Friday, July 03, 2009

Search engines and safe harbours

Danny O'Brien has a strong piece in today's Irish Times arguing that Irish and European law is holding back development of online businesses by imposing excessive liabilities on search engines. Here's an excerpt:
In the US, the law specifically carves out a protection against liability for "information location tools" - search engines, in other words.

It is the same sort of "safe harbour" that protects web hosting services from being sued over their customers' content and internet service providers and mobile phone companies from being penalised for making temporary caches of websites to cut down connection costs and speed up connections.

No such protection exists in Europe for search engines. However the very fact that these US search engine companies are so large and, moreover, have large subsidiaries in Europe and beyond, gives them a little more protection from midnight raids than start-ups like SurfTheChannel.

It also provides them with something of an economic advantage over any upstart European search engine.


When Bing, the new Microsoft search engine, was launched, only a few noted that its "video search" effectively embedded copyrighted content on to Microsoft's own website (try typing The Office into its video search and see what happens).

If that had been a European search engine launched by a plucky new start-up, you can bet that its lawyers would have warned them off such a feature.

This effectively means that one of the biggest selling points of Microsoft's Google competitor is out of bounds for any European contender...

Perhaps the best solution would be for individual countries in the EU to make themselves more business friendly.

The e-commerce directive already allows individual nations to carve out wider exceptions than those listed.

Countries like Spain, Portugal and Austria have all included some protection to search engines, as well as anyone providing a weblink to another website.

Perhaps Ireland could create its own "safe harbour" in national law for new internet start-ups.

That way, we could draw investment from other countries who want the benefit of being able to find what we need on the internet but are scared to alienate the vested interests who would rather choke it.
(emphasis added)
I'm in agreement with Danny and would go one step further - rather than limit a new immunity to search engines, we should extend it to other online intermediaries such as content aggregators. This 2006 report from the UK Department of Trade and Industry is a good starting point for understanding how content aggregators and others are deterred by possible liability.

Thursday, July 02, 2009

The Music Industry v. ISPs - Round 2 - UPC and BT vow to fight

Adrian Weckler has the press releases:

UPC
The company is now preparing its defence and intends to vigorously defend its position in Court...

UPC has made its position clear from the outset -- it will not agree to a request that goes beyond what is currently provided under existing legislation. There is no basis under Irish law requiring ISPs to control, access or block the internet content its users download. In addition, the rights holders' proposal gives rise to serious concerns for data privacy and consumer contract law.

Irish and European law maintains a careful balance between the rights and obligations of copyright owners, internet users and ISPs. The three strikes policy that was agreed in private with eircom as part of the settlement, and any attempt to impose it upon the industry generally, seriously undermines that balance.

It is unfortunate that the rightsholders did not take up UPC's suggestion that it convene a stakeholder forum in which their concerns could be addressed. UPC indicated that it would be willing to participate in such a forum provided all relevant parties that have a vested interest in this matter were included (eg ISPs, the Data Protection Commission, the National Consumer Agency and relevant Departments of the Government). (Emphasis added)
BT are more laconic:
BT Ireland believes there is no legal basis for such a claim and the proceedings will accordingly be strongly defended.

Tuesday, June 30, 2009

Quote of the day

Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four.
- Bruce Schneier

Thursday, June 25, 2009

Bord Gais Laptop Loss

I wrote an opinion piece for the Sunday Business Post on the recent Bord Gais laptop loss - using it as a jumping off point to argue for a data breach notification law in Ireland. Here's an excerpt:
It hasn’t been a good week for personal information. Last Tuesday, the HSE admitted that it had lost an unencrypted laptop containing sensitive information, including particular social work case notes on nine families.

Remarkably, the HSE had not reported this loss to the Data Protection Commissioner, who learned of the incident from media reports. The HSE incident was eclipsed the following day when Bord Gáis revealed that it had lost an unencrypted laptop with account details - including bank and credit card information - on 75,000 customers, exposing them to the risk of identity theft.

Unfortunately, these are not isolated incidents. In the last year alone, multiple cases have come to light: notably Bank of Ireland, which lost personal data on more than 30,000 life assurance customers; the Office of the Comptroller and Auditor General, which lost information on 380,000 social welfare recipients; and Airtricity which posted the financial details of 1,200 customers on its website for six weeks.

Why have Irish organisations been so slipshod with the information we have entrusted to them? One problem is that the bodies that hold the data suffer little direct damage if the data is lost - it is the individual, not the company, who suffers the harm. Consequently, there is little financial incentive for them to take adequate measures to protect our data.

This is compounded by a lack of transparency. Under Irish law, there is no express obligation for a company that has lost customer data to notify anyone - neither the customer nor the Data Protection Commissioner.

The result is that organisations try to cover up data breaches to save face. Consequently, if your details are leaked, it is entirely possible that the first you will know of it is when you discover that your fraudulent alter ego has enjoyed a spending spree on your credit card or run up huge debts in your name. By then, it’s too late.
More from the Digital Rights Ireland perspective here. What Irish bloggers have been saying about the Bord Gais scandal here.

Thursday, June 18, 2009

The Music Industry v. ISPs - Round 2


After their inconclusive action against Eircom, this time the music industry is suing UPC and BT. Proceedings were issued on Tuesday according to the (stupidly not hot-linkable) search facility on courts.ie. Expect the cat to be put among the pigeons shortly.

I believe that litigation demanding that ISPs monitor what their users do and/or disconnect users based on three unproven allegations is unjustified - for the reasons why, see the Digital Rights Ireland site in relation to user monitoring and three strikes.

Digital Britain and the Internet Watch Foundation

The long awaited Digital Britain Report (pdf) has stirred up a great deal of comment - particularly in relation to filesharing - though little of it complimentary. (E.g. Andres Guadamuz | Chris Marsden | Lilian Edwards | The Register.)

But one aspect of the report which has received less attention (with the notable exception of the Register) is its discussion of the Internet Watch Foundation (pp. 202-203). This is relatively short so it's worth posting in full:
Criminal Material on the Internet

64. The Internet Watch Foundation, based in Cambridge and with just 15 employees, is tasked with minimising the availability of criminal content – specifically, child sexual abuse content hosted anywhere in the world and criminally obscene and incitement to racial hatred content hosted in the UK. It works with law enforcement agencies worldwide and operates a "notice and take down" procedure in relation to content on UK sites and a list of international child abuse sites that ISPs can block at the network level. The vast majority of UK networks use this list and discussions are under way to ensure that relevant consumer networks are comprehensively covered.

65. As a result of the partnership approach adopted by the IWF, less than 1% of child sexual abuse content, known to the IWF, has been hosted in the UK since 2003, down from 18% in 1997. The IWF’s work remains invaluable to every part of the value chain in the UK’s Internet industry. And, in a world of universal availability, increasing take-up and enhanced services on the network the work of the IWF will become more and more important.

66. IWF’s current income includes a contribution from the EU Safer Internet Action Plan with the bulk being derived from voluntary membership subscriptions. Its current income equates to some £1m per annum. This voluntary structure means that there is no certainty that the level of funding received now from the EU or from its membership will continue at this level in the future. In the current economic climate a voluntary funding base carries with it increased uncertainty over funding. Whereas having secure funding would allow the IWF to consider expanding its internal skill base, especially with regard to hiring additional technical expertise and raising greater awareness amongst Internet users about their role and remit. The IWF model of self-regulation is a success and is admired internationally, but if the regulation of criminal content is not adequately funded by industry, Government would need to consider statutory intervention. We therefore call on the IWF membership to propose a more secure funding model for the future.

67. The IWF has also been a model for international hotlines for reporting child abuse material, especially across the EU. Some operators already use its list of illegal sites internationally. Since most child abuse material originates outside the EU, there is a case for its operations to cover at least the whole of the EU. We will therefore explore with the IWF and the European Commission the scope for a pan-European model with commensurate funding.
What to make of this discussion? First, it's noticeably uncritical. For example, the claim that the "IWF model ... is a success and is admired internationally" simply ignores the criticisms that have been voiced of the IWF model by observers such as Lilian Edwards, Frank Fisher, Richard Clayton (pdf) and others.

In part, this flows from a second problem with the report - it doesn't differentiate between the role of the IWF in dealing with illegal material hosted in the UK (which is generally regarded as successful) and its role in providing a blacklist against which ISPs can/must filter (a much more controversial and ineffective endeavour). By conflating the two it attempts to use the success of the hosting remit to justify expansion of the very different filtering remit.

Third, the report - by referring to exploring "a pan-European model" - appears to be unaware of the fact that there are already proposals at an EU level for internet filtering. In fact, far from exporting the IWF model to Europe those proposals - by requiring the involvement of "judicial or police authorities" and "adequate safeguards ... to ensure that the blocking is limited to what is necessary, that users are informed of the reason for the blocking and that content providers are informed of the possibility of challenging it" - would if adopted require the IWF model to be entirely rebuilt.

Overall, therefore, the report's analysis of the IWF is quite flawed - undermining the recommendations it makes in respect of funding. It will be interesting to see how IWF members respond.

Incidentally, it's also been a busy week elsewhere in Europe in relation to internet filtering as proposed German legislation to require blocking of child pornography appears to be agreed between the main parties.

Monday, June 15, 2009

A must see - Tony Bunyan comes to Dublin

Tony Bunyan is one of the stalwarts of the civil liberties movement in the UK and Europe. As a journalist, writer and founder of Statewatch he's been at the very forefront of monitoring what governments and the European Union have been doing in our name (but without our knowledge). The Irish Council for Civil Liberties is bringing him to Dublin next Saturday (20th June) to talk about his new report, "The Shape of Things to Come" - and I can't recommend this event highly enough to anyone interested in law, technology and civil liberties. It will be held in The Blue Room, Law Society of Ireland, Blackhall Place, Dublin 7 (map) at 3.30pm. The talk is free but spaces are limited so if you'd like to go, contact Joanne Garvey (Tel: 01-7994504 or E-mail: info@iccl.ie) to ensure a place.

Update: The Irish Times has a report from the talk.

Tuesday, June 02, 2009

Computers, Freedom & Privacy 2009

I'm lucky enough to be at Computers Freedom & Privacy 2009, which has just started in George Washington University with an opening talk from Susan Crawford. She's been appointed as Special Assistant to the President for Science, Technology, and Innovation Policy, and her talk (and the hosting of CFP in Washington this year) reflects a buzz of excitement here about the new administration and the possibility for change in technology and privacy policy.

Video of most of the conference proceedings is being streamed live online. There's also a twitter feed at #cfp09 and an event blog.