Friday, September 25, 2009

JC Decaux should backpedal on iPhone app threat

I'm quoted in today's Irish Times on the threats made by JC Decaux against Fusio resulting in their taking down their Dublin Bikes App.

Leave aside for a moment the PR stupidity of this strategy.

Ignore if you will the dubious legal basis of their claim. (Without going into the finer points of copyright in facts, database rights, clickwrap agreements or possible passing off, the vague nature of their complaint - "Following our conversion, I confirm that you do not have the rights to use the information published on the web site In particular the data concerning the stations is the property of JCDecaux and cannot be used without our prior authorisation" - makes it clear that they have little idea what they are talking about.)

Think instead about the issue of principle. A body which is operating in partnership with Dublin City Council is attempting to stop an Irish company from providing - free of charge - facts to the public about the service which they offer, without giving any justification for doing so, and without offering an alternative of their own. (I'm happy to see that at least some of our politicians understand the absurdity of this.)

I spoke to the press office in Dublin City Council today, who made it clear that they regard this matter as nothing to do with them. But why not? DCC were happy to work with Fusio to develop the app. Is there no provision in their contract with JCD establishing an obligation to provide information to the public about the service? Will they make sure that future contracts address this type of situation? (And - while I'm on the topic of the contract - why does JCD own the domain Is there any provision in the contract for the domain to revert to DCC on its expiry?)

Tuesday, September 15, 2009

Ryanair screen scraping: New litigation

I've blogged before about Ryanair's case against Travelfusion and Bravofly in respect of screen scraping. According to RTE News, this case has now been joined by a fresh set of proceedings in the High Court by Ryanair against Ticketpoint, Reisebuero and Billigfluege, alleging that they are using screen scraping to resell Ryanair tickets at higher prices.

According to the news report, Ryanair is complaining that the three companies are "applying a service charge and credit card charges to the prices". I wonder who they got that idea from?

Thursday, September 03, 2009

Lori Drew decision published - Breach of terms of use as a criminal offence

When Lori Drew was prosecuted for bullying via MySpace which led to the suicide of Megan Meier many people were worried about the prosecution theory of the case. The basis of the charge was not the bullying itself but rather that by failing to comply with MySpace's terms of use Lori Drew had committed an offence of unauthorised access to a computer. If accepted, this theory would have criminalised failure to abide by terms of use - terms which most users never read and which are often vague and imprecise in their scope - and effectively permitted site owners to provide that a breach of their rules would now be a crime. As Andy Grossman put it, the effect would be that "every site on the Internet gets to define the criminal law. That’s a radical change. What used to be small-stakes contracts become high-stakes criminal prohibitions."

Consequently there was some relief two months ago when the trial judge indicated that he would quash the jury's guilty verdict, but his short oral statement of reasons on that day didn't go into detail as to why the prosecution case was flawed. The full written judgment has now been published, and shows that the trial judge applied the void for vagueness doctrine to find that a prosecution based on simple breach of terms of use would not give fair warning to users as to what actions might be criminal and would criminalise vast numbers of users without providing even minimal guidelines to govern prosecutions.

Would a similar result be reached in Ireland? The position is complicated slightly by the peculiar wording of the relevant offence - which speaks of "access without lawful excuse" rather than "unauthorised access" - but the same underlying principles would apply. The domestic caselaw - in particular King v Attorney General [1981] IR 223 - has established the proposition that the ingredients of an offence must be set out with precision and clarity and this has since been reinforced by ECHR jurisprudence requiring accessibility and foreseeability in criminal offences (e.g. CR v. United Kingdom). In light of those principles, it seems likely that the Irish courts would follow the reasoning in the Lori Drew case.

Some key portions of that ruling are worth quoting:
If a website’s terms of service controls what is “authorized” and what is “exceeding authorization” - which in turn governs whether an individual’s accessing information or services on the website is criminal or not, section 1030(a)(2)(C) would be unacceptably vague because it is unclear whether any or all violations of terms of service will render the access unauthorized, or whether only certain ones will.

For example, in the present case, MySpace’s terms of service prohibits a member from engaging in a multitude of activities on the website, including such conduct as “criminal or tortious activity,” “gambling,” “advertising to . . . any Member to buy or sell any products,” “transmit[ting] any chain letters,” “covering or obscuring the banner advertisements on your personal profile page,” “disclosing your password to any third party,” etc... The MSTOS does not specify which precise terms of service, when breached, will result in a termination of MySpace’s authorization for the visitor/member to access the website.
By utilizing violations of the terms of service as the basis for the... crime, that approach makes the website owner - in essence - the party who ultimately defines the criminal conduct. This will lead to further vagueness problems. The owner’s description of a term of service might itself be so vague as to make the visitor or member reasonably unsure of what the term of service covers. For example, the MSTOS prohibits members from posting in “band and filmmaker profiles . . . sexually suggestive imagery or any other unfair . . . [c]ontent intended to draw traffic to the profile.”

Moreover, website owners can establish terms where either the scope or the application of the provision are to be decided by them ad hoc and/or pursuant to undelineated standards. For example, the MSTOS provides that what constitutes “prohibited content” on the website is determined “in the sole discretion of . . . .” Additionally, terms of service may allow the website owner to unilaterally amend and/or add to the terms with minimal notice to users.
Because terms of service are essentially a contractual means for setting the scope of authorized access, a level of indefiniteness arises from the necessary application of contract law in general and/or other contractual requirements within the applicable terms of service to any criminal prosecution.
Treating a violation of a website’s terms of service, without more, to be sufficient to constitute “intentionally access[ing] a computer without authorization or exceed[ing] authorized access” would result in transforming section 1030(a)(2)(C) into an overwhelmingly overbroad enactment that would convert a multitude of otherwise innocent Internet users into ... criminals... If any conscious breach of a website’s terms of service is held to be sufficient by itself to constitute intentionally accessing a computer without authorization or in excess of authorization, the result will be that section 1030(a)(2)(C) becomes a law “that affords too much discretion to the police and too little notice to citizens who wish to use the [Internet].”
Eric Goldman has analysis of the decision and its implications for legal responses to cyberbullying - suggesting that the decision is likely to encourage lawmakers to introduce new offences of online harassment.