash of views highlights an unresolved tension within the UDRP as to how to deal with choice of law issues. There is an obvious attraction in the use of national law where a matter is very closely connected with one jurisdiction. But doing so - even if permitted by the UDRP - does run the risk of eroding its "uniform" nature. Also, this growing practice adds an extra layer of complexity to UDRP proceedings - forcing parties to address choice of law issues as well as the substance of any claim - and may also result in registrants and trademark holders gaming the system by choosing to establish themselves in the jurisdictions which they see as most friendly to their side.

Gerald Levine has more, including an interesting discussion of an alternative choice of law approach under the UDRP.

Friday, July 17, 2009

Bill published to transfer RegTel premium rate functions to Comreg

I've posted before (1|2) about some of the problems in regulation of premium rate services in Ireland and in particular the difficulties presented by the role of RegTel, the non-statutory industry regulatory body, due to its lack of legislative powers. (More on RegTel from Daithi | Eoin.) As noted in those posts, the Minister for Communications some time ago committed himself to introducing legislation which would transfer RegTel's functions to ComReg.

That legislation has now emerged, in the form of the Communications Regulation (Premium Rate Services) Bill 2009. According to the explanatory memorandum, the purpose of the Bill is to provide for:
• the transfer of the function of regulating premium rate services to the Commission for Communications Regulation, hereinafter called the Commission.
• the licensing of premium rate services by the Commission.
• offences, penalties and rights of appeal in relation to the regulation of premium rate services.
• the funding of expenses incurred by the Commission in exercise of its regulatory functions.
• the transfer of staff and responsibility for certain legal proceedings, respectively, from Regtel to the Commission.
• compliance by the Commission with the same obligations in relation to Ministerial directions, reporting and accountability responsibilities in respect of premium rate services as it has in respect of electronic communications and postal services.
Key elements here are the introduction of a licence to provide premium rate services and the creation of a range of criminal offences including acting without a licence and overcharging / charging for services which were not requested.

More from the Irish Times | Siliconrepublic.

(I'm a bit late blogging this story - I lost sight of this Bill in the flurry of legislative activity during the run up to the summer vacation, particularly the rushing through of the Criminal Justice (Surveillance) Act 2009 and the introduction of the Communications (Retention of Data) Bill 2009. More on these anon.)

Wednesday, July 08, 2009

Eircom hacking shows flaws in Irish computer crime law

Today's Irish Times has a report of an apparent denial of service attack against Eircom:
MANY OF Eircom’s 500,000 internet subscribers have been left offline or experienced delays in web browsing at times this week because of a suspected attack by hackers.

Some customers who tried to connect to popular sites such as RTÉ, Facebook or Bebo were redirected to incorrect websites, often displaying images of advertising or scantily clad women.

The company blamed the problems on “an unusual and irregular volume of internet traffic” directed at its website, which affected the systems and servers that provide access to the internet for its customers.

Internet discussion groups speculated that the problems were caused by a hacker accessing Eircom’s domain name server (DNS) system through a denial-of-service attack.

This involves a target site being saturated with messages and requests to the point it can no longer function properly.
I've said it before but it's worth repeating: Irish law does not adequately deal with computer crime at the moment (with denial of service attacks being one of many areas left without adequate sanctions) and legislation to implement the Cybercrime Convention and the Framework Decision on Attacks Against Information Systems is now long overdue.

Here's an excerpt from a chapter I wrote in Reich (ed.), Cybercrime and Security discussing the uncertain Irish law on denial of service attacks:
Whether or not such an attack would amount to an offence under Irish law will vary depending on the precise structure of the attack.

For example, suppose that A sets out to harm B by sending several million emails to B’s server. The effect is not only to use up B’s bandwidth but also to use his disk capacity. In this case, it might be possible to charge A with criminal damage under section 2 of the Criminal Damage Act 1991, on the basis that A has damaged B’s data within the meaning of section 1 by adding to it without lawful excuse.

This result is supported by the English decision in DPP v. Lennon. In that case the defendant was a 16 year old who took umbrage at the circumstances of his dismissal and sent five million emails to his former employer with the expressed intention of “causing a bit of a mess up”. He was charged with unauthorised modification to a computer system with intent to impair the operation of the computer, contrary to section 3(1) of the Computer Misuse Act 1990 (the equivalent provision to section 2 of the Criminal Damage Act 1991). His defence was that the company had implicitly consented to receiving emails and as such he had not made unauthorised modifications. Although the trial judge accepted this argument, on appeal the Divisional Court held that any implied consent did not extend to emails sent for the purpose of disrupting the system. Per Jack J.:
“I agree, and it is not in dispute, that the owner of a computer which is able to receive emails is ordinarily to be taken as consenting to the sending of emails to the computer. His consent is to be implied from his conduct in relation to the computer. Some analogy can be drawn with consent by a householder to members of the public to walk up the path to his door when they have a legitimate reason for doing so, and also with the use of a private letter box. But that implied consent given by a computer owner is not without limit. The point can be illustrated by the same analogies. The householder does not consent to a burglar coming up his path. Nor does he consent to having his letter box choked with rubbish. That second example seems to me to be very much to the point here. I do not think that it is necessary for the decision in this case to try to define the limits of the consent which a computer owner impliedly gives to the sending of emails. It is enough to say that it plainly does not cover emails which are not sent for the purpose of communication with the owner, but are sent for the purpose of interrupting the proper operation and use of his system.”
However, if the facts of a denial of service attack are varied slightly then criminal damage may no longer be an appropriate charge. Suppose for example that C sets out to hinder access to D’s publicly available website, and does so by programming several computers to repeatedly download large pages from the site. The result is to use up D’s bandwidth and ensure that other users cannot get through to the site, though the server itself continues to function. What crime, if any, has been committed?

In this case C would not have damaged D’s data (assuming that C downloaded data only and did not make any modifications to the data on the server). It might be argued that C has committed criminal damage to the server itself given the extended definition of “damage” under section 1, which includes situations where a person “whether temporarily or otherwise, render[s] inoperable or unfit for use or prevent[s] or impair[s] the operation of” property.

Such a charge would, however, present some difficulties. It might be successful if the effect of a denial of service attack was to cause the server to crash – that temporary inoperability would certainly seem to constitute damage within the meaning of section 1. In the hypothetical above, however, C has not rendered the server inoperable but merely inaccessible – which would seem to fall outside the scope of the criminal damage offence.

On the other hand, using the reasoning in DPP v. Lennon it might be possible to characterise the attack as unauthorised access contrary to section 5 of the Criminal Damage Act 1991. The argument could be made that while public websites carry with them an implied permission to access the site, this permission does not (to use the words of Jack J.) cover visits which are for “the purpose of interrupting the proper operation and use of [the] system”, so that such a visit would constitute operation of the server with intent to access data without lawful excuse.

Friday, July 03, 2009

Search engines and safe harbours

Danny O'Brien has a strong piece in today's Irish Times arguing that Irish and European law is holding back development of online businesses by imposing excessive liabilities on search engines. Here's an excerpt:
In the US, the law specifically carves out a protection against liability for "information location tools" - search engines, in other words.

It is the same sort of "safe harbour" that protects web hosting services from being sued over their customers' content and internet service providers and mobile phone companies from being penalised for making temporary caches of websites to cut down connection costs and speed up connections.

No such protection exists in Europe for search engines. However the very fact that these US search engine companies are so large and, moreover, have large subsidiaries in Europe and beyond, gives them a little more protection from midnight raids than start-ups like SurfTheChannel.

It also provides them with something of an economic advantage over any upstart European search engine.

When Bing, the new Microsoft search engine, was launched, only a few noted that its "video search" effectively embedded copyrighted content on to Microsoft's own website (try typing The Office into its video search and see what happens).

If that had been a European search engine launched by a plucky new start-up, you can bet that its lawyers would have warned them off such a feature.

This effectively means that one of the biggest selling points of Microsoft's Google competitor is out of bounds for any European contender...

Perhaps the best solution would be for individual countries in the EU to make themselves more business friendly.

The e-commerce directive already allows individual nations to carve out wider exceptions than those listed.

Countries like Spain, Portugal and Austria have all included some protection to search engines, as well as anyone providing a weblink to another website.

Perhaps Ireland could create its own "safe harbour" in national law for new internet start-ups.

That way, we could draw investment from other countries who want the benefit of being able to find what we need on the internet but are scared to alienate the vested interests who would rather choke it.
(emphasis added)
I'm in agreement with Danny and would go one step further - rather than limit a new immunity to search engines, we should extend it to other online intermediaries such as content aggregators. This 2006 report from the UK Department of Trade and Industry is a good starting point for understanding how content aggregators and others are deterred by possible liability.

Thursday, July 02, 2009

The Music Industry v. ISPs - Round 2 - UPC and BT vow to fight

Adrian Weckler has the press releases:

The company is now preparing its defence and intends to vigorously defend its position in Court...

UPC has made its position clear from the outset -- it will not agree to a request that goes beyond what is currently provided under existing legislation. There is no basis under Irish law requiring ISPs to control, access or block the internet content its users download. In addition, the rights holders' proposal gives rise to serious concerns for data privacy and consumer contract law.

Irish and European law maintains a careful balance between the rights and obligations of copyright owners, internet users and ISPs. The three strikes policy that was agreed in private with eircom as part of the settlement, and any attempt to impose it upon the industry generally, seriously undermines that balance.

It is unfortunate that the rightsholders did not take up UPC's suggestion that it convene a stakeholder forum in which their concerns could be addressed. UPC indicated that it would be willing to participate in such a forum provided all relevant parties that have a vested interest in this matter were included (eg ISPs, the Data Protection Commission, the National Consumer Agency and relevant Departments of the Government). (Emphasis added)
BT are more laconic:
BT Ireland believes there is no legal basis for such a claim and the proceedings will accordingly be strongly defended.