Monday, December 28, 2009

Reform of search warrants must take electronic searches into account

The Law Reform Commission has just published a consultation paper on search warrants and bench warrants. In relation to search warrants it points out there is currently a bewildering array of statutory provisions (over 100 different Acts and Regulations) which deal with searches, with different procedures to be followed and different powers of search and seizure in each case. The consultation paper aims, amongst other things, to rationalise the law in this area, and seeks to put in place a single statutory framework.

Surprisingly, though, the consultation paper has almost nothing to say about searches of computers and data. In fairness, it does note that there are some existing (rather patchy) provisions which specifically deal with computer searches - such as the power to require passwords in s.48 of the Criminal Justice (Theft and Fraud Offences) Act 2001. It also makes a very brief reference to the need for specialist forensic examination of seized computers. However, it fails to consider any of the difficulties which have emerged when traditional norms are applied to data, much less current proposals which would fundamentally rewrite the law in this area.

To take just a few examples: there is no recognition of the vast quantities of personal data which are often stored on computers, making searches particularly privacy-invasive in a way which is not generally true elsewhere. On a similar note, the consultation paper fails to recognise that the effect of seizing a computer and data can often be to shut down a business or to seriously disrupt an individual's life, and that this can often be mitigated by returning a copy of the seized data. There's no analysis of how extensive searches of data should be - if, for example, a computer is seized on suspicion of fraud offences, should it be permissible to automatically scan the hard drive to detect possible child pornography images? (These and many other issues have been extensively analysed by Orin Kerr in several excellent articles, including Search Warrants in an Era of Digital Evidence and Searches and Seizures in a Digital World.) Similarly, there's no mention of so-called remote searches (police hacking into computers at a distance), despite the fact that these have been the subject of recent EU proposals.

These and other issues will have to be addressed if the Law Reform Commission analysis is to deal with computer searches adequately in a way which protects privacy - if you're interested in bringing any of these issues to their attention, you can email them at info@lawreform.ie or make a submission via snail mail using the details on this page.

Sunday, December 27, 2009

Temple Street Hospital holding a de facto national DNA database?

Today's Sunday Times reports that the Temple Street Children's Hospital has kept blood samples of almost every newborn in the country since 1984 - without the consent or knowledge of their parents - and has kept those samples indefinitely. The details are remarkable:
A DUBLIN hospital has built a database containing the DNA of almost every person born in the country since 1984 without their knowledge in an apparent breach of data protection laws.

The Children’s University hospital in Temple Street is under investigation by the Data Protection Commissioner (DPC) since The Sunday Times discovered it has a policy of indefinitely keeping blood samples taken to screen newborn babies for diseases.

Unknown to the DPC, the hospital has amassed 1,548,300 blood samples from “heel prick tests” on newborns which are sent to it for screening, creating, in effect, a secret national DNA database. The majority of hospitals act on implied or verbal consent and do not inform parents what happens to their child’s sample.

The blood samples are stored at room temperature on cards with information including the baby’s name, address, date of birth, hospital of birth and test result. The DPC said it was shocked at the discovery.

On four occasions the hospital has allowed scientists from a university and other hospitals to access the Newborn Screening Cards (NSCs) for research purposes. This was done on the basis of anonymity but without the consent of parents and followed approval by the hospital’s ethics committee.

The DPC is now engaged in urgent discussions with the hospital, the Health Service Executive (HSE) and the Department of Health to force the hospital to comply with data protection legislation by January. The DPC could order the destruction of the records if it is not satisfied the hospital is taking the necessary actions.

“Clearly it is a matter of significant concern to us that holding data of this nature containing sensitive health details of such a significant portion of the population appears to have operated without taking account of data protection requirements,” said Billy Hawkes, the DPC commissioner.

“The issue of the justification for the holding of the blood samples for any period beyond that which is necessary to perform the initial blood test will have to be considered as part of this office’s investigation of this matter. At present the position would appear to be that there is no consent from parents for the information to be held at all.”
Similar de facto databases have been created in this accidental manner in other jurisdictions - in Australia and New Zealand for example - where they have been extremely controversial and have had safeguards imposed. In Western Australia, police began to use these databases without consent in criminal investigations, causing hospitals to destroy existing databases and to change medical practice to store samples for a two year period only. In New Zealand, meanwhile, the practice is that parents are fully informed as to the purpose for which samples are taken and stored, and have the right to have the sample returned to them once the testing is completed, and the privacy implications of this database are currently under review.

In light of these controversies elsewhere, the lack of informed consent and the fact that there is no legal basis for the heel prick tests (a point confirmed in North Western Health Board v. HW and CW) it's hard to see how Temple Street could have believed that it was entitled to hold onto these samples indefinitely - and it is remarkable that this point appears to have been missed by the ethics committee on four separate occasions.

Thursday, December 10, 2009

Consultation Paper on Electronic Evidence to be published today

The Law Reform Commission will be publishing a Consultation Paper on Documentary and Electronic Evidence today. The Irish Times has a summary of the contents:
The LRC states that in general there should be no difference between the rules concerning manual or computer-generated documents and records; all business records, whether manual or computer-generated, should in general be presumed to be admissible and that the Bankers’ Books Evidence Act 1879, which allows banking records to be admitted as evidence in court, should be updated and extended to apply to records from all financial institutions.

For mechanically generated recordings, such as videos or CCTV, it should be clarified that any defects in their quality should not rule them inadmissible but should be simply a question of the weight given to the recording.

It also recommends that an expert group be established to develop standards and guidelines for the verification of electronic and digital signatures, and that the existing law which presumes that “public documents” are admissible should be updated, because much of the relevant legislation predates the foundation of the State.

Tuesday, December 08, 2009

Hosting defence applies to user comments: English High Court

In a significant decision, Karim v. Newsquest Media Group, Eady J. has accepted that online newspapers can rely on the E-Commerce Directive hosting defence in respect of user comments, meaning that they should generally be exempt from liability in respect of those comments provided that they take them down when notified that they are potentially defamatory.

The plaintiff in this case was a solicitor who had been struck off following mishandling of client funds. The defendant's websites reported the proceedings before the Disciplinary Tribunal in an article titled "Crooked solicitors spent client money on a Rolex, loose women and drink", and a number of users made further allegations about the plaintiff in the comments attached to the article. The plaintiff took exception to both the article itself and the user comments and issued proceedings against the defendant without prior notice. On receiving the proceedings, the defendant took down the article and comments the same day.

The plaintiff's case comprised two components - the article and the attached user comments - and the defendant applied for summary judgment in respect of both.

As regards the article, the court had no difficulty in finding that it was covered by absolute privilege as a fair, accurate and contemporaneous report of legal proceedings under s.14 of the Defamation Act 1996, and that portion of the claim was struck out.

As regards the user comments, the defendant argued that it was protected by the hosting defence, as transposed into UK law by Regulation 19 of the Electronic Commerce (EC Directive) Regulations of 2002. This provides:
Where an information society service is provided which consists of the storage of information provided by a recipient of the service, the service provider (if he otherwise would) shall not be liable for damages or for any other pecuniary remedy or for any criminal sanction as a result of that storage where -

(a) the service provider -

(i) does not have actual knowledge of unlawful activity or information and, where a claim for damages is made, is not aware of facts or circumstances from which it would have been apparent to the service provider that the activity or information was unlawful; or

(ii) upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information, and

(b) the recipient of the service was not acting under the authority or the control of the service provider.
Although no authority was cited on this point, Eady J. stated that he was "quite satisfied" that the defendants could rely on this defence, going on to hold that the users were not acting under the "authority or control" of the defendant. This portion of the claim was therefore struck out also.

This appears to be the first time that an English court has dealt with this question, though it reaches the same result as the Irish decision in Mulvaney v. Betfair (t/a The Sporting Exchange).

As with that decision, it is good news for online publishers dealing with user-generated content, suggesting that the courts will adopt a wide interpretation of the hosting defence. But as with Mulvaney v. Betfair, it might be unwise to celebrate yet. This is a first instance decision (albeit a decision of one of the most prominent judges in this field) and was based on the arguments of one side only. It does not consider the arguments which might be put forward to limit the hosting defence, and rather glosses over the question of whether posters in a moderated forum could be said to be acting under the authority or control of the host.

Experience from the US has shown that online immunities tend to be extensively challenged as plaintiffs seek to work around them. Section 230 of the Communications Decency Act has, in particular, been repeatedly litigated and occasionally evaded by plaintiffs. (Eric Goldman analyses some of the approaches taken by plaintiffs: 1|2|3.) It's safe to say that similar challenges to the hosting immunity are likely in Europe until such time as the European Court of Justice issues a definitive interpretation of its scope.

(Via The Register)

EU guidance on unfair commercial practices - confirms rules apply to social networking, blogs

The Commission has just published a lengthy working document (PDF) with guidance on the application of the Unfair Commercial Practices Directive. This confirms that the Directive applies to blogs and social networking sites and gives some examples of banned practices - such as the use of fake comments or "astroturfing":
Social media, which include blogs, social networking sites, have become important avenues for commercial practices, especially hidden ones. They are sometimes used by traders to promote and advertise their products.

For example, several Member States have reported that cosmetic companies have paid bloggers to promote and advertise their products on a blog aimed at teenagers, unbeknownst to other users. In such cases, the authorities considered that the bloggers concerned were engaging in hidden commercial practices.

Unfair commercial practices may also occur on price comparison websites. An obvious case is when an online price comparison service belongs to or is linked to a trader and is used to advertise its products. For example, the site "quiestlemoinscher.com" (literally "whoisthecheapest.com"), a grocery price comparison service created by a major French supermarket company, was considered by French courts to be a trader's website and a tool for comparative advertising...

[T]he Directive tackles the particular situation of "hidden" traders or traders representing themselves as consumers. Under Annex I of the Directive (the "black list"), the following practice is prohibited in all circumstances: Falsely claiming or creating the impression that the trader is not acting for purposes relating to his trade, business, craft or profession, or falsely representing oneself as a consumer.

For example, "hidden" traders may be:
– a hotel website including flattering comments supposedly by consumers which are actually drafted by the hotel owner;
– a bookshop advertising its "customers' choice" books where customers have never been consulted and the choice is made by the bookseller.
Of course, none of this should come as any surprise to Irish readers. The Directive was implemented in Ireland by the Consumer Protection Act 2007, and both Daithi and Damien had good posts around that time pointing out that the Act would prohibit businesses from posing as consumers or (covertly) paying bloggers to post about them.

Responsibility for enforcing the Consumer Protection Act lies with the National Consumer Authority. Given how common fake comments have become, I'm surprised that they haven't put out any guidance on this topic. It may be that it will take a complaint from an annoyed blogger (is there any other type?) or forum moderator before they take any action in this area.

Incidentally, it must be said that the approach taken by the Directive and national law (which is limited to paid posts or "advertorials") is much more sensible than the approach which the FTC has taken in the United States, where it now requires bloggers and twitterers to post details of any supposed conflict of interest - even a review copy of a book! - on pain of a $11,000 fine. Jack Shafer has more on the FTC rules (PDF).

Monday, December 07, 2009

Time for national steps to tackle cybercrime

The Irish Times has a good report of the recent IRISS Conference on Cybercrime. The comments of Paul Gillen were particularly interesting:
Det Insp Paul Gillen, head of the Garda computer crime investigation unit, said he was very concerned about the possibility of distributed denial-of-service attacks against Irish sites.

"I’m scared that Ireland will suffer what Estonia suffered," he said, referring to incidents in April and May 2007 when many Estonian government websites and critical systems were taken offline. "Ireland’s capability to react to something like that would worry me," said Det Insp Gillen...

Despite newspaper reports and regular warnings from banks, the phishing problem has got worse, added Det Insp Gillen. "We still have people who are willing to sit down and give their user name and password and are willing to write 100 PIN numbers from a code card that the bank gave them – and then they’ll go back to check they’re the right ones," he said. "Somewhere along the way, we’re obviously failing at getting the information out to the general public to make them more aware of hi-tech crime."

According to Det Insp Gillen, phishing scams usually happen in four stages: the hack is performed to infiltrate a person’s PC and steal their login details, or else the victim is tricked into revealing their pass codes by an e-mail that seems to have been sent by their bank. Criminals then gain access to the person’s bank account over the internet and use the codes to transfer money to an account in another part of the country.

Gangs then use "money mules" – other people who withdraw funds from ATMs. "The money mule is the first person to raise their head above the trench to have the back of their collar grabbed,” said Det Insp Gillen, who said gardaí have had some success stopping this.

"Everyone in this structure receives a percentage of the take in the crime," he said. "We’re dealing with highly organised crime here. The only way we’re in a position to deal with it is if IT security professionals, academics, law enforcement and a Cert join into a community to develop a task force, because everyone has information that could be a piece of evidence."
So what is currently being done to deal with the problems identified at the conference?

One promising development took place in August when the Minister for Communications announced that a report outlining a national cyber security strategy would be in place by the end of the year. (According to the Press Office in Communications, the report is currently being finalised.)

On the legislative front, however, the picture is gloomier. Irish law still has no general offence to deal with denial of service attacks (PDF) or online interception, and implementation of the Cybercrime Convention and the Framework Decision on Attacks Against Information Systems is long overdue.

There is a Criminal Justice (Cybercrime and Attacks against Information Systems) Bill on the legislative agenda - but there's no date given for when we might see a draft. Given that we were initially promised implementing legislation in 2003 (PDF, p.25) and again in 2006, one might be forgiven for being sceptical as to whether any reform of the law relating to cybercrime will take place in the lifetime of this Government.

Wednesday, December 02, 2009

Software development agreement did not transfer copyright

OUT-Law have a report of an interesting recent English case - Infection Control Enterprises Limited v Virrage Industries Limited and Aidan Cartwright [2009] EWHC 2602 (QB) - concerning ownership of commissioned software which was intended for resale by the client. As is increasingly the trend, the client didn't succeed in their claim that there was an implied term that they would acquire the copyright.

I discussed the legal issues involved in these types of cases in a 2007 article in the Journal of Intellectual Property Law & Practice - "Copyright in Custom Code: Who Owns Commissioned Software?" Fortunately this decision doesn't appear to have proved me wrong.

Thursday, November 19, 2009

Telenor Pirate Bay blocking decision - English translation

In an important (but surprisingly poorly publicised) decision two weeks ago a Norwegian court dealt a blow to music industry attempts to force ISPs to police their users, holding that Telenor was under no obligation to block access to The Pirate Bay. An English translation of that decision is now available (PDF link) and makes interesting reading. One particularly significant portion of the ruling stresses that it is not appropriate to assign a censorship function to private entities, and that if filtering is to be required then legislation would be necessary:
If the plaintiffs' claim is heard, this will, in the court's view, give a situation difficult to handle in practice. Reference is made to the fact that the content on The Pirate Bay, and also other websites, can be changed and is in fact constantly being changed. The court further states that Telenor as an Internet provider does not have a duty to monitor or investigate what Internet is used for, so that the Internet providers must be notified of alleged illegal actions. Thus, Telenor and other Internet providers, as private companies, must assess whether or not to stop a relevant website or service. This task normally belongs to public authorities, and the court finds that in the present situation, it is unnatural to assign such responsibility to private companies. If this solution is to be chosen, a closer study will be required. As we have been informed, the Ministry of Culture and Church Affairs has already initiated a legislation process on these matters.

Saturday, November 14, 2009

BT Ireland caves in on "three strikes" demands?

According to today's Irish Times the music industry's litigation against BT Ireland has been settled. Terms of the agreement weren't revealed, but my assumption would be that BT have agreed to implement a three strikes system for disconnecting users accused of filesharing, following the Eircom model. Surprisingly however there hasn't yet been a press release from IRMA or BT. Does anyone have more information?

Edited to add: Thanks to the anonymous commenter for pointing out that this simply follows BT's deal to move its consumer division to Vodafone.

Sunday, November 08, 2009

Irish law on hacking tools / dual-use software

In my last post I mentioned the iPhone dessid app which generates WEP keys from the SSIDs of Eircom routers - making life easier for individuals who wish to piggyback on the wifi of others.

What are the legal issues associated with using or providing this app? Unsurprisingly media coverage of the software has reported that unauthorised access to wifi may constitute a criminal offence, something Eoin O'Dell has previously teased out in a series of posts (1|2|3).

A more difficult question however - and one which hasn't yet been considered - is whether simply providing the app might itself constitute a criminal offence.

So called hacking tools have been specifically criminalised in some jurisdictions. In the UK for example section 37 of the Police and Justice Act 2006 (which was eventually brought into force in October 2008) amended the Computer Misuse Act 1990 to create a new offence of making, supplying or obtaining articles for use in computer misuse offences - an offence which would be committed where a person supplies a program "intending it to be used" or "believing that it is likely to be used" in an unauthorised access offence.

That offence is wide enough to capture dual-use tools - programs such as this one which have legitimate as well as criminal uses - and consequently the Crown Prosecution Service has issued guidelines to prosecutors in relation to when prosecutions should be brought, looking at factors such as whether software is "available on a wide scale commercial basis and sold through legitimate channels", is "widely used for legitimate purposes", is "circulated to a closed and vetted list of IT security professionals or [is] posted openly" or has been "developed primarily, deliberately and for the sole purpose of committing" an offence.

Unsatisfactory though the UK law and guidance might be (a point made by, amongst others, Richard Clayton) it does at least attempt to legislate specifically for computer crime. Irish law on the other hand has no offence specifically tailored for this situation, leaving us to wonder whether new situations might be forced within the confines of old offences. I wrote about this point recently for Reich (ed.), Cybercrime and Security, and here's a short excerpt:
While Irish law does not specifically deal with these matters, it may be possible to prosecute in individual cases using section 4 of the Criminal Damage Act 1991. That section provides:
“A person (in this section referred to as the possessor) who has any thing in his custody or under his control intending without lawful excuse to use it or cause or permit another to use it— (a) to damage any property belonging to some other person … shall be guilty of an offence.”
Bearing in mind that the definition of property under the 1991 Act includes data, this section would seem to be wide enough to criminalise possession of e.g. a virus or Trojan horse where accompanied by an intention to damage property. It should, however, be noted that this section does not criminalise creation, possession, sale or distribution per se – in every case it must be shown that the defendant had an intention to use the item to damage property. This appears to create two related problems for prosecutors. From an evidential point of view it is likely that they will face a difficulty in demonstrating that an accused person had the necessary intention. Moreover, the intention which must be shown is an intention to damage property – a mere intention to carry out an unauthorised access would not suffice. If, for example, A were found to be in possession of a username and password belonging to B, this would not be an offence under section 4 if A’s intention was merely to view B’s data.
Applying this analysis to the dessid app, it seems to me unlikely that distributing this or similar software would be an offence under section 4. First, that section requires an intention to cause or permit a person to use it to commit an offence. Mere foresight that an offence might be committed would not seem to be enough. Secondly, section 4 applies only to things to be used for the purpose of criminal damage - so that distribution of software for some other illegal purpose (such as unauthorised access) would not fall within its remit. (A further obstacle might lie in the narrow wording of section 4 - is software a "thing" within the meaning of that section?)

Friday, November 06, 2009

Unauthorised access? There's an app for that

APPLE IS benefiting from sales of a piece of software that provides free access to up to 250,000 home broadband networks without the owners’ knowledge.

The software for Apple iPhones, called “dessid”, which costs €1.59, exploits a flaw in the hardware Eircom provided to its broadband customers and which first came to light in September 2007.

The problem occurred because each Eircom customer’s wireless network broadcast a unique eight-digit code as its network name. The password was derived from these digits.
To my mind, the real issue behind this Irish Times story is not that you can buy an app which allows you to piggyback on the wifi of Eircom customers (there's a handy web page that will still work even if Apple pulls the program from the app store) - instead it's that Eircom have agreed to disconnect users accused of filesharing, despite knowing full well that their own wireless modems are insecure and that people will be wrongfully disconnected as a result.

Sunday, October 18, 2009

Data breach consultation paper now out

The Data Protection Review Group has now published a consultation paper (pdf) on reforming Irish law on notification of data breaches. Pages 33-38 on possible regulatory options are particularly useful, though the group is clearly hampered by the fact that any national reforms might soon be out of date as a result of changes at European level.

Garda databases still open to abuse?

From today's Sunday Business Post:
A garda undermined a series of major anti-crime surveillance operations by passing details of car registrations belonging to undercover detectives onto a gang of armed robbers.

The garda is the subject of an internal investigation which is looking into a number of officers who are suspected of being on the payroll of separate Dublin criminals. The garda was in regular contact with a crime figure who is facing charges related to serious criminal activity.

When the criminal gang suspected that they might be under surveillance, they supplied the garda with a list of car registrations they had encountered. The garda checked the car details on the force’s Pulse IT system and informed the gang if the cars were part of the Garda fleet.

In several cases, the garda was able to identify vehicles that were being used by an undercover Garda unit. To avoid detection, the officer got junior uniformed gardaí to log into the Pulse system using their own passwords - as the system records a digital imprint of every log-in by a member using their unique password, The Sunday Business Post understands.
Update (8.11.09) - The Sunday Independent has more on abuse of Garda databases.

Moriarty-Tribunal.ie v. MoriartyTribunal.com - Denis O'Brien takes the PR battle online

Today's Sunday Business Post has an interesting article about Denis O'Brien's latest salvo in his ongoing PR battle against the Moriarty Tribunal investigation into how he came to be awarded Ireland's second mobile phone licence.

The official website of the Tribunal is moriarty-tribunal.ie and O'Brien has now launched a full frontal attack on the findings of the tribunal at moriartytribunal.com, which bills itself as presenting "the true picture of the Moriarty Tribunal's 8 1/2 year inquiry into the awarding of the second mobile phone licence" - including confidential correspondence between the Tribunal and parties.

Is a UDRP claim on the cards? Probably not (though there has been one case where an Irish public body has unsuccessfully invoked the IEDRP). Nevertheless, I'll be interested to see whether the Tribunal will object to the use of such a similar domain name.

Friday, October 16, 2009

UK Government abandons plans for mandatory web filtering

Just over a month ago the Independent on Sunday reported that:
The Home Office is drawing up plans for what, in effect, would be the first form of state intervention in Britain in relation to the internet.

British ISPs would face heavy fines for failing to block sites containing images of child sexual abuse, according to the contents of a leaked Home Office document seen by The Independent on Sunday...

The leaked Home Office letter says a clause in the Police, Crime and Private Security Bill in the Queen's Speech would "compel domestic ISPs to implement the blocking of illegal images of child sexual abuse".
This was far from new policy - since 2006 the Home Office has consistently said that it would legislate for mandatory filters unless ISPs "voluntarily" filtered against the IWF blacklist. But according to The Register, it has now rather abruptly changed its position:
The government has abandoned its long-standing pledge to force 100 per cent of internet providers to block access to a list of child pornography websites.

The decision to drop the policy will be finalised at a meeting on Monday to be attended by internet industry representatives, children's charities and Alun Michael MP.

The former minister had aimed to pressurise small ISPs to implement the Internet Watch Foundation's (IWF) blacklist with the threat of legislation, but the Home Office has now backed down. A lobbying campaign argued costs were too high for small companies to bear and that the blocking technology can be easily circumvented by determined paedophiles.
Instead the Home Office will attempt to use consumer pressure to encourage the remaining ISPs to filter:
For the first time the IWF will publish the list of ISPs who are certified as having implemented its blacklist. "Hopefully consumer and public pressure will encourage the ISPs who aren't on the list to comply," said Carr. A Home Office spokesman said: "We will continue to urge ISPs to implement blocking, and ask consumers to check with their suppliers that they have done so. The Government recognises the work done by most of the internet industry to tackle this problem."
Why the about-face? One factor may have been that the Home Office didn't enjoy wide support for its plans even amongst official bodies. The Chief Executive of the Child Exploitation and Online Protection Centre (CEOP) recently said that he was not convinced of the need to introduce mandatory filtering, while apComms had come out strongly against mandatory web filters. Key to both views was the recognition (which was slow in dawning at the Home Office) that web filters are increasingly irrelevant to the wider problem. Or, as The Register put it:
One likely factor in the softening of stance of both the government and charities is the fact that on the frontline of online child protection, websites carrying images of abuse are no longer seen as a priority.

The Child Exploitation and Online Protection Centre is focussed on paedophile peer to peer networks as they are much more likely to carry recent images, potentially indicating ongoing abuse. The IWF's website blocking is seen as yesterday's issue.
Coincidentally, Germany is also having second thoughts about mandatory filtering, with post-election negotiations for a new coalition government featuring demands that the proposed filtering system be halted.

Thursday, October 15, 2009

apComms come out for worldwide IWF system; against mandatory internet filtering

apComms - the influential UK All Party Parliamentary Communications Group - have now issued the Report from their inquiry "Can we keep our hands off the net?". This inquiry commenced in April and focused on five questions:
#1 Can we distinguish circumstances when ISPs should be forced to act to deal with some type of bad traffic? When should we insist that ISPs should not be forced into dealing with a problem, and that the solution must be found elsewhere?
#2 Should the Government be intervening over behavioural advertising services, either to encourage or discourage their deployment; or is this entirely a matter for individual users, ISPs and websites?
#3 Is there a need for new initiatives to deal with online privacy, and if so, what should be done?
#4 Is the current global approach to dealing with child sexual abuse images working effectively? If not, then how should it be improved?
#5 Who should be paying for the transmission of Internet traffic? Would it be appropriate to enshrine any of the various notions of Network Neutrality in statute?
The full report is an interesting document, and is squarely at odds with current government policy in several areas. Here's what it has to say on filesharing, for example:
We do not believe that disconnecting end users is in the slightest bit consistent with policies that attempt to promote eGovernment, and we recommend that this approach to dealing with illegal file-sharing should not be further considered.
What interests me most is what apComms have to say about dealing with online child pornography. Here they've adopted what seems to be a sensible approach (no doubt influenced by their advisor, Richard Clayton) warning against over-reliance on filters, rejecting government policy to introduce mandatory filters and instead recommending an international extension of IWF-type voluntary cooperation on notice and take-down systems:
We recommend that the Government does not legislate to enforce the deployment of blocking systems based on the IWF lists. This has the potential to damage future attempts to fix problems through self-regulation, and will thus, in the long term, be counterproductive...

It seems quite clear from the evidence that we received that a great deal more could be done to promptly request ISPs to remove child sexual abuse image websites. The IWF are clearly doing a good job along these lines within the UK, but they tell us that they are unable to extend this activity to key countries such as the US and Russia.

In our view, this is an unacceptable situation. If the IWF are unable to perform this important function on a global basis, then some other organisation will need to be given the task. Although there is no particular reason why such a global body should be UK based, the long history of leadership in this area makes the UK a natural candidate to develop a new approach.

We recommend that the Government, in consultation with the EU Commission, establish whether the Internet Watch Foundation (IWF) should extend its “notice and take-down” mechanisms to the whole world, and if not, work to establish such a global system.
More from Andres and The Register.

Wednesday, October 14, 2009

Judgment in Irish Pirate Bay blocking case now available

The Courts.ie website now has the full text of the judgment by Charleton J. in EMI Records v. Eircom where an order was made against Eircom requiring them to block access to The Pirate Bay. This decision is of limited precedential value - it was made on the consent of Eircom and is an ex tempore judgment only. Nevertheless it's worth reading for an insight into how Irish judges will respond to claims that websites should be blocked.

The judgment itself doesn't refer to the terms of the order against Eircom, but I've previously put up the relevant portions of the order.

Tuesday, October 13, 2009

IRISS Conference on Cybercrime in Ireland

This promises to be a very interesting event:
IRISS Conference 2009

IRISS will hold its first annual conference on the 19th of November 2009 at the D4 Berkley Court hotel. This all day conference will focus on providing you with an overview of the current cyber threats facing businesses in Ireland and what you can do to help deal with those threats.

Experts on various aspects of cyber crime and cyber security will share their thoughts and experiences with you while a number of panel sessions will provide you with the opportunity to discuss the issues that matter to you most. There will be a number of expert speakers on cyber crime including representatives from;

* The Irish Reporting and Information Security Service
* An Garda Síochána
* The Data Protection Commissioner's Office
* The European Network and Information Security Agency
* OWASP (The Open Web Application Security Project).

In parallel to the above speaking sessions Ireland's first Cyber Security Challenge, HackEire, will be held to identify Ireland's top cyber security experts. HackEire will see 10 teams, up to a maximum of four people per team, compete against each other in a controlled environment to see which team will be the first to exploit weaknesses in a number of systems and declare victory. The purpose of the HackEire competition is to demonstrate how attackers could gain access to your systems and allow you to learn from the event on how to prevent such attacks from impacting your network.

The conference will be open to anyone with the responsibility for securing their business information assets. There is no charge for those who wish to attend.
(via Michele)

Monday, October 12, 2009

Employment law issues that didn't exist when I was in law school

From OUT-LAW:
Employers must gain control of their employees' online behaviour and virtual attire according to business research firm Gartner. It said that companies should establish dress codes for employees' avatars.

Friday, September 25, 2009

JC Decaux should backpedal on iPhone app threat

I'm quoted in today's Irish Times on the threats made by JC Decaux against Fusio resulting in their taking down their Dublin Bikes App.

Leave aside for a moment the PR stupidity of this strategy.

Ignore if you will the dubious legal basis of their claim. (Without going into the finer points of copyright in facts, database rights, clickwrap agreements or possible passing off, the vague nature of their complaint - "Following our conversion, I confirm that you do not have the rights to use the information published on the web site http://www.dublinbikes.ie/. In particular the data concerning the stations is the property of JCDecaux and cannot be used without our prior authorisation" - makes it clear that they have little idea what they are talking about.)

Think instead about the issue of principle. A body which is operating in partnership with Dublin City Council is attempting to stop an Irish company from providing - free of charge - facts to the public about the service which they offer, without giving any justification for doing so, and without offering an alternative of their own. (I'm happy to see that at least some of our politicians understand the absurdity of this.)

I spoke to the press office in Dublin City Council today, who made it clear that they regard this matter as nothing to do with them. But why not? DCC were happy to work with Fusio to develop the app. Is there no provision in their contract with JCD establishing an obligation to provide information to the public about the service? Will they make sure that future contracts address this type of situation? (And - while I'm on the topic of the contract - why does JCD own the domain dublinbikes.ie? Is there any provision in the contract for the domain to revert to DCC on its expiry?)

Tuesday, September 15, 2009

Ryanair screen scraping: New litigation

I've blogged before about Ryanair's case against Travelfusion and Bravofly in respect of screen scraping. According to RTE News, this case has now been joined by a fresh set of proceedings in the High Court by Ryanair against Ticketpoint, Reisebuero and Billigfluege, alleging that they are using screen scraping to resell Ryanair tickets at higher prices.

According to the news report, Ryanair is complaining that the three companies are "applying a service charge and credit card charges to the prices". I wonder who they got that idea from?

Thursday, September 03, 2009

Lori Drew decision published - Breach of terms of use as a criminal offence

When Lori Drew was prosecuted for bullying via MySpace, which led to the suicide of Megan Meier, many people were worried about the prosecution theory of the case. The basis of the charge was not the bullying itself but rather that, by failing to comply with MySpace's terms of use, Lori Drew had committed an offence of unauthorised access to a computer. If accepted, this theory would have criminalised failure to abide by terms of use - terms which most users never read and which are often vague and imprecise in their scope - and effectively permitted site owners to provide that a breach of their rules would now be a crime. As Andy Grossman put it, the effect would be that "every site on the Internet gets to define the criminal law. That’s a radical change. What used to be small-stakes contracts become high-stakes criminal prohibitions."

Consequently there was some relief two months ago when the trial judge indicated that he would quash the jury's guilty verdict, but his short oral statement of reasons on that day didn't go into detail as to why the prosecution case was flawed. The full written judgment has now been published, and shows that the trial judge applied the void for vagueness doctrine to find that a prosecution based on simple breach of terms of use would not give fair warning to users as to what actions might be criminal and would criminalise vast numbers of users without providing even minimal guidelines to govern prosecutions.

Would a similar result be reached in Ireland? The position is complicated slightly by the peculiar wording of the relevant offence - which speaks of "access without lawful excuse" rather than "unauthorised access" - but the same underlying principles would apply. The domestic caselaw - in particular King v Attorney General [1981] IR 223 - has established the proposition that the ingredients of an offence must be set out with precision and clarity and this has since been reinforced by ECHR jurisprudence requiring accessibility and foreseeability in criminal offences (e.g. CR v. United Kingdom). In light of those principles, it seems likely that the Irish courts would follow the reasoning in the Lori Drew case.

Some key portions of that ruling are worth quoting:
If a website’s terms of service controls what is “authorized” and what is “exceeding authorization” - which in turn governs whether an individual’s accessing information or services on the website is criminal or not, section 1030(a)(2)(C) would be unacceptably vague because it is unclear whether any or all violations of terms of service will render the access unauthorized, or whether only certain ones will.

For example, in the present case, MySpace’s terms of service prohibits a member from engaging in a multitude of activities on the website, including such conduct as “criminal or tortious activity,” “gambling,” “advertising to . . . any Member to buy or sell any products,” “transmit[ting] any chain letters,” “covering or obscuring the banner advertisements on your personal profile page,” “disclosing your password to any third party,” etc... The MSTOS does not specify which precise terms of service, when breached, will result in a termination of MySpace’s authorization for the visitor/member to access the website.
By utilizing violations of the terms of service as the basis for the... crime, that approach makes the website owner - in essence - the party who ultimately defines the criminal conduct. This will lead to further vagueness problems. The owner’s description of a term of service might itself be so vague as to make the visitor or member reasonably unsure of what the term of service covers. For example, the MSTOS prohibits members from posting in “band and filmmaker profiles . . . sexually suggestive imagery or any other unfair . . . [c]ontent intended to draw traffic to the profile.”

Moreover, website owners can establish terms where either the scope or the application of the provision are to be decided by them ad hoc and/or pursuant to undelineated standards. For example, the MSTOS provides that what constitutes “prohibited content” on the website is determined “in the sole discretion of MySpace.com . . . .” Additionally, terms of service may allow the website owner to unilaterally amend and/or add to the terms with minimal notice to users.
Because terms of service are essentially a contractual means for setting the scope of authorized access, a level of indefiniteness arises from the necessary application of contract law in general and/or other contractual requirements within the applicable terms of service to any criminal prosecution.
Treating a violation of a website’s terms of service, without more, to be sufficient to constitute “intentionally access[ing] a computer without authorization or exceed[ing] authorized access” would result in transforming section 1030(a)(2)(C) into an overwhelmingly overbroad enactment that would convert a multitude of otherwise innocent Internet users into ... criminals... If any conscious breach of a website’s terms of service is held to be sufficient by itself to constitute intentionally accessing a computer without authorization or in excess of authorization, the result will be that section 1030(a)(2)(C) becomes a law “that affords too much discretion to the police and too little notice to citizens who wish to use the [Internet].”
Eric Goldman has analysis of the decision and its implications for legal responses to cyberbullying - suggesting that the decision is likely to encourage lawmakers to introduce new offences of online harassment.

Monday, August 31, 2009

The Pirate Bay block takes effect

Today, September 1st, is the day that Eircom is scheduled to start blocking The Pirate Bay. It will be interesting to see how it is implemented and whether there are any technical side effects (along the lines of the recent IWF / Wikipedia fiasco). If you're an Eircom customer, perhaps you might post a comment as to whether you can still access thepiratebay.org or the other URLs / IP addresses which are being blocked, or whether you've noticed any other effects of the blocking.

Friday, August 28, 2009

Eircom, three strikes and false positives

I've said before now that the three strikes system which Eircom has agreed to use is likely to result in innocent people being wrongly accused.

Some of these cases will be due to Eircom's own incompetence in issuing up to 250,000 wireless routers with easily guessable passwords - which will result in some people piggybacking on Eircom users' connections. But there is a wider problem, in that the investigators used by the music industry have a track record of making false copyright infringement claims.

A particularly interesting study from the University of Washington (Zeropaid story | Full details and paper) shows the risks.

In that study, the researchers document receiving 487 notices under the DMCA: all wrongfully alleging that files were being illegally shared over BitTorrent. Among the alleged culprits were three laserjet printers which between them were accused on nine separate occasions of downloading movies. (Bad printers! No toner for you tonight.)

The research conclusions?
Practically any Internet user can be framed for copyright infringement today.
By profiling copyright enforcement in the popular BitTorrent file sharing system, we were able to generate hundreds of real DMCA takedown notices for computers at the University of Washington that never downloaded nor shared any content whatsoever.

Further, we were able to remotely generate complaints for nonsense devices including several printers and a (non-NAT) wireless access point. Our results demonstrate several simple techniques that a malicious user could use to frame arbitrary network endpoints.

Even without being explicitly framed, innocent users may still receive complaints.
Because of the inconclusive techniques used to identify infringing BitTorrent users, users may receive DMCA complaints even if they have not been explicitly framed by a malicious user and even if they have never used P2P software!
In light of these findings, I wonder how reliable the evidence presented by the music industry to Eircom will be, and whether the flaws identified in this study will be addressed. So far, all we have to go on are leaked details of a draft protocol between Eircom and the music industry on the information to be provided with each accusation.

Those details are, however, too vague at this stage to be useful.

For example, the draft apparently provides that "the information which will be provided by the record companies will be of the same type as that used in the three previous disclosure actions in the Irish High Court". What precisely does this mean? Similarly, the protocol appears to require the music industry to provide "the digital fingerprint/hash for copyright material detected". Does this mean that before a complaint can be made, the investigators must download the entire file allegedly shared by the user? There is also apparently provision for "reputable annual independent certification that the necessary ... I.T. ... controls relating to the obtaining, generating and processing of data by Detecnet ... have been complied with". Will this require certification that the types of problems identified by the University of Washington and others have been solved? In fairness to Eircom, it does appear that it has made some efforts to include elements in the agreement which might meet some of these problems. But without more detail on the agreement it's impossible to be confident that innocent users (or printers!) will not be wrongly accused.
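The distinction the University of Washington study draws is between indirect evidence (an address appears in a tracker's peer list, which anyone can arrange: the tracker accepts the peer's own claim of its address, and the announce request even carries an optional `ip` parameter) and direct evidence (the peer actually serves a block of the work that verifies against the piece hashes in the .torrent). The following is an added example written for this post, not code from the study, from Detecnet or from Eircom; it decodes a tracker-style compact peer list and only treats a peer as actionable if a piece received from it verifies by SHA-1. The two-piece "work", the peer list and the exchange results are constructed for illustration, using documentation addresses. It also answers the question above in passing: verification needs a piece and the torrent's piece hashes, not a download of the entire file.

```python
import hashlib
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample "work": two 16-byte pieces. In a real .torrent the per-piece
# SHA-1 hashes are in the info dictionary; here we compute them from the content.
PIECES = [b"A" * 16, b"B" * 16]
PIECE_HASHES = [hashlib.sha1(p).digest() for p in PIECES]

Peer = Tuple[str, int]


def encode_compact_peers(peers: List[Peer]) -> bytes:
    """Build a tracker-style compact peer list (used here only to construct sample data)."""
    return b"".join(socket.inet_aton(ip) + struct.pack("!H", port) for ip, port in peers)


def decode_compact_peers(blob: bytes) -> List[Peer]:
    """Decode a compact peer list: 6 bytes per peer, IPv4 address then big-endian port."""
    if len(blob) % 6:
        raise ValueError("compact peer list length must be a multiple of 6")
    return [
        (socket.inet_ntoa(blob[i:i + 4]), struct.unpack("!H", blob[i + 4:i + 6])[0])
        for i in range(0, len(blob), 6)
    ]


def verify_piece(index: int, data: bytes) -> bool:
    """A received piece counts as evidence only if its SHA-1 matches the torrent's piece hash."""
    return 0 <= index < len(PIECE_HASHES) and hashlib.sha1(data).digest() == PIECE_HASHES[index]


@dataclass
class Evidence:
    ip: str
    port: int
    listed_by_tracker: bool         # indirect: any third party can cause this
    verified_piece: Optional[int]   # direct: index of a piece this peer actually served


def assess(peer_blob: bytes, exchanges: Dict[Peer, Optional[Tuple[int, bytes]]]) -> List[Evidence]:
    """Combine the tracker's (untrusted) peer list with the outcome of connecting to each
    peer and requesting one piece. `exchanges` maps a peer to (piece_index, bytes_received),
    or None if the peer never sent any data."""
    report = []
    for peer in decode_compact_peers(peer_blob):
        got = exchanges.get(peer)
        verified = got[0] if got is not None and verify_piece(*got) else None
        report.append(Evidence(peer[0], peer[1], True, verified))
    return report


def actionable(report: List[Evidence]) -> List[str]:
    """Only peers that served a hash-verified piece should be named in a complaint."""
    return [e.ip for e in report if e.verified_piece is not None]


# Constructed scenario (RFC 5737 documentation addresses, hypothetical):
#  .10  a genuine seeder that serves piece 0 correctly
#  .50  a printer that a third party inserted into the swarm by announcing to the
#       tracker with ip=192.0.2.50; it never speaks BitTorrent at all
#  .77  a host that answers but returns bytes that fail the piece hash
SAMPLE_PEER_BLOB = encode_compact_peers([("192.0.2.10", 6881), ("192.0.2.50", 80), ("192.0.2.77", 51413)])
SAMPLE_EXCHANGES: Dict[Peer, Optional[Tuple[int, bytes]]] = {
    ("192.0.2.10", 6881): (0, b"A" * 16),
    ("192.0.2.50", 80): None,
    ("192.0.2.77", 51413): (1, b"garbage-not-piece"),
}

if __name__ == "__main__":
    report = assess(SAMPLE_PEER_BLOB, SAMPLE_EXCHANGES)
    for e in report:
        print(e)
    print("actionable:", actionable(report))
```

Run as-is, all three addresses are "listed by the tracker" but only 192.0.2.10 survives the piece check; the printer and the host returning junk are exactly the cases that would generate a notice under a peer-list-only method.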

Tuesday, August 25, 2009

Technical aspects of The Pirate Bay blocking

Eircom's block of The Pirate Bay comes into force on September 1st. With that in mind it might be worth examining precisely what Eircom is obliged to do. The relevant portion of the court order (to which Eircom consented) is the following:
IT IS ORDERED

(1) Pursuant to Section 40(4) of the Copyright and Related Rights Act, 2000 that the Defendant do block or otherwise disable access by its subscribers to the Website ThePirateBay.org and related domain names IP addresses and URLs listed in the Schedule attached hereto together with such other domain names IP addresses and URLs as may reasonably be notified as related domain names by the Plaintiffs to the Defendant from time to time...

Schedule

The Pirate Bay main site

Thepiratebay.org main site is hosted on a server with IP address 192.121.86.15

The Pirate Bay trackers

The Pirate Bay current tracker URL is:

http://tracker.thepiratebay.org:80/announce
udp://tracker.thepiratebay.org:80/announce

This URL resolves to the following IP addresses:

192.121.86.2
192.121.86.3
192.121.86.4
192.121.86.5
192.121.86.6
192.121.86.7
192.121.86.8

Domain names that re-direct to The Pirate Bay

Piratebay.net
Piratebay.org
Piratebay.se
Thepiratebay.com
Thepiratebay.net
Thepiratebay.nu
Thepiratebay.se
Pro-piracy.nl
Smais.org
Thepiratebay.org
Piratebay.no

The re-directs are all hosted on the main server with IP 192.121.86.15 (owned by The Pirate Bay)

The Pirate Bay .torrent files
The Pirate Bay .torrent files are hosted on IP 192.121.86.19 with (sub)domain
http://torrents.thepiratebay.org
Astute readers might have guessed that the list of IP addresses would rapidly go out of date, and checking today, that seems to be the case. This might be related to the fact that earlier today TPB upped and moved servers in response to the Swedish authorities ordering their connectivity provider to disconnect them from the internet.

Whatever the reason, this highlights one problem with the order - there's no provision for the possibility that an IP address or domain name initially associated with TPB later comes to be associated with a different and innocent site. I'm told (by someone who should know) that this is unlikely at least in the short term in the case of TPB - but that's no excuse for an order which doesn't even consider this risk, much less provide for any safeguard.

Of course, the order doesn't specify the methods to be used by Eircom to "block or otherwise disable access by its subscribers to the Website ThePirateBay.org and related domain names IP addresses and URLs". Any thoughts on what these might be and their possible pitfalls?
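Since the order names both domains and addresses but says nothing about how they are to be blocked, the pitfalls split neatly in two: an address-level block keeps hitting whoever holds 192.121.86.15 after TPB has left it (the risk raised above, and the sort of side effect asked about in the September 1st post), while a name-level block misses nothing that moves but catches only the names the plaintiffs have notified. The following is an added example, written for this post rather than anything Eircom or the plaintiffs use, that audits the Schedule against a DNS snapshot. The domains and addresses are those listed in the order; the "current" DNS answers are constructed for illustration, using documentation address ranges, and are not TPB's actual new addresses.

```python
import ipaddress
from typing import Dict, List, Set

# Domains and IP addresses as listed in the Schedule to the order.
LISTED_DOMAINS: List[str] = sorted({
    "thepiratebay.org", "tracker.thepiratebay.org", "torrents.thepiratebay.org",
    "piratebay.net", "piratebay.org", "piratebay.se", "thepiratebay.com",
    "thepiratebay.net", "thepiratebay.nu", "thepiratebay.se", "pro-piracy.nl",
    "smais.org", "piratebay.no",
})
LISTED_IPS: List[str] = sorted(
    {"192.121.86.15", "192.121.86.19"} | {"192.121.86.%d" % n for n in range(2, 9)},
    key=ipaddress.ip_address,
)

# Constructed DNS snapshot (hypothetical): what the names resolve to "today".
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not real addresses.
DNS_SNAPSHOT: Dict[str, Set[str]] = {
    "thepiratebay.org": {"198.51.100.20"},
    "tracker.thepiratebay.org": {"198.51.100.21", "198.51.100.22"},
    "torrents.thepiratebay.org": {"198.51.100.20"},
    "piratebay.org": {"198.51.100.20"},
    "thepiratebay.se": {"198.51.100.20"},
    "smais.org": {"192.121.86.15"},              # still on the old server
    "innocent-shop.example": {"192.121.86.15"},  # an unrelated site now on a listed IP
    "blog.example": {"203.0.113.7"},             # unrelated and unaffected
}


def audit(listed_domains: List[str], listed_ips: List[str],
          snapshot: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Compare a static block schedule with current DNS data.

    stale_ips     listed addresses that no listed domain resolves to any more
                  (blocking them no longer touches the target, only whoever holds them now)
    unlisted_ips  addresses the listed domains now resolve to but the order does not name
                  (the target has moved out from under an address-level block)
    collateral    names outside the schedule that share a listed address
                  (what an address-level block takes down alongside the target)
    """
    listed = set(listed_domains)
    listed_ip_set = set(listed_ips)
    current_ips: Set[str] = set()
    for domain in listed:
        current_ips |= snapshot.get(domain, set())
    by_ip = ipaddress.ip_address
    return {
        "stale_ips": sorted(listed_ip_set - current_ips, key=by_ip),
        "unlisted_ips": sorted(current_ips - listed_ip_set, key=by_ip),
        "collateral": sorted(h for h, ips in snapshot.items()
                             if h not in listed and ips & listed_ip_set),
    }


def would_block(host: str, mode: str) -> bool:
    """Whether a request for `host` is caught by a name-level ("dns") or an
    address-level ("ip") block built from the Schedule, given DNS_SNAPSHOT."""
    if mode == "dns":
        return host in set(LISTED_DOMAINS)
    if mode == "ip":
        return bool(DNS_SNAPSHOT.get(host, set()) & set(LISTED_IPS))
    raise ValueError("mode must be 'dns' or 'ip'")


if __name__ == "__main__":
    for key, values in audit(LISTED_DOMAINS, LISTED_IPS, DNS_SNAPSHOT).items():
        print(key, values)
    for host in ("thepiratebay.org", "innocent-shop.example"):
        print(host, "dns:", would_block(host, "dns"), "ip:", would_block(host, "ip"))
```

On this snapshot the audit reports eight of the nine listed addresses as stale, three new addresses the order does not cover, and one unrelated hostname sharing a listed address; `would_block` shows the mirror image, with the moved site escaping an address-level block while the innocent site is caught by it. An ISP implementing the order would want to re-run exactly this kind of check on a schedule, since the order itself provides no mechanism for removing entries.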

Friday, August 21, 2009

Computer forensics, proprietary methods and peer review

As I prepare my course materials for the new course in Digital Investigations and the Law I find myself revisiting cases which I intended to blog when they were initially decided but which never made it to the screen. Here's an interesting one from 2005 which discusses when a court will compel computer forensics experts to reveal their proprietary methods, and which raises some interesting questions about whether such methods are compatible with the general approach of the courts towards expert witnesses.

In Mulcahy v Avoca Capital Holdings [2005] IEHC 136 (full text not available but summarised here) the plaintiff was the subject of disciplinary procedures by his employer including allegations of "improper dealing with the e-mail inboxes of senior members of staff and ... improper dealing with the company's IT systems". He brought an action in the High Court seeking to stop the disciplinary process.

In order to deal with the allegations against him, the plaintiff sought to have his computer forensics experts examine certain computers belonging to the employer. Access was granted by the court, but a dispute arose as to whether the plaintiff's experts would be entitled to keep secret their proprietary methods for carrying out the examination.

Significantly, Clarke J. held that while a court would not unnecessarily require an expert to reveal confidential methods, by acting as an expert witness a person exposed their methodology to scrutiny in court and fair procedures demanded that the other party be able to assess and challenge that approach in appropriate cases.

The relevant passage is worth quoting in full as the judgment doesn't seem to be freely available online:
The final point I would like to comment on is the argument put forward in evidence on behalf of Grant Thornton [acting for the plaintiff], which amounted to a plea for the protection of their proprietary methods. A court must always, in circumstances such as this, be concerned not to expose experts to any unnecessary exposure of the benefits of their craft, as it were, but it does have to be said that a person who presents themselves as willing to act as an expert in proceedings necessarily exposes their methods to investigation in court. Just to put it at its mildest, if Grant Thornton and Ritz [acting for the defendant] were to give evidence in a trial which conflicted as to their findings, the only way the court could resolve that conflict would be by investigating their methods and forming a view as to which method is better. So it seems to me, as a matter of principle and a matter of practice in this case, an expert just cannot stand on ceremony in that way; by being available to give forensic evidence in proceedings an expert is potentially exposing his methods to detailed investigation. He cannot say, "I am going to give evidence but I am not going to tell people how I carried out my inquiries." While a court should not make any directions that would unnecessarily expose the skills of an expert, it nonetheless seems to me that there is a limit to the extent to which those methods can be protected and, therefore, on the facts of this case I would not place any significant weight on that concern on their part. (Emphasis added.)
This decision is in one sense unsurprising: past decisions such as State (D&D) v. Groarke [1990] 1 IR 305 have shown a judicial willingness to look behind an expert's opinion to the procedure on which it is based.

But perhaps the most interesting aspect of this case, as compared with the use of other expert witnesses such as doctors or engineers, is the tacit assumption that computer forensics experts will be using methods which are confidential to them or home-grown.

Perhaps in the relatively early years of computer forensics as a discipline this assumption might have been justified - though today it's beginning to look increasingly shaky with the move towards open source forensics tools as well as commercial products such as EnCase. Nevertheless it raises an interesting question - should the courts accept expert testimony when the underlying tools or methods have not been the subject of peer review to ensure their reliability?

Although the Irish courts have yet to adopt an approach similar to the US Daubert standard, there has been at least one recent judgment in which "expert" testimony has been rejected where it hasn't been shown to have a "properly established scientific provenance" or "the requisite degree of expert peer approval". (See DPP v. Michael Joseph Kelly (2008) in relation to the controversial CUSUM technique for determining the author of a document.) In light of this decision, one wonders how the Irish courts might evaluate the use of proprietary computer forensics tools today.

For more on this issue, Meyers and Rogers (2004) is a good starting point.

Wednesday, August 19, 2009

Eircom to block the Pirate Bay from September; UPC not so keen

In the latest twist in the Irish filesharing wars, it's emerged today that Eircom will start blocking access to The Pirate Bay from the first of September, while UPC has rejected music industry demands that it do so also. (The Irish Times | RTE). So what's going on?

First - the Eircom situation. When Eircom settled the case brought against it by the music industry it agreed - in addition to implementing a three strikes system against its users - not to oppose any application to the court to block access to The Pirate Bay. The predictable result was that an unopposed application would be granted without any real judicial scrutiny - and this has now happened. On the 24th of July, on the consent of Eircom, Mr. Justice Charleton in the High Court granted an order requiring it to:
block or otherwise disable access by its subscribers to the website thePirateBay.org and related domain names, IP addresses and URLs ... together with such other domain names, IP addresses and URLs as may reasonably be notified as related domain names by [the music company plaintiffs] to [eircom] from time to time.
That order requires Eircom to put such a block in place from the start of September (and, remarkably, to block additional sites designated by the plaintiffs as "related" - something presumably designed to avoid evasion but which may be prone to abuse). Crucially, however, Mr. Justice Charleton stressed that he had only heard one side, and that consequently any decision he made was on the basis of one side putting forward an unopposed application - expressly noting that had the matter been argued, a different conclusion might have been reached by a different court. In short, the order has no precedential value.

Despite this, however, the music industry appears to have been emboldened by the order, which takes us on to the UPC situation. It seems that the plaintiffs then wrote to UPC demanding that it also block The Pirate Bay, lest customers "migrate" from Eircom, and threatening immediate proceedings unless it blocked access also. UPC - which is already being sued by the music industry in separate proceedings essentially demanding it implement "three strikes" - has rejected this demand, and indicated that it will vigorously defend any additional action also.

The current state of play raises some interesting questions. For example: Will users begin to migrate from Eircom? Is it appropriate for a court - even on consent - to make an order which will have the effect of blocking user access to a great deal of legitimate content? (While the percentage of legal torrents on The Pirate Bay might be contested, there's no doubt but that it indexes a great deal of legitimate content.) Should such an order allow plaintiffs to (apparently unilaterally) determine which sites are "related" and require those to be blocked also? Why have Eircom been so shy about revealing the existence of the blocking? Expect these, and other issues to come to the fore over the next few days.

Adrian Weckler has more, including the UPC press release.

Friday, August 14, 2009

Overseeing Surveillance - Lessons from the UK Experience?

In a previous post I pointed out the remarkable lack of transparency in the oversight of surveillance in Ireland. This has become all the more worrying since July, when the remit of this oversight system was extended (by the Criminal Justice (Surveillance) Act 2009) beyond telephone tapping and data retention to include also the planting of covert audio bugs, video cameras and GPS trackers. In effect, the Designated Judge has now been given (by ad hoc extensions of his role) oversight of most forms of surveillance - with public accountability in respect of this oversight remaining limited to a single page annual report.

Two recently published documents from the UK illustrate a better model of oversight.

The first is the 2008 Report of the Interception of Communications Commissioner. The primary role of this official - a retired judge - is similar to that of the Irish Designated Judge in relation to interceptions and data retention. Unlike our uninformative annual report, however, the Interception Commissioner gives much more detail in relation to his work. Here are some examples:
In short, I meet officers in the agencies undertaking interception work and officials in the departments of the Secretaries of State/Ministers which issue the warrants. Prior to each visit, I obtain a complete list of warrants issued or renewed or cancelled since my previous visit. I then select, largely at random, a sample of warrants for inspection. These include both warrants and attendant certificates. In the course of my visit I satisfy myself that those warrants fully meet the criteria of RIPA, that proper procedures have been followed and that the relevant safeguards and Codes of Practice have been followed. During each visit I review each of the files and the supporting documents and discuss the cases with the officers concerned. I can, if I need to, view the product of interception. It is of paramount importance to ensure that the facts justified the use of interception in each case and that those concerned with interception fully understand the safeguards and the Codes of Practice...

During 2008, I visited a total of nine communication service providers (CSPs) and internet service providers (ISPs) consisting of the Royal Mail and the communications companies who are most engaged in interception work. These visits, mostly outside London, are not formal inspections but are designed to enable me to meet both senior staff in each company as well as the personnel who carry out the work on the ground, and for them to meet and talk to me. I have no doubt that the staff in the CSPs and ISPs welcome these visits. We discussed the work that they do, the safeguards that are in place, any errors that have occurred, any legal or other issues which are of concern to them, and their relationships with the intercepting agencies...

Fifty errors and breaches [in relation to interceptions] have been reported to me during the course of 2008. This is a marked increase when compared with the total of 24 errors and breaches reported in my last Annual Report. I consider the number of errors to be too high. By way of example, details of some of these errors are recorded below...
That report gives a similar level of detail in relation to communications data issues. Here's an example:
the police took swift action when information from a reliable source suggested that a number of very young children were at immediate risk of falling into the hands of a paedophile ring. Subscriber information relating to an Internet Protocol (IP) Address was obtained in order to locate an address for the children but unfortunately it would appear this was not correct. The police entered the address and arrested a person who was completely innocent and further enquiries are continuing. This was a very unfortunate error and the whole process of obtaining data relating to IP addresses has been re-examined. In this case there was confusion between the Internet Service Provider and the public authority over how the data should be interpreted, particularly in relation to the critical international time zones. Better checks and balances have been put in place to help clarify the process, which includes liaison with the SPoC trainers and these should help to prevent similar errors in the future.
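As an added illustration of the time-zone error described in that excerpt (this code is not part of the Commissioner's report or of this post), the following Python lookup over a constructed ISP session log shows how the same wall-clock time resolves to different subscribers depending on the UTC offset assumed, and why a request whose timestamp carries no offset should be refused rather than guessed at. The subscriber IDs, addresses and times are all made up.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address
from typing import List, Optional

# Constructed ISP session log (hypothetical data, not from any real provider).
# Each row records which subscriber held a dynamically assigned IP address
# over the half-open interval [start, end). The ISP stores times in UTC.
SESSION_LOG = [
    # (subscriber_id, ip, start_utc, end_utc)
    ("SUB-1001", "203.0.113.45", "2008-06-10T13:00:00+00:00", "2008-06-10T13:58:00+00:00"),
    ("SUB-2002", "203.0.113.45", "2008-06-10T14:00:00+00:00", "2008-06-10T16:30:00+00:00"),
    ("SUB-3003", "203.0.113.46", "2008-06-10T13:00:00+00:00", "2008-06-10T17:00:00+00:00"),
]


@dataclass(frozen=True)
class Session:
    subscriber_id: str
    ip: str
    start: datetime  # aware, UTC
    end: datetime    # aware, UTC


def load_sessions(rows) -> List[Session]:
    """Parse the log, insisting that every timestamp carries an explicit offset."""
    sessions = []
    for sub, ip, start, end in rows:
        s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
        if s.tzinfo is None or e.tzinfo is None:
            raise ValueError(f"session for {sub} has a timestamp without an offset")
        sessions.append(Session(sub, str(ip_address(ip)),
                                s.astimezone(timezone.utc), e.astimezone(timezone.utc)))
    return sessions


def subscriber_at(sessions: List[Session], ip: str, when: datetime) -> Optional[str]:
    """Return the subscriber holding `ip` at the instant `when`, or None.

    `when` must be timezone-aware. A naive timestamp is ambiguous (is it UTC,
    local time, the requesting force's local time, or the complainant's?) and
    is rejected instead of being silently interpreted one way or the other.
    """
    if when.tzinfo is None or when.utcoffset() is None:
        raise ValueError("timestamp must carry an explicit UTC offset")
    ip = str(ip_address(ip))  # normalise, and reject malformed addresses
    instant = when.astimezone(timezone.utc)
    matches = [s.subscriber_id for s in sessions
               if s.ip == ip and s.start <= instant < s.end]
    if len(matches) > 1:
        raise ValueError("overlapping sessions for one address; log is inconsistent")
    return matches[0] if matches else None


SESSIONS = load_sessions(SESSION_LOG)


def resolve_request(ip: str, iso_timestamp: str, sessions=SESSIONS) -> Optional[str]:
    """Resolve a data request as a SPoC would receive it: an address plus a
    timestamp string. Only an ISO 8601 string with an offset is accepted."""
    return subscriber_at(sessions, ip, datetime.fromisoformat(iso_timestamp))


if __name__ == "__main__":
    # The complainant's system logged "14:30 on 10 June 2008" in Irish Summer
    # Time (UTC+1). Read correctly, that is 13:30 UTC and points at SUB-1001.
    print(resolve_request("203.0.113.45", "2008-06-10T14:30:00+01:00"))
    # Read as if it were already UTC, the same clock reading lands in the next
    # subscriber's session: a different, innocent customer.
    print(resolve_request("203.0.113.45", "2008-06-10T14:30:00+00:00"))
```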
The second recent document from the UK is the Report of the Chief Surveillance Commissioner for 2008/2009. This report covers some of the same areas where the Designated Judge now has responsibilities, particularly in relation to the planting of covert bugs and video surveillance. Again the level of review is quite detailed:
Common causes of error
The areas that have received the most criticism on inspection – and this applies equally to all types of public authority – in this reporting period are:
(a) a continuing failure on the part of Authorising Officers properly to demonstrate that less intrusive methods have been considered and why they have been discounted in favour of the tactic selected;
(b) the continuing preference to interpret private information as limited to biographical data rather than recognise the wider meaning decided by the European Court of Human Rights. A specific act of surveillance may not be intrusive but a combination of acts may enable the construction of a profile; this requires careful consideration when judging whether an individual’s private life is subject to interference;
(c) the failure of Authorising Officers, when cancelling authorisations, to give directions for the management and storage of the product of the surveillance;
(d) the continuing confusion with regard to the need for authorisation when surveillance equipment (such as CCTV) is focused on an individual in a public place. It is not where the CCTV is placed (which may be overt or covert) but the manner in which the camera is used that is determinative of whether the surveillance is covert;
(e) Authorising Officers not knowing the capability of the surveillance equipment which they are authorising. For instance, there are differences between video cameras that record continuously and those activated by motion; and between thermal image and infra-red capability. These differences may have an important bearing on how a surveillance operation is conducted and the breadth of the authorisation being granted. Therefore, a simple authorisation for ‘cameras’ is usually insufficient;
(f) poor internal audit by senior management. The Central Record of Authorisations is often in a form not conducive to quick review or status check. Sometimes it is apparent that there has been no meaningful internal audit between OSC inspections; and
(g) those conducting covert surveillance basing their activity on what was requested rather than on what was specifically authorised. R v Sutherland underpins the importance of briefing those conducting the surveillance beforehand on the specific authorisation.
The significance of these reports lies not so much in the specifics, but in the fact that they illustrate a more effective form of regulating surveillance. The Irish model - in which oversight is minimal and given as a part-time duty to a busy judge - seems increasingly unsustainable in comparison.

Friday, August 07, 2009

Eircom briefing note on "three strikes" filesharing settlement leaked

I've just stumbled on a document on Scribd which purports to be a "Briefing Note on arrangement between Eircom and the Irish Recorded Music Association (IRMA) with regard to Copyright Infringement" dating from March. While there's no indication as to who posted the document or whether it is authentic, it certainly appears to be genuine and to reflect Eircom's position. There are some very interesting details in the document as to how Eircom proposes to implement "three strikes", and here's an excerpt:
Under the draft protocol, the notification shall include the following information (at a minimum):
* details of copyright holder (name and address);
* why the notification is being sent (i.e. setting out the breach of copyright);
* the actual copyright work that has been infringed (information on copyright material, for example artist, song, title and album title);
* the IP address;
* the time stamp of when the investigation was initiated;
* the time stamp of when the investigation was completed, the peer to peer application/software used by the customer;
* and, the digital fingerprint/hash for copyright material detected;

The last item, the digital fingerprint/hash of the copyright material detected, allows eircom to verify that the copyright work identified by the record companies is in fact owned by them.

In addition, the information which will be provided by the record companies will be of the same type as that used in the three previous disclosure actions in the Irish High Court involving the parties and eircom will not act upon a notification from the record companies that does not contain the information set out above.

eircom has also requested that the record companies provide independent certification that the notification has been lawfully obtained by and on behalf of the record companies.

The record companies are also to provide reputable annual independent certification that the necessary legal, I.T., entity level and regulatory controls relating to the obtaining, generating and processing of data by Detecnet (or any other supplier engaged by the record companies) have been complied with.
Full text.

Update (19.08.09): Torrentfreak and SiliconRepublic have since run stories about this document.

Thursday, August 06, 2009

Locational Privacy

The EFF have published an excellent short report on locational privacy (pdf) which highlights the threats posed by data retention and other technological developments. Here's an excerpt:
What is locational privacy?

Locational privacy (also known as “location privacy”) is the ability of an individual to move in public space with the expectation that under normal circumstances their location will not be systematically and secretly recorded for later use. The systems discussed above have the potential to strip away locational privacy from individuals, making it possible for others to ask (and answer) the following sorts of questions by consulting the location databases:

• Did you go to an anti-war rally on Tuesday?
• A small meeting to plan the rally the week before?
• At the house of one “Bob Jackson”?
• Did you walk into an abortion clinic?
• Did you see an AIDS counselor?
• Have you been checking into a motel at lunchtimes?
• Why was your secretary with you?
• Did you skip lunch to pitch a new invention to a VC? Which one?
• Were you the person who anonymously tipped off safety regulators about the rusty machines?
• Did you and your VP for sales meet with ACME Ltd on Monday?
• Which church do you attend? Which mosque? Which gay bars?
• Who is my ex-girlfriend going to dinner with?

Of course, when you leave your home you sacrifice some privacy. Someone might see you enter the clinic on Market Street, or notice that you and your secretary left the Hilton Gardens Inn together. Furthermore, in the world of ten years ago, all of this information could be obtained by people who didn’t like you or didn’t trust you.

But obtaining this information used to be expensive. Your enemies could hire a guy in a trenchcoat to follow you around, but they had to pay him. Moreover, it was hard to keep the surveillance secret — you had a good chance of noticing your tail ducking into an alley.

In the world of today and tomorrow, this information is quietly collected by ubiquitous devices and applications, and available for analysis to many parties who can query, buy or subpoena it. Or pay a hacker to steal a copy of everyone’s location history.

It is this transformation to a regime in which information about your location is collected pervasively, silently, and cheaply that we’re worried about.
(via Mathias Klang)

Tuesday, July 28, 2009

Sutherland Institute v. Continuative: Is it time to take the U out of UDRP?

OUT-LAW has a good report of the WIPO panel decision in Sutherland Institute v. Continuative LLC - a decision which by focusing on the location of the parties makes me wonder whether it's misleading to describe the UDRP as a "Uniform" Dispute Resolution Policy.

On the face of it this was a relatively straightforward case. The complainant was a right wing Utah think tank hosted at SutherlandInstitute.org, while the respondent set up a parody site at SutherlandInstitute.com. A screengrab of a portion of both pages shows the difference:

Despite the fact that the respondent did not defend the proceedings, the panelist found in their favour, holding that it had not been established that they had registered and used the domain "in bad faith" as required by the UDRP. This isn't of itself a surprising outcome, but it's the reasoning underpinning this conclusion which I find interesting. The key passage is this:
Because this proceeding involves political speech that is strongly protected under the U.S. Constitution, the Panel will not in these proceedings involving two U.S. parties attempt to identify bad faith elements that are not specifically enumerated in the Policy. If the right of political speech is to be interfered with based upon Complainant’s service mark incorporated in Respondent’s disputed domain name, it is preferable that a federal or state court make that application of the concept of “bad faith”.
This passage relies on the fact that the parties are both US based to apply US law. As such it takes advantage of rule 15(a) of the UDRP which gives a panel a remarkably wide discretion to decide claims based on "any rules and principles of law that it deems applicable". This has often been used by panelists to apply domestic rules of law where the parties are both from the same jurisdiction - to the extent that the Berkman Center's excellent Analysis of UDRP Issues assumes this to be the norm. Indeed, this practice is supported by paragraph 176 of the WIPO Final Report which led up to the adoption of the UDRP, which states:
In applying the definition of abusive registration given above in the administrative procedure, the panel of decision-makers appointed in the procedure shall, to the extent necessary, make reference to the law or rules of law that it determines to be applicable in view of the circumstances of the case. Thus, for example, if the parties to the procedure were resident in one country, the domain name was registered through a registrar in that country and the evidence of the bad faith registration and use of the domain name related to activity in the same country, it would be appropriate for the decision-maker to refer to the law of the country concerned in applying the definition.
Against this, however, is a strong body of opinion which argues that national law should not be imported into the UDRP - that to do so will lead to a lack of uniformity and to inconsistent outcomes. For example, in McMullan Bros & Maxol v. Web Names, the panelist ruled that:
5.10 Paragraph 15(a) of the Rules requires a Panel to make its decision "in accordance with the Policy, these Rules and any rules and principles of law that it deems applicable." This might justify applying the without prejudice doctrine in this case, but the Panel is unconvinced. The Policy provides an international procedure for international application by a panel comprising panelists who may come from a jurisdiction unconnected with either party. To import a national rule simply because both parties come from the same jurisdiction may result in similar cases being decided in a different manner dependent upon geographical accident. This is a conclusion that this Panel finds inherently unattractive. At times resort to national law may be unavoidable (for example when determining the existence of a trademark recognised by the Policy), but the Panel sees no reason for doing so in this case.
Similarly Wotherspoon & Cameron argue that:
The UDRP was developed by reference to the status of national laws and international treaties. In our view, it already reflects a somewhat harmonized version of these laws. The practice of referring to territorial laws undermines a central purpose of the UDRP — to provide a uniform mechanism for resolution of domain name disputes in the face of the borderless nature of the Internet. By continuing to refer to national laws, Panels will reinforce jurisdiction specific intellectual property rights and undermine the goal of a global uniformity in resolving domain name disputes.
This clash of views highlights an unresolved tension within the UDRP as to how to deal with choice of law issues. There is an obvious attraction in the use of national law where a matter is very closely connected with one jurisdiction. But doing so - even if permitted by the UDRP - does run the risk of eroding its "uniform" nature. Also, this growing practice adds an extra layer of complexity to UDRP proceedings - forcing parties to address choice of law issues as well as the substance of any claim - and may also result in registrants and trademark holders gaming the system by choosing to establish themselves in the jurisdictions which they see as most friendly to their side.

Gerald Levine has more, including an interesting discussion of an alternative choice of law approach under the UDRP.

Friday, July 17, 2009

Bill published to transfer RegTel premium rate functions to Comreg

I've posted before (1|2) about some of the problems in regulation of premium rate services in Ireland and in particular the difficulties presented by the role of RegTel, the non-statutory industry regulatory body, due to its lack of legislative powers. (More on RegTel from Daithi | Eoin.) As noted in those posts, the Minister for Communications some time ago committed himself to introducing legislation which would transfer RegTel's functions to ComReg.

That legislation has now emerged, in the form of the Communications Regulation (Premium Rate Services) Bill 2009. According to the explanatory memorandum, the purpose of the Bill is to provide for:
• the transfer of the function of regulating premium rate services to the Commission for Communications Regulation, hereinafter called the Commission.
• the licensing of premium rate services by the Commission.
• offences, penalties and rights of appeal in relation to the regulation of premium rate services.
• the funding of expenses incurred by the Commission in exercise of its regulatory functions.
• the transfer of staff and responsibility for certain legal proceedings, respectively, from Regtel to the Commission.
• compliance by the Commission with the same obligations in relation to Ministerial directions, reporting and accountability responsibilities in respect of premium rate services as it has in respect of electronic communications and postal services.
Key elements here are the introduction of a licence to provide premium rate services and the creation of a range of criminal offences, including acting without a licence, overcharging, and charging for services which were not requested.

More from the Irish Times | Siliconrepublic.

(I'm a bit late blogging this story - I lost sight of this Bill in the flurry of legislative activity during the run up to the summer vacation, particularly the rushing through of the Criminal Justice (Surveillance) Act 2009 and the introduction of the Communications (Retention of Data) Bill 2009. More on these anon.)

Wednesday, July 08, 2009

Eircom hacking shows flaws in Irish computer crime law

Today's Irish Times has a report of an apparent denial of service attack against Eircom:
Many of Eircom’s 500,000 internet subscribers have been left offline or experienced delays in web browsing at times this week because of a suspected attack by hackers.

Some customers who tried to connect to popular sites such as RTÉ, Facebook or Bebo were redirected to incorrect websites, often displaying images of advertising or scantily clad women.

The company blamed the problems on “an unusual and irregular volume of internet traffic” directed at its website, which affected the systems and servers that provide access to the internet for its customers.

Internet discussion groups speculated that the problems were caused by a hacker accessing Eircom’s domain name server (DNS) system through a denial-of-service attack.

This involves a target site being saturated with messages and requests to the point it can no longer function properly.
I've said it before but it's worth repeating: Irish law does not adequately deal with computer crime at the moment (with denial of service attacks being one of many areas left without adequate sanctions) and legislation to implement the Cybercrime Convention and the Framework Decision on Attacks Against Information Systems is now long overdue.

Here's an excerpt from a chapter I wrote in Reich (ed.), Cybercrime and Security discussing the uncertain Irish law on denial of service attacks:
Whether or not such an attack would amount to an offence under Irish law will vary depending on the precise structure of the attack.

For example, suppose that A sets out to harm B by sending several million emails to B’s server. The effect is not only to use up B’s bandwidth but also to use his disk capacity. In this case, it might be possible to charge A with criminal damage under section 2 of the Criminal Damage Act 1991, on the basis that A has damaged B’s data within the meaning of section 1 by adding to it without lawful excuse.

This result is supported by the English decision in DPP v. Lennon. In that case the defendant was a 16 year old who took umbrage at the circumstances of his dismissal and sent five million emails to his former employer with the expressed intention of “causing a bit of a mess up”. He was charged with unauthorised modification to a computer system with intent to impair the operation of the computer, contrary to section 3(1) of the Computer Misuse Act 1990 (the equivalent provision to section 2 of the Criminal Damage Act 1991). His defence was that the company had implicitly consented to receiving emails and as such he had not made unauthorised modifications. Although the trial judge accepted this argument, on appeal the Divisional Court held that any implied consent did not extend to emails sent for the purpose of disrupting the system. Per Jack J.:
“I agree, and it is not in dispute, that the owner of a computer which is able to receive emails is ordinarily to be taken as consenting to the sending of emails to the computer. His consent is to be implied from his conduct in relation to the computer. Some analogy can be drawn with consent by a householder to members of the public to walk up the path to his door when they have a legitimate reason for doing so, and also with the use of a private letter box. But that implied consent given by a computer owner is not without limit. The point can be illustrated by the same analogies. The householder does not consent to a burglar coming up his path. Nor does he consent to having his letter box choked with rubbish. That second example seems to me to be very much to the point here. I do not think that it is necessary for the decision in this case to try to define the limits of the consent which a computer owner impliedly gives to the sending of emails. It is enough to say that it plainly does not cover emails which are not sent for the purpose of communication with the owner, but are sent for the purpose of interrupting the proper operation and use of his system.”
However, if the facts of a denial of service attack are varied slightly then criminal damage may no longer be an appropriate charge. Suppose for example that C sets out to hinder access to D’s publicly available website, and does so by programming several computers to repeatedly download large pages from the site. The result is to use up D’s bandwidth and ensure that other users cannot get through to the site, though the server itself continues to function. What crime, if any, has been committed?

In this case C would not have damaged D’s data (assuming that C downloaded data only and did not make any modifications to the data on the server). It might be argued that C has committed criminal damage to the server itself given the extended definition of “damage” under section 1, which includes situations where a person “whether temporarily or otherwise, render[s] inoperable or unfit for use or prevent[s] or impair[s] the operation of” property.

Such a charge would, however, present some difficulties. It might be successful if the effect of a denial of service attack was to cause the server to crash – that temporary inoperability would certainly seem to constitute damage within the meaning of section 1. In the hypothetical above, however, C has not rendered the server inoperable but merely inaccessible – which would seem to fall outside the scope of the criminal damage offence.

On the other hand, using the reasoning in DPP v. Lennon it might be possible to characterise the attack as unauthorised access contrary to section 5 of the Criminal Damage Act 1991. The argument could be made that while public websites carry with them an implied permission to access the site, this permission does not (to use the words of Jack J.) cover visits which are made "for the purpose of interrupting the proper operation and use of [the] system", so that such a visit would constitute operation of the server with intent to access data without lawful excuse.