Friday, December 17, 2010

Firms hampered by failure to keep law up to date with internet age

I have an opinion piece in today's Irish Times arguing that the Taoiseach's recent comments about reform of copyright law create an opportunity for wider reform. Unfortunately, the Irish Times doesn't allow inline links, so here's a version with relevant links included:
Firms hampered by failure to keep law up to date with internet age

Much of the Irish law governing the internet is archaic, restrictive and hampers growth, writes TJ McIntyre

IN A speech this week, the Taoiseach announced support for a review of European and Irish copyright law, stating “it is time to review our copyright legislation, and examine the balance between the rights holder and the consumer, to ensure that our innovative companies operating in the digital environment are not disadvantaged against competitors”.

This is a welcome development for the Irish internet industry, which has argued for some time that copyright reform would be desirable.

It follows a seminar last month, hosted by Digital Rights Ireland, Google and the Institute of International and European Affairs, where speakers from businesses such as, UPC and Google pointed out the practical problems copyright laws can create.

In particular, one of the reasons why the US has been so successful at encouraging internet innovation is that US copyright law includes a doctrine known as fair use. This permits the use of portions of a copyrighted work so long as the normal economic exploitation of the work is not undermined.

Irish law, by comparison, has no equivalent to the flexible doctrine of fair use.

Instead, there is a finite and restrictive list of exceptions to copyright, hampering the ability of Irish businesses to develop new forms of internet services.

Reform of the law – if it addresses this and similar issues – will help promote the growth of new businesses in this area and avoid the loss of jobs to more internet-friendly jurisdictions, such as the US.

However, this is not a uniquely Irish development. It follows action at European Union level and in other countries such as Britain. Last month, David Cameron said UK copyright laws were out of date and needed to be reviewed to “make them fit for the internet age”.

The Irish Government will have to move quickly to avoid falling behind Britain and other European bodies that have taken the initiative in this area.

It will also be important that copyright not be considered in isolation, as it is just one of a number of areas where Irish businesses have been hampered by a failure to keep the law up to date with the internet.

After a flurry of activity leading up to the Electronic Commerce Act 2000, there has been relatively little reform since.

Consequently, much of the Irish law governing the internet is now a decade old – an eternity in the online world – and is no longer suited for current conditions.

One of the most important areas in need of reform is defamation. A significant risk faced by Irish internet companies is that of being sued for what users say. Under the law as it stands, businesses such as online forums, auction sites and even search engines face a real likelihood of legal action being brought against them, even though they were in no way responsible for what was said and behaved reasonably.

European law does recognise the injustice of this, and provides some protection for these intermediaries. Ireland, however, has adopted a very limited implementation of this European law, so Irish online businesses are much more exposed than those in other jurisdictions.

Remarkably the Defamation Act 2009 ignored proposals for reform of the law in this area.

If the Taoiseach is to succeed in his stated aim of ensuring that Irish businesses are not disadvantaged against competitors, then it will be important to tackle online defamation also.

Wednesday, November 24, 2010

EU Internal Security Strategy Published

The Commission has just published an internal security strategy document setting out a four year plan for European level action on the issues of "fighting and preventing serious and organised crime, terrorism and cybercrime, strengthening the management of our external borders and building resilience to natural and man-made disasters."

While the entire plan is likely to be controversial (and the sections on border control have already been criticised), I'd like to focus on the section on cybercrime and to offer a few thoughts:
Action 1: Build capacity in law enforcement and the judiciary

By 2013, the EU will establish, within existing structures, a cybercrime centre, through which Member States and EU institutions will be able to build operational and analytical capacity for investigations and cooperation with international partners. The centre will improve evaluation and monitoring of existing preventive and investigative measures, support the development of training and awareness-raising for law enforcement and judiciary, establish cooperation with the European Network and Information Security Agency (ENISA) and interface with a network of national/governmental Computer Emergency Response Teams (CERTs). The cybercrime centre should become the focal point in Europe's fight against cybercrime.

At national level, Member States should ensure common standards among police, judges, prosecutors and forensic investigators in investigating and prosecuting cybercrime offences. In liaison with Eurojust, CEPOL and Europol, Member States are encouraged by 2013 to develop their national cybercrime awareness and training capabilities, and set up centres of excellence at national level or in partnership with other Member States. These centres should work closely with academia and industry.
The recommendations for action at EU level are welcome, but unfortunately Ireland has a long way to go to meet the recommendations for action at national level. I've written about the failings in the Irish response to cybercrime recently in the Sunday Business Post.
Action 2: Work with industry to empower and protect citizens

All Member States should ensure that people can easily report cybercrime incidents. This information, once evaluated, would feed into national and, if appropriate, the European cybercrime alert platform. Building on the valuable work under the Safer Internet Programme, Member States should also ensure that citizens have easy access to guidance on cyber threats and the basic precautions that need to be taken. This guidance should include how people can protect their privacy online, detect and report grooming, equip their computers with basic anti-virus software and firewalls, manage passwords, and detect phishing, pharming, or other attacks. The Commission will in 2013 set up a real-time central pool of shared resources and best practices among Member States and the industry.

Cooperation between the public and private sector must also be strengthened on a European level through the European Public-Private Partnership for Resilience (EP3R). It should further develop innovative measures and instruments to improve security, including that of critical infrastructure, and resilience of network and information infrastructure. EP3R should also engage with international partners to strengthen the global risk management of IT networks.

The handling of illegal internet content – including incitement to terrorism – should be tackled through guidelines on cooperation, based on authorised notice and take-down procedures, which the Commission intends to develop with internet service providers, law enforcement authorities and non-profit organisations by 2011. To encourage contact and interaction between these stakeholders, the Commission will promote the use of an internet based platform called the Contact Initiative against Cybercrime for Industry and Law Enforcement.
Much of this is uncontentious, but the references to handling illegal internet content require careful scrutiny. The "guidelines on cooperation" and "notice and takedown procedures" reflect a worrying trend at EU level towards bringing about internet censorship by means of self-regulation. The result is that decisions about legality are being made in a way which doesn't have a legislative basis and excludes judicial oversight. This trend can already be seen in relation to internet filtering but this strategy, if implemented, would seem to extend it significantly further. It is hard to see how this proposal could be compatible with Article 10 of the European Convention on Fundamental Rights.
Action 3: Improve capability for dealing with cyber attacks

A number of steps must be taken to improve prevention, detection and fast reaction in the event of cyber attacks or cyber disruption. Firstly, every Member State, and the EU institutions themselves should have, by 2012, a well-functioning CERT. It is important that, once they are set up, all CERTs and law enforcement authorities cooperate in prevention and response. Secondly, Member States should network together their national/governmental CERTs by 2012 to enhance Europe's preparedness. This activity will also be instrumental in developing, with the support of the Commission and ENISA, a European Information Sharing and Alert System (EISAS) to the wider public by 2013 and in establishing a network of contact points between relevant bodies and Member States. Thirdly, Member States together with ENISA should develop national contingency plans and undertake regular national and European exercises in incident response and disaster recovery. Overall, ENISA will provide support to these actions with the aim of raising standards of CERTs in Europe.
The Irish CERT body (IRISS) does not have any state funding at present - will this recommendation encourage the Irish government to provide funding?

Wednesday, November 17, 2010

Legal issues for mobile marketing

Peppe Santoro of Eversheds O'Donnell Sweeney has just placed a very comprehensive and useful presentation on this topic on Slideshare:
Strongly recommended.

Friday, November 12, 2010

More developments on defence access to breathalyser source code

I've blogged before about whether a defendant in a drink driving charge is entitled to examine the source code to the breath testing machine, and there's been a High Court decision on this point since then, but this issue has recently cropped up yet again in the form of an interesting decision of the Information Commissioner.

In Case 080260 - Mr. W & The Medical Bureau of Road Safety (MBRS) the applicant sought to use a FOI request to the Medical Bureau of Road Safety to obtain (amongst other things) the source code relating to a "Lion Intoxilyzer 6000 IRL". The decision of the Information Commissioner addressed a number of important issues - including whether FOI could be used to "provide a parallel system whereby the defence could obtain what is in effect disclosure in a criminal case" - but in relation to the source code the Commissioner had this to say:
It is my understanding that the term "source code" refers to high level code, the disclosure of which would allow the development of competing products. I therefore accept that the source code at issue in this case qualifies as a trade secret within the meaning of section 27(1)(a) of the FOI Act. I also consider that, on balance, the public interest would not favour release, particularly if the testing, maintenance and repair records are made available. As Ms. Campbell stated, court procedures must be considered adequate to ensure the fairness of any criminal proceedings under the Road Traffic Acts.

I also accept that a duty of confidence would be owed to Lion Laboratories in the circumstances. Moreover, I note that evidence was submitted in the case stated by Judge Mary Devins in DPP v. O'Malley [2008] IEHC 117 to show that the MBRS is contractually prohibited from disclosing the source code to any third party. In the circumstances, I am satisfied that the source code is exempt under section 26(1)(b) as well as section 27(1)(a) of the FOI Act.
While this may be the correct result in the context of FOI, when taken together with the decision in DPP v. O'Malley it seems to leave defendants in drink driving cases with no effective means of challenging the inner workings of the machines used to convict them, and may potentially lead to an injustice. As a fundamental principle of law, if a person is to be convicted based on the "testimony" of a machine then that person should have the right to challenge the process by which the machine generates that "testimony" - something which may require inspection of the source code. As things stand however it seems that there's no route in Irish law for that to be done.

Wednesday, November 10, 2010

Advertising standards, the internet and "ghost and entity removal"

There was some publicity recently about the fact that the UK Advertising Standards Authority is to extend its remit to cover online advertising also. Surprisingly, however, there appeared to be very little awareness of the fact that the Advertising Standards Authority of Ireland has explicitly covered internet advertising since 2001. (Rather than 2009, as the Sunday Business Post suggested.)

To honour this long record of regulating internet advertising, I thought I'd share a recent ASAI decision on internet advertising- one which considered amongst other things "Shamanic Healing", "Angel Therapy" and - best of all - "Ghost and Entity Removal". The complaint related to an Irish website Seventh Heaven Healing and the variety of "spiritual" services it offered. According to the decision, "the complainant challenged all the claims in relation to distant healing and medical advice from the spirit world. He questioned the ability to arrange for divine intervention and requested that proof be provided for all claims."

Perhaps unsurprisingly, the ASAI wasn't persuaded by the website owner's claims that she could not prove her "claims on healing an individual without disclosing personal information about the people in question" and that "as a medical intuitive she uses her mediumship ability to help individuals remove energy blocks on an energetic scale". Consequently it ordered that "the advertisement must not run in its current format again".

As to how effective that ruling has been, judge for yourself at (Warning - autoplay saccharine music.) Or, if you're in a hurry, jump straight to the "Ghost and Entity Removal" page.

For a related ASAI ruling on "powerful energy over the phone" and "healing" in relation to cancer and "sick babies" see this decision.

Police access to encrypted files: Does the Anglo case show up a gap in the legislation?

According to today's Irish Independent the Anglo investigation is being held up by encrypted files:
Gardai are unable to examine more than 100 key files in their investigation into Anglo Irish Bank because former senior executives have not handed over the computer passwords.

Former Anglo staff hold passwords to about 200 documents vital to the inquiries being carried out jointly by the Garda Fraud Bureau and the Director of Corporate Enforcement.

The passwords for around a third of the encrypted documents have been produced so far by the bank. But Anglo admitted it has been unable up to now to secure the rest.

Among the former employees being contacted by Anglo to establish if they have knowledge of the missing passwords is its ex-chairman Sean FitzPatrick.

Gardai are using state-of-the-art technology to crack the password puzzle and are confident they will be able to gain access to all of the key documents.

But they indicated yesterday that the absence of the passwords was one of the factors which have delayed the completion of their inquiries.
In light of this story it might be worth considering the legal position governing police access to such files and whether or not the former bank officials mentioned might be compelled to assist in decrypting them.


Irish law generally doesn't require disclosure of passwords or private keys to police - see e.g. section 28 of the Electronic Commerce Act 2000. (This is in contrast to the position in the UK, where there is a wide power to order key disclosure and it is an offence to fail to disclose - see here for an example of such an order.)

However, there are specific Garda powers under the Criminal Justice (Theft and Fraud Offences) Act 2001 which are relevant. Will they apply to the facts of this particular case?

Search warrants

The first power is contained in section 48 of the Act, which deals with search warrants and provides that:
A member of the Garda Síochána acting under the authority of a warrant under this section may—

(a) operate any computer at the place which is being searched or cause any such computer to be operated by a person accompanying the member for that purpose, and
(b) require any person at that place who appears to the member to have lawful access to the information in any such computer—

(i) to give to the member any password necessary to operate it,
(ii) otherwise to enable the member to examine the information accessible by the computer in a form in which the information is visible and legible, or
(iii) to produce the information in a form in which it can be removed and in which it is, or can be made, visible and legible.
Consequently search warrants under this section can have the effect of requiring individuals to provide passwords or to decrypt information (to provide it in a "visible and legible" form). However, this power wouldn't apply in the context of the Anglo investigation insofar as it only applies to any "person at the place which is being searched". Former bank employees who are sipping brandy at home can't be required to assist in the decryption process.

Evidence orders

At first glance, the section 52 power would appear to be more promising. That section provides that:
(2) A judge of the District Court, on hearing evidence on oath given by a member of the Garda Síochána, may, if he or she is satisfied that—

(a) the Garda Síochána are investigating an offence to which this section applies,
(b) a person has possession or control of particular material or material of a particular description, and
(c) there are reasonable grounds for suspecting that the material constitutes evidence of or relating to the commission of the offence,

order that the person shall—

(i) produce the material to a member of the Garda Síochána for the member to take away, or
(ii) give such a member access to it,

either immediately or within such period as the order may specify.

(3) Where the material consists of or includes information contained in a computer, the order shall have effect as an order to produce the information, or to give access to it, in a form in which it is visible and legible and in which it can be taken away.
As with the section 48 power, this includes a power to require a person to decrypt information (though not to require a person to provide a password or key). Again, however, it wouldn't seem to apply to former bank officials. The order to produce and/or decrypt evidential material applies where a person has certain material in their "possession or control". This wouldn't seem to stretch to the situation where the material - the file - is located on bank premises and as such isn't in the possession or control of the former bank official.

Other statutory powers?

Sections 48 and 52 of the 2001 Act are not the only statutory powers to provide for passwords to be handed over or information to be decrypted. Similar powers are contained in section 16 of the Proceeds of Crime Act 1996 (as amended by the Proceeds of Crime (Amendment) Act 2005) and several other pieces of legislation. However, these powers all appear to be modelled on the 2001 Act and consequently would fall foul of the same problems if applied to a person who is not at the scene or does not have possession or control of the material in question.


If this analysis is correct then there would seem to be a gap in the 2001 Act powers to require decryption - while a person can be compelled to decrypt material so long as they remain in employment in a particular organisation it would seem that once they leave then they are no longer subject to these powers.

Tuesday, November 09, 2010

Are Norwich Pharmacal orders compatible with the Data Retention Directive?

Interesting news from Sweden, where a court has made a preliminary reference to the ECJ which calls into question the use of information held under the Data Retention Directive to identify users accused of copyright infringement. According to a report in Intellectual Asset Management:
The request for a preliminary ruling was made by the Supreme Court in a copyright litigation case between five audiobook publishers, and Perfect Communication AB, an ISP. Before the case reached the Supreme Court, the audiobook companies had requested the district court to order Perfect Communication to reveal information regarding the name and address of the registered user of a certain IP address, who was suspected of infringing copyrights in a large number of popular audiobooks...

On 25th August 2010 the Supreme Court requested a preliminary ruling from the ECJ on two questions:

* Whether the Data Retention Directive prevents the application of a national rule based on the EU IP Rights Enforcement Directive (2004/48/EC), which provides that an ISP in a civil case can be ordered to provide a copyright owner or a rights holder with information on which subscriber holds a specific IP address assigned by the ISP, from which address the infringement is alleged to have taken place.
* Whether the answer to the first question is affected by the fact that the state has not yet implemented the Data Retention Directive, although the deadline for implementation has passed.
While the full text of the reference isn't available, the ISP's case seems to be based on the interaction between the ePrivacy Directive and the Data Retention Directive. In particular it appears to argue that data stored under the Data Retention Directive should only be made available to national authorities for the purposes of that Directive - not for other, unrelated purposes (such as civil actions against filesharing). If successful, the implications would be far reaching and would at the very least require the Irish and UK courts to revisit cases such as EMI v. Eircom which deal with Norwich Pharmacal orders identifying internet users.

(My thanks to Niall Handy for pointing out this case.)

Monday, October 11, 2010

EMI v. UPC - Full judgment now available

It's been a busy few days for copyright law in Ireland. First the important decision in Koger v. HWM, and now the landmark decision in EMI v. UPC (RTÉ | Irish Times), which derailed music industry plans to compel ISPs to introduce "three strikes" in Ireland.

I'm still digesting the 82 pages of the judgment, but in the meantime here's the full text for your delectation:

EMI v. UPC                                                            

Tuesday, September 21, 2010

Google Transparency Report launched

The New York Times has a story today about Google's new Transparency Report. The Report - which expands on an earlier initiative - tracks government intervention on the internet and shares internal data from Google in three broad categories:

* Government inquiries for information about users;
* Government requests to remove content (both hosted content and search results); and
* Traffic flows.

In each case the data is broken down by country. In relation to the UK, for example, the map shows that for the period January-June 2010 there were:

1343 data requests
48 removal requests, for a total of 232 items; and
62.5% of removal requests were fully or partially complied with

o 1 court order to remove content
o 1 item requested to be removed

o 3 court orders to remove content
o 32 items requested to be removed

o 1 court order to remove content
o 1 items requested to be removed

Web Search
o 8 court orders to remove content
o 144 items requested to be removed

o 6 court orders to remove content
o 29 non-court order requests to remove content
o 54 items requested to be removed
There's no data given for Ireland for the same period. This may mean one of two things - either there were no Irish requests to take down information or access user information during that period, or else (probably more likely) there were so few Irish requests that Google has chosen not to reveal the statistics. For what it's worth, during the previous six month period Google indicates that there were fewer than 10 Irish government requests to remove content, of which 50% were complied with.

The traffic flow portion of the report is new and particularly interesting - by visualising the amount of data flowing to a particular country it graphically illustrates government attempts to block access to particular sites. Here, for example, is a graph of YouTube traffic to Turkey from March 2010 onwards. The abrupt drops in traffic appear to coincide with the Turkish government's ongoing attempts to block users from viewing YouTube and other Google services.

Google must be congratulated for providing this information - along with Herdict and Chilling Effects (which is also supported by Google) the information provided will be invaluable in tracking attempts to control the flow of information on the net. However, as Lilian Edwards and Christopher Soghoian have pointed out this is still only a start - greater detail as to the types of content being targeted and the legal basis for requests is necessary to make sense of the raw numbers. Perhaps in the next revision?

Friday, September 10, 2010

Monitoring online radicalisation

I was at the fascinating Terrorism and New Media conference in DCU yesterday taking part in a panel discussion "Monitoring the Internet for Violent Radicalisation: Ethical and Legal Issues", along with Mina al Lami (LSE), Paul Durrant (ISPAI) and Sadhbh McCarthy (Centre for Irish and European Security).

The discussion was under the Chatham House Rule so I won't be putting names to views, but the other panelists and the audience had some interesting perspectives which I thought worth jotting down.

There was a definite concern that anti-terror laws (especially in the UK) may make criminals of researchers. Cases such as the recent University of Nottingham arrests have made academics increasingly nervous and uncertain as to whether they can carry out their work in a way which is compliant with the law. From a purely practical perspective (at a conference where the majority of participants were from outside Ireland) there is a fear that the contents of one's laptop might be legal in country A but not in country B.

On a related point researchers were worried as to their legal and ethical responsibilities if they find material which might provide evidence of a crime or indications that a crime might be committed in the future. For Irish researchers section 9 of the Offences Against the State Act 1998 presents particular problems, making failure to volunteer certain information to Gardaí punishable by up to five years' imprisonment unless the researcher has a "reasonable excuse" for that failure. There seems to be a relatively low level of awareness of this and other reporting obligations.

The source material for studies in this area - jihadi forums, bulletin boards, chatrooms, etc. also presented difficulties for researchers. What ethical standards apply to the use of material deliberately published for a global audience? Does it matter whether individuals have used their real name or a pseudonym? Does it matter whether material is on an open forum or requires registration? Are researchers justified in deceit as to their identity or institutional affiliation in signing up to these forums? While there has been a good deal written on these issues (well summarised here) it seemed that these points still trouble researchers.

Finally, there was a substantial consensus that existing EU practice doesn't provide adequate ethical review of research in this area. When funding decisions are being made, there is a narrow focus on legality - asking "will researchers be breaking the law?" - rather than on wider ethical questions such as "is it desirable to develop particular tools of censorship or mass surveillance?" The INDECT project was cited as a prime example of inadequate ethical review, which (perhaps not surprisingly) has led to widespread media criticism.

Tuesday, August 10, 2010

Putting the "Entertainment" into Media and Entertainment Law

Ever wondered what a letter from Lindsay Lohan's lawyers would look like? Perhaps you wanted to know how Britney Spears and Kevin Federline agreed to enter into a fake marriage? Or maybe you wanted to see how contestants in American Idol sign their rights away on entering the show? If so, look no further. US law professor Eric Johnson has put together an excellent compendium of materials on media and entertainment law for his courses. Unlike traditional materials, however, his compendium includes not just the (relatively staid) decisions of the courts but also dressing room requirements, the bluff and bluster of correspondence, and more. As he explains:
I'm a strong believer in assigning readings other than judicial opinions. So my compendium includes contracts, demand letters, and various litigation pleadings. These documents are especially valuable reading in entertainment law and media law, where industry custom, intimidation tactics, creative lawyering, ignorance, bullying, and fear all combine to play a role that rivals that of the law itself.

Wednesday, July 14, 2010

Access controlled

The new book Access Controlled from the OpenNet Initiative is now available for free download to read free online. The sequel to the superb Access Denied, it describes a system of state control of the internet which is developing rapidly - from the relatively crude first generation of controls based on filtering and blocking towards a more sophisticated next-generation system which adds features such as built-in surveillance, control of users by contractual terms of use, and authority delegated to private bodies to oversee the net. As the introduction puts it:
States no longer fear pariah status by openly declaring their intent to regulate and control cyberspace. The convenient rubric of terrorism, child pornography, and cyber security has contributed to a growing expectation that states should enforce order in cyberspace, including policing unwanted content... Internet censorship is becoming a global norm.
As with Access Denied, the book is divided into two parts: opening with analytical chapters examining developments from data retention to the Global Network Initiative and followed by individual country and regional profiles. The latter are extremely useful overviews of the state of play worldwide - for me, however, the real strength of the book lies in the first six chapters in which a strong line up of authors consider international developments. Colin Maclay's chapter Protecting Privacy and Expression Online: Can the Global Network Initiative Embrace the Character of the Net? was a particular highlight, shining a light on a promising but as yet immature and relatively unexamined development.

Strongly recommended.

Friday, July 02, 2010 2009 Annual Report has just published its annual report for 2009 which makes for interesting reading. 2009 marks the 10th anniversary of the Hotline, which started operations in November 1999.

By way of background, is an industry self-regulatory body (or perhaps co-regulatory: the boundaries are fluid) run by the ISPAI using funding from members and from the European Commission. The role of the Hotline is to receive complaints from the public about illegal content online and to act as a filter for those complaints - for example, if illegal material is found to be hosted in Ireland it will be notified to the Garda Síochána and/or the ISP; if hosted abroad it will be notified to the local authorities via either the INHOPE network or the Garda Síochána. Although it deals with reports of illegal content generally the primary focus of the Hotline is on preventing the distribution of child pornography.

Key statistics from the report:
* 2117 total number of reports processed by the Hotline.
* 284 of the above were determined as illegal under Irish law.
* 9 of the 284 proved to be duplicate reports, resulting in,
* 275 unique illegal reports. Of these:
* 9 were other issues (such as racism, threats of violence against individuals and financial scams that had an Irish connection).
* 267 were assessed as child sexual abuse and were forwarded for action through INHOPE or to An Garda Síochána for national investigation or forwarding via Interpol to other jurisdictions. One of these reports was of child grooming, all others were cases of child pornography.
Although the number of complaints had increased, the number of child pornography images reported was significantly reduced:
the reports assessed as illegal under Irish law numbered 536 in 2008 compared with 284 in 2009, a very significant drop of 252. Analysis of the figures suggests that the decline reflects that the public simply do not encounter illegal content with the same frequency as in previous years. Similar observations have been reported by other INHOPE hotlines. This could be a turning point reflecting some degree of success due to the sustained worldwide effort to counter child abuse images on the Internet.
One complaint related to child pornography on the web hosted in Ireland (the first time this had been detected):
The problem of weak log-on/password security was highlighted last October when the Hotline had its first absolutely confirmed report of a child pornography website in Ireland. The Garda investigation discovered that because of weak log-on/passwords the site had been hacked by criminals based outside the jurisdiction. The CSAM had been placed in a separate directory which was not navigatable from the shop website. However, clicking on the link in the banner site which held the full URL led directly to the planted directory. This contained PHP routines which created a pay-site portal with preview images pulled in from hosts in other countries.

The UK hotline, the International Watch Foundation (IWF), received a report about a banner site advertising a wide range of different child pornography sources. One of the banners linked to an IP address in Ireland. The IWF forwarded the report to Our content analysts verified that the content was indeed illegal under Irish law and confirmed the trace. The ISP was a major data centre in Dublin but we discovered that the IP was in fact sub-leased to a web developer/small hosting service in Co. Cork who had created and maintained the website on behalf of the client, a small retail business.
The complaints, as in previous years, overwhelmingly related to images hosted on the web and via spam emails, with complaints relating to p2p and Usenet being a vanishingly small proportion of the total:

(This statistic, however, appears to reflect the passive role of the Hotline, which is limited to receiving complaints from members of the public - it has no proactive role to actively search out child pornography. Recent media coverage of Irish p2p users downloading and uploading child pornography suggests that a significant number of Irish users may be sharing child pornography via p2p but that this is not registering on the Hotline radar.)

One particularly interesting part of the report was its analysis of those countries where child pornography is most often found to be hosted. Until recently the US and Russia were generally regarded as the worst offenders in this regard - recently, however, Russia appears to have improved its enforcement somewhat. Although the US continues to head this list, there has been a striking fall in the number of child pornography websites detected there, which may suggest that US procedures for taking down these sites are becoming more effective:

Friday, June 25, 2010

Technology, privacy and domestic violence

Privacy advocacy in Ireland faces a number of challenges. Often it's met with the old canard "if you've nothing to hide you've nothing to fear" - implying that privacy is something for wrongdoers and criminals. A related problem has been a lack of wider public concern about privacy issues: while occasional issues (such as the recent series of data breaches) trigger public interest, more often issues such as data retention tend to be seen as rather esoteric and remote from people's day to day lives.

This makes a recent story on domestic violence charity Women's Aid all the more significant in showing that privacy issues should be of much wider concern:
In its annual report for 2009, to be released today, the charity has noted an increase in disclosures of women being abused, controlled and stalked through technology.

Director of the charity Margaret Martin said it was very concerned at the development.

She said callers disclosed that current or former boyfriends, husbands and partners were using many forms of technology to control, coerce and intimidate them.

Women had disclosed that home and mobile phone calls were monitored, as well as their texts. Some women also found cameras secretly installed to monitor them in their own homes.

Abusers tracked and scrutinised online use and demanded access to private e-mail and social networking accounts.

Some women said their partners and ex-partners had placed lies about them on internet sites. Others had been photographed and filmed without their consent, sometimes having sex, and the images were uploaded to the internet...

“Quite often it prevents women from seeking help as they fear their partner will see that they have rung a helpline, looked at a domestic violence website or spoken of the abuse to their friends, family or colleagues in an e-mail or text.”
This story also reflects a significant wider trend not just in online privacy but in digital rights generally - slowly but surely these rights are being recognised as important by mainstream civil society groups. For example, earlier this week in the UK the National Union of Journalists agreed to support legal challenges to the Digital Economy Act while in Europe the consumers' group BEUC recently adopted a specific strategy on consumer rights in the digital environment. This trend is important in that it promises to enlist greater support for digital rights - but presents a new challenge for digital rights groups to liaise with and educate other civil society groups.

Friday, June 18, 2010

May newspapers publish the whereabouts of released rapists? Murray v. Newsgroup Newspapers interlocutory decision handed down

The High Court (Irvine J.) today gave an interlocutory judgment in the important case of convicted rapist Michael Murray who is seeking to restrain newspapers from publishing his photograph or details of his whereabouts. The case follows extensive publicity given to him post-release (e.g.) which he claims is threatening his safety and jeopardising his rehabilitation.

Today's judgment refuses to grant an interlocutory injunction which would restrain the newspapers pending a full trial - significantly noting that there is a "public interest in being informed of the identity and whereabouts of a convicted criminal who may pose a risk to the community" (p.59). The Northern Irish decision in the similar case of Callaghan v. Independent News and Media was distinguished as involving a criminal who posed a lesser threat to the community and who faced a greater risk of being physically attacked once his identity was known.

Full text of judgment:

Murray v. Newsgroup Newspapers and others

Monday, May 17, 2010

Book review: Bound by Law

I've written a short review of the superb Bound by Law? Tales from the Public Domain for the film studies journal Scope. Here's an excerpt:
You seldom find lawyers writing comic books. It's not that we have anything against them. We're happy to litigate about them (as fans of Alan Moore's Watchmen can testify, having seen Zack Snyder's film adaptation delayed by litigation between Twentieth Century Fox and Warner Brothers). We're even sometimes their subject (just consider the central role of Harvey Dent / Two-Face in the Batman canon). But writing comic books? What might the clients think? Or the tenure committee? And how might a profession known for its verbosity cope with the tight constraints of the speech bubble?

This makes Bound by Law? a rare beast indeed – a comic book written (and drawn) by lawyers which also manages to be a clear and entertaining introduction to the legal issues faced by filmmakers in the minefield that is intellectual property law. The authors are academics at UC Davis School of Law (Aoki) and Duke University Law School (Boyle and Jenkins) with a track record of innovative research at the point where law, creativity and the public domain intersect. In this book they set out to look at the position of documentary makers and how intellectual property law constrains what they do, with a view to illustrating the wider argument that the law has become imbalanced and is in need of reform.

The focus of their work is neatly set out by this example:

A cell phone happened to ring during the filming of Marilyn Agrelo and Amy Sewell's Mad Hot Ballroom, a documentary about New York City kids in a ballroom dancing competition. The ring tone was the Rocky theme song … EMI, which owns the rights to the Rocky song asked for – guess how much? $10,000. In another scene, they were filming a foosball game and one of the players spontaneously yelled "Everybody dance now" – a line from the C&C Music Factory hit. Warner Chappell demanded $5,000 for the use of the line (14).

This demonstrates an ongoing problem for documentary film makers -- the problem of documenting the world when certain aspects of the world (music playing in the background, artwork on the walls, even trademarks appearing on products) may be off limits. This book is full of examples of situations where documentary makers have found their work stifled as a result. But how did we arrive at a situation where rights holders demand payment of large sums for transient and incidental excerpts of their works? And what should we do about it?
Full review.

Saturday, May 01, 2010

For a safer and cleaner internet

I was extremely impressed with this cynical but accurate video about EU internet blocking proposals. Enjoy:

For more, see the Cleanternet website.

Tuesday, April 27, 2010

Music Industry says "Child Pornography is Great"

”Child pornography is great,” the speaker at the podium declared enthusiastically. ”It is great because politicians understand child pornography. By playing that card, we can get them to act, and start blocking sites. And once they have done that, we can get them to start blocking file sharing sites”.

The venue was a seminar organized by the American Chamber of Commerce in Stockholm on May 27, 2007, under the title ”Sweden — A Safe Haven for Pirates?”. The speaker was Johan Schlüter from the Danish Anti-Piracy Group, a lobby organization for the music and film industry associations, like IFPI and others...

”One day we will have a giant filter that we develop in close cooperation with IFPI and MPA. We continuously monitor the child porn on the net, to show the politicians that filtering works. Child porn is an issue they understand,” Johan Schlüter said with a grin, his whole being radiating pride and enthusiasm from the podium.

And seen from the perspective of IFPI and the rest of the copyright lobby, he of course had every reason to feel both proud and enthusiastic, after the success he had had with this strategy in Denmark.

Today, the file sharing site The Pirate Bay is blocked by all major Internet service providers in Denmark. The strategy explained by Mr. Schlüter worked like clockwork.
Christian Engström MEP has more.

Sunday, March 21, 2010

Update on Eircom, IRMA and "three strikes" in Ireland

In all the excitement surrounding St. Patrick's day this week the fact that Eircom and the music industry were back in court on Tuesday didn't really receive the attention it deserves.

The background to Tuesday's hearing lies in last January's settlement under which Eircom agreed to introduce a "three strikes" system to disconnect users accused of filesharing by the music industry. Under that agreement (which has never been made public, but details of which have leaked) the record companies seem to have been required to show that they - and Eircom - would be acting in compliance with data protection law.

The Data Protection Commissioner, however, threw a spanner in the works, as summarised by the Sunday Times:
As part of the agreement, Irma said it would use piracy-tracking software to trace IP addresses, which can identify the location of an internet user, and pass this information to Eircom. The company would then use the details to identify its customer, and take action.

But the office of the Data Protection Commissioner (DPC) has indicated that using customers’ IP addresses to cut off their internet connection as a punishment for illegal downloading [presumably this should be uploading] does not constitute "fair use" of personal information. Irma and Eircom have asked the High Court to rule on whether these data-protection concerns mean the 2009 settlement cannot be enforced...

The Eircom case was reopened in the High Court last month and Judge Peter Charleton will hear submissions from both sides on March 16. The record companies asked for the DPC to be joined to the High Court action, but it refused on the basis that no one would guarantee to pay its legal costs.

Charleton will first have to decide whether an IP address constitutes "personal information" under data protection law. If it does, then data controllers are required to "get and use the data fairly". They are also required to use that data for "only one or more clearly stated purposes". The DPC does not think this includes cutting off their internet service.

"The EU telecoms directive indicated people have a fundamental right to an internet connection," said a source involved in the case. "So the judge must decide whether processing a person’s IP address to cut them off is a proportionate response to discovering they have downloaded pirated music."
Consequently, arguments on these issues were heard on Tuesday, throwing up some interesting new information. (It emerged for example that Eircom has agreed to throttle user traffic after strike two, and that Eircom will have three staff devoted to running the three strikes procedure.)

Unfortunately, that hearing seems to have been something of a case of Hamlet without the Prince. With the Data Protection Commissioner not represented, the court was hearing only from parties with a vested interest in the three strikes procedure and was deprived of an independent and impartial perspective.

I don't yet have a full transcript of the hearing, but I understand that the court was asked to rule on three broad questions:

1. Do IP addresses (in the hands of the music industry) constitute personal data?
2. Is the settlement agreement itself compatible with the Data Protection Acts?
3. If IP addresses are personal data, are they "sensitive personal data" in a context where they might reveal the commission of a criminal offence?

Other issues that arose included the fundamental rights implications of disconnecting users, whether users waived those rights by agreeing to Eircom's terms of use, and whether the Eircom/IRMA agreement was compatible with the new Telecoms Package rules on disconnecting users in relation to proportionality, necessity and procedural safeguards (including judicial review). Judgment is expected next week.

Friday, March 05, 2010

Cloud computing controversy won't clear

It seems as though the controversy caused by the Chief State Solicitor's advice about purchasing cloud computing just won't go away. John Collins has an update in today's Irish Times. Here's an excerpt:
ON A Thursday afternoon early last month an e-mail with the subject line "eTenders – Cloud Computing Warning" began to arrive in the inbox of public servants.

Sent by the National Public Procurement Operations Unit, which operates the Government’s electronic tendering website, eTenders, the brief communication said the Chief State Solicitor’s Office had advised "that issues such as data protection, confidentiality and security and liability are not necessarily dealt with in a manner that would be necessary for public-sector responsibilities" by cloud services.

The e-mail was quickly forwarded around Ireland’s technology industry. Not only are companies such as Microsoft, IBM and HP investing millions into research centres and data centres here to support the new model of delivering software and other services over the internet, but Minister for Communications Eamon Ryan last year identified cloud computing as one of six "pillars" that would drive the creation of a smart economy.

In fact, Ryan is understood to have been extremely annoyed at the message being sent out, and his advisers have moved to soothe the nerves of some of the major technology multinationals based here.

While not renowned for its technology expertise, one of the roles of the Chief State Solicitor’s Office is to review commercial agreements for public bodies before they sign them.

"They must have reviewed a contract which wasn’t up to scratch and now they have concluded all cloud contracts are like this," says Philip Nolan, a partner in legal firm Mason Hayes + Curran who specialises in technology contracts. "It’s a totally disproportionate reaction and the IT industry is recoiling in shock."

Nolan equates the advice given by the Chief State Solicitor’s Office to someone saying 12 years ago "don’t buy anything using e-commerce because it’s not secure".

Describing the e-mail as "damaging", Ed Byrne, general manager of Hosting365, a local firm that provides a platform to support cloud computing, says eTenders should have instead "outlined the questions that need to be asked before buying a cloud service".

According to Byrne, this would have included questions such as where is the service based, who is the supplier, how much money can it save and what levels of support can be expected.
Previously on this blog: 1|2

Tuesday, March 02, 2010

Ryanair v. - Full decision now available

I've just received a copy of the decision of Hanna J. in Ryanair v. and uploaded it to Scribd. At first glance it appears to represent a significant win for site owners who wish to control screenscraping, indexing and other uses of their content:

Ryanair v.                                                            

Monday, March 01, 2010

Ryanair screenscraping: Irish court accepts jurisdiction, rules on enforceability of website terms of use

You might have noticed that Ryanair has an ongoing legal campaign to stop sites from scraping its content and then reselling flights. (Blogged previously by me: 1|2|3.)

Until now, however, Ryanair found itself stymied by jurisdictional problems, and in two separate decisions the Irish High Court held that it did not have jurisdiction to hear its claims. (The first decision saw Ryanair thwarted by its own terms of use which provided for the English courts to have jurisdiction; the second involved prior Swiss proceedings which caused the Irish court to decline jurisdiction in favour of the Swiss court.)

In the most recent development in this saga, Ryanair has now amended its terms of use to provide for the exclusive jurisdiction of the Irish courts, and has succeeded in establishing jurisdiction in Dublin in an action against Billigfluege and Ticket Point. According to the Irish Times Hanna J. held as follows:
The exclusive jurisdiction clause contained in [Ryanair’s] website’s terms of use was binding on [Billigfluege and Ticket Point] in circumstances where those terms were at all times available for inspection by [Billigfluege and Ticket Point] as users of or visitors to the website, [Ryanair] having taken appropriate steps to ensure that the terms were brought to the user’s attention through their inclusion on the website via a clearly visible hyperlink.

If you use the site, you agree not to breach its terms and if you do so, the exclusive jurisdiction clause set out in the Terms of Use makes it clear that Ireland is the appropriate jurisdiction for the purposes of litigating any disputes that may arise as a result.
The full decision isn't available online yet, but from this excerpt it may be very significant indeed.

This appears to be the first time an Irish court has ruled on whether site terms of use are enforceable, and the passage quoted seems to adopt a very wide browsewrap theory whereby visitors to a website will be bound by terms of use without any positive act on their part, provided that a hyperlink to the terms is "clearly visible". I'm not entirely sure that this result is correct - as Andres Guadamuz notes in a similar context, there are issues of acceptance and consideration in these cases - and it will be interesting to read the full decision to see whether and how these issues are considered.

The potential implications of this decision are also important. If the broad approach above is followed it would appear to have the potential to eliminate screenscraping entirely, and to enable site owners to assert exclusivity over information which is not protected by copyright or database right - in effect creating a new quasi intellectual property right and upsetting the balance created by statute. (Just witness the Dublin Bikes iPhone app case.) Hopefully if this case goes to a full hearing we will see these points raised and considered in detail.

Friday, February 19, 2010

Government departments not up in the clouds

After last week's story about the Department of Finance issuing warnings about the use of cloud computing, Sean Sherlock TD followed up by asking whether the warnings stemmed from any particular incident; whether government departments are already using cloud computing; and if so what safeguards are in place. The results are interesting: the Finance warnings don't appear to be the result of any mishap in central government as not one department is yet using cloud computing. (Though the Minister for Communications, Eamon Ryan, did say that his Department is actively promoting its use.)

Thursday, February 18, 2010

Alternative routes to identifying "anonymous" online users

David Robinson and Harlan Yu have posted a superb series of posts on Freedom to Tinker (1,2,3) about tactics which might be used to identify anonymous internet posters, even in cases where IP addresses might not have been logged by the site which hosts the comment. The key insight is that sites typically embed multiple external services (such as advertising, stats counters and video hosting) which may either individually or in combination enable the identity of particular users to be pinned down:
[P]laintiffs' lawyers in online defamation suits will typically issue a sequence of two "John Doe" subpoenas to try to unmask the identity of anonymous online speakers. The first subpoena goes to the website or content provider where the allegedly defamatory remarks were posted, and the second subpoena is sent to the speaker's ISP. Both entities—the content provider and the ISP—are natural targets for civil discovery. Their logs together will often contain enough information to trace the remarks back to the speaker's real identity. But when this isn't enough to identify the speaker, the discovery process traditionally fails.

Are plaintiffs in these cases out of luck? Not if their lawyers know where else to look.

There are numerous third party web services that may hold just enough clues to reidentify the speaker, even without the help of the content provider or the ISP. The vast majority of websites today depend on third parties to deliver valuable services that would otherwise be too expensive or time-consuming to develop in-house. Services such as online advertising, content distribution and web analytics are almost always handled by specialized servers from third party businesses. As such, a third party can embed its service into a wide variety of sites across the web, allowing it to track users across all the sites where it maintains a presence.
The traceability of any given site visitor will still depend on context: the number of third party services used by the site, the popularity of each third party service across the web, the types of identifying data that these parties collect and store, whether the speaker used any online anonymity tools, and many other site-specific factors.

Despite the variability in third party tracing capabilities, the nearly simultaneous connections to a few third party services means that the results of tracing can be combined. By sleuthing through information held in third party dossiers, logs and databases, plaintiffs in John Doe lawsuits will have many more discovery options than they had ever previously imagined.
Of course, these tactics are likely to be expensive. Also, in an Irish context the uncertainty as to whether a result will be achieved may mean that a court will be less willing to grant a Norwich Pharmacal order (which is a discretionary remedy (PDF) - not something which is available as of right). But nevertheless, the research is important - particularly as it illustrates that traditional methods of ensuring online anonymity (such as TOR routing) may be vulnerable to indirect attack.

Wednesday, February 10, 2010

Banned in Turkey: Turkish internet filtering and blocking

Banned in turkey

 Yaman Akdeniz has recently published a superb report for the OSCE on Turkey and Internet Censorship (press release | full text pdf).
Ironically, Yaman Akdeniz and his co-author Kerem Altıparmak have themselves been the subject of legal threats aiming to silence their criticism of Turkish internet censorship. Fortunately their book Restricted Access: A Critical Assessment of Internet Content Regulation and Censorship in Turkey (2008) is still available.

The image above is from Richard Dawkins' website, which has been blocked in Turkey since September 2008.

(Via Chris Marsden.)

Tuesday, February 09, 2010

Home Office terrorist material reporting site - some thoughts

The Home Office launched a new Directgov site last week, which "provides members of the public with information about what they can do if they come across violent extremist, terrorist and hate content online" (press release). The site takes reports and forwards them to a specialist unit within Association of Chief Police Officers (ACPO), which will take action if the material is illegal. Unsurprisingly there has been a good deal of media coverage (e.g. The Register | The Inquirer | BBC News).  So far, though, there doesn't seem to have been any assessment of how this fits into the broader matrix of internet regulation in the UK. This post asks what effect it might have.
Reducing the role of the IWF?

One of the more significant aspects of this story is that it appears to be the first time that the UK government has set up a specific site to which internet content can be reported. Until now, the government has effectively devolved that function to the Internet Watch Foundation (IWF). Although this is a private body, official policy has been to designate the IWF as the first port of call for online content. The Surrey Police website is typical:
If you come across offensive or illegal material, please DO NOT contact Surrey Police directly.
Instead, you can make a report on the Internet Watch Foundation (IWF) web site.
If they decide any action is needed, they will contact the ISP or the police, who can take appropriate action. (It's worth remembering that evidence of illegal or offensive material can be detected even after it has been deleted from a computer.)
The Internet Watch Foundation are qualified to judge the illegality of material and will report matters to the relevant police force. They are the only authorised organisation in the UK that provides an Internet hotline for the public to report their exposure to illegal content online.
Despite this, however, the IWF has never had a remit to receive complaints in relation to all illegal material online. For example, while there have been proposals from the Home Office that the IWF's remit should be extended to cover extremist websites, these have never come to fruition. Similarly, when the Terrorism Act 2006 created a system of notifying ISPs to take down terrorist material, that system bypassed the IWF entirely and required that notices be given via the police.

Consequently, the setting up of this site may be significant - does it indicate a trend which moves away from government reliance on the IWF and towards the use of separate (and public) reporting mechanisms?

Content control as a means of protecting vulnerable people?

The rhetoric used in announcing the site is also interesting. According to Lord West:
We want to protect people who may be vulnerable to violent extremist content and will seek to remove any unlawful material.
If this sounds familiar, that's because it echoes the justifications for introducing the Cleanfeed child abuse image blocking system and later for criminalising extreme pornography - in each case, a central component was the argument that harm would be caused to the viewer (by simply viewing the material, or by predisposing them to commit crimes). Is this approach - focusing on harm to the viewer - becoming more common in controlling content in the UK?

Using consumer pressure as a regulatory tool?

Quite apart from illegal content, the site also sets out to encourage users to challenge content which is  legal. According to Lord West:
This is also about empowering individuals to tell them how they can make a civic challenge against material that they find offensive, even if it is not illegal.

The internet is not a lawless forum and should reflect the legal and accepted boundaries of society.
Consequently, the site provides information on how to make complaints:
What you can do about online hate or violence that is not illegal

Most hateful or violent website content is not illegal. While you may come across a lot of things on the internet that offend you, very little of it is actually illegal.

UK laws are written to make sure that people can speak, and write, freely without being sent to prison for their views.

To be illegal, the content must match the descriptions at the top of this page.

Still, even if what you’ve seen does not seem to be illegal, you can take the steps below to have it removed if it upsets, scares or offends you.

Report it to the website administrator

Most websites have rules known as ‘acceptable use policies’ that set out what cannot be put on their website. Most do not allow comments, videos and photos that offend or hurt people...

If what you’ve seen is on a site with a good complaints system, you should report it to the website’s owners. Look out for their ‘contact us’ page, which should be clearly linked...

Report it to the hosting company

If the website itself is hateful or supports violence or terrorism let the website’s hosting company know. Hosting companies provide a place where the website sits, and often have rules about what they are willing to host.

Let the hosting company know they are hosting a website that breaks their rules, and ask them to stop.

You can find out which company hosts a website by entering their web address on the ‘Who is hosting this?’ website.
This approach - by encouraging community pressure to force ISPs to change their behaviour - matches policy in relation to blocking, where the Home Office has abandoned plans to legislate and has instead stated its intention to rely on public pressure instead:
For the first time the IWF will publish the list of ISPs who are certified as having implemented its blacklist. "Hopefully consumer and public pressure will encourage the ISPs who aren't on the list to comply," said Carr. A Home Office spokesman said: "We will continue to urge ISPs to implement blocking, and ask consumers to check with their suppliers that they have done so."
Does this mark the start of a trend towards greater use of consumer pressure by the UK government as a means of regulating what ISPs do?

Monday, February 08, 2010

Cloud computing complications

Not too long ago the Taoiseach and the Green Party were telling us that cloud computing is the way of the future for Irish business. Now it emerges that the Department of Finance has emailed government departments and public bodies warning about the risks of cloud computing. Is this a case (as some amused observers are saying) of the left hand not knowing what the right hand is doing? Or, as some sectors of the Irish technology industry are putting it, simple technical ignorance?
A Microsoft spokeswoman said that Ireland should "embrace the cloud across all aspects of public services".

"Microsoft’s software plus services offering provides enhanced security for data over and above what has traditionally been available for private and public organisations, and this is one of the primary reasons why so many public and private organisations across the globe are beginning to deploy solutions in the cloud."

Ed Byrne, general manager of Hosting 365, which provides cloud computing services, described the e-mail as "damaging" and showed a "lack of knowledge" of what the technology involves.

The technology is "mature and not nascent" said Philip Nolan, a partner in legal firm Mason Hayes + Curran. He said any contractual issues were surmountable, and he has large clients who use cloud computing for their core systems.
So are these criticisms justified? While it's understandable that providers might be defensive, these responses seem out of place given the very moderate tone of the original email, which is not a blanket ban on the use of cloud computing but simply a reminder to take legal advice before buying these services:
The Department of Finance has warned Government departments and public sector bodies that they should not purchase cloud computing services without obtaining legal advice.

The warning e-mail, which carries the subject "cloud computing warning", says that the Chief State Solicitor’s Office has "advised that issues such as data protection, confidentiality and security and liability are not necessarily dealt with in a manner that would be necessary for public sector responsibilities".
Far from being ignorant of the nature of cloud computing, this seems to show a good awareness of the challenges it can present. As Simon McGarr points out in today's Irish Times, unless properly thought out in advance cloud computing may result in the transfer of personal information outside the EU and in inadequate security measures being put in place by data processors. Suitable contracts can deal with these risks - but not all cloud computing providers (particularly those headquartered outside the EU) seem to be fully aware of their responsibilities under European data protection law, making detailed legal advice essential in all cases.

In addition, public sector storage of data presents further problems which are distinct from those faced in private sector use of cloud computing. For example, how will the public body ensure that data held in the cloud is available to meet a Freedom of Information Act request? How will departmental records held in the cloud be preserved and archived as required by the National Archives Act 1986? Will data in the cloud be sufficiently searchable as required by the Reuse of Public Sector Information Regulations? These and other complications make the advice from the Department of Finance seem eminently reasonable.

Update (27.02.10) - Microsoft's new secure cloud product for the US government shows some of the ways in which cloud computing products may have to be tailored for public sector use.

Friday, February 05, 2010

Please forgive the technical problems...

As you might have noticed, I'm changing the look and feel of the blog at the moment: something that requires migration from FTP to hosting with Google; updating the zone file for the domain; and all sorts of other technical shenanigans. Apologies in advance for the inevitable glitches. Normal service should be resumed shortly.

Sunday, January 31, 2010

Irish blogger agrees €100,000 settlement for libel

The Sunday Times has details of the settlement which was obliquely mentioned in Forbes last week:
A blogger has agreed a €100,000 settlement after libelling Niall Ó Donnchú, a senior civil servant, and his girlfriend Laura Barnes. It is the first time in Ireland that defamatory material on a blog has resulted in a pay-out.

Barnes, an American book dealer, made a profit of up to €800,000 in 2005 from selling a cache of James Joyce papers to the state. One year later she began a relationship with Ó Donnchú, an assistant secretary in the Department of Arts, Sports and Tourism.

In December 1, 2006, a blogger who styles himself as Ardmayle posted a comment about the couple and the sale of the Joycean manuscripts under the headline “Barnes and Noble”. Following a legal complaint, he took down the blog and in February 2007 he posted an apology which had been supplied by Ó Donnchú’s and Barnes’ lawyer, Ivor Fitzpatrick solicitors.

“I subsequently discovered that these remarks were inaccurate,” Ardmayle said. “I unreservedly apologise to both Laura Barnes and Niall Ó Donnchú in respect of this post.”

However, the pair subsequently issued separate proceedings. It is understood that the €100,000 settlement was agreed shortly before the case was due before the High Court. A full defamation trial before a jury can cost €700,000-€800,000 in legal costs for both parties.

The blog, still active at, is in the form of a personal diary with observations on the arts, literature and sport. The author is not identified, and the litigants may have got his details through his internet server provider (ISP).

The settlement was subject to a confidentiality agreement, which forbids the blogger from speaking about it publicly. Neither Ó Donnchú nor Barnes responded to invitations to comment.
The Independent has more on the case from 2007 when proceedings were issued, and Sean Murphy has also produced a summary of the issues involved.

One interesting aspect of this case, as Mark points out, is the fact that the damages appeared to be quite high given that the blog in question was very low profile:
John Burns’s piece in today’s Sunday Times on the blogger who paid out €100,000 for libeling someone is interesting, and not just for bloggers. The blog which is the subject of the story is so obscure that Google finds zero – repeat zero – inward links. This is despite it having been operational since May 2005 (contrast that with TheStory; we’ve only been going since October or so, yet there are over 800 inward link results to the front-page alone). Additionally, the writer’s profile has only been viewed 3,000 times since the blog opened – or less than once per day.

So it’s a little-known, to say the least, blog.
Leaving aside the specifics of the case, perhaps this illustrates a more general point highlighting the importance of keeping good server logs.

The level of damages in defamation reflects the extent of publication – i.e. the extent to which the defamatory material was actually read. This is not (despite the best efforts of plaintiffs’ lawyers) the same as the extent to which it might have been read. Consequently (leaving aside other factors such as the gravity of the allegations) damages should be greatly reduced where the audience can be shown to be negligible. Potential readability worldwide notwithstanding.

Unfortunately, in the absence of server logs, it is going to be very difficult to rebut a plaintiff who claims that the material appeared quite high in search engine rankings, may have been read worldwide, etc. Consequently a defendant in that position is likely to be on the back foot, especially where a judge assumes that availability online automatically equals a mass audience.

Friday, January 29, 2010

Net Neutrality book now out

I've been looking forward to reading Chris Marsden's new book Net Neutrality and am glad to see that it's now been released by Bloomsbury - with a free download (PDF) under a CC licence being the icing on the cake. This passage gives a sense of the perspective he takes:
The network neutrality debate is only in part about economics and technology, despite what you might surmise from various pro-competitive statements by academics and the shape of the US and European debates. The extent to which even lawyers have been drawn into an open-ended debate regarding the merits of duopoly versus inset competition in telecoms, or the relative merits of open interoperable software environments versus proprietary property rights-based or corporate developments, or the benefits of end to end ‘dumb’ networks versus intelligent networks, displays the capture of the subject by economists and corporate technologists. The issues at stake are more fundamental to society than that. As a lawyer who has written for over a decade in favour of pro-competitive telecoms and media policy, I am not ashamed or abashed to state that I emphasize that communications policy is about fundamental rights of citizens as well as public welfare for consumers, and that it is about educated and informed users as well as optimally priced access networks. [Emphasis mine.]
Strongly recommended.

Saturday, January 16, 2010

Sexting and the law in Ireland

I was quoted in the Daily Mail recently in a story about a supposed increase in sexting by Irish children. The reporter was interested in the possible criminal liability of children who send and receive sexual images - something which featured only to a small extent in the story - and I thought it might be useful to jot down some more observations about the surprisingly complex law in this area.

(i) When will a "sext" amount to child pornography?

The most important legislation on this point is the Child Trafficking and Pornography Act 1998. Consequently, the first question we must ask is whether sexts will amount to child pornography prohibited under that Act.

In relation to particularly explicit images, section 2 makes it clear that images of a child "engaged in explicit sexual activity", or images which focus on the "genital or anal region" will constitute child pornography.

What about less explicit images? Might e.g. a topless photo constitute child pornography? Possibly. Under section 2, child pornography includes images relating to a child that "indicates or implies that the child is available to be used for the purpose of sexual exploitation". Sexual exploitation is in turn defined in section 3 to includes inducing a child to "participate in any sexual activity which is an offence under any enactment". Consequently, even a less explicit image might amount to child pornography if it implies that a child is available for (illegal) sexual activity.

(ii) Is there a "Romeo and Juliet" defence?

Suppose a 16 year old girl takes an explicit picture amounting to child pornography and texts it to her 16 year old boyfriend. Might the boyfriend be liable for the offence of possession of child pornography, contrary to section 6?

Yes. The 1998 Act (in common with other areas of Irish criminal law - consider this case involving a 15 year old boy and a 14 year old girl) doesn't recognise a so-called Romeo and Juliet defence in relation to sexual activities between children of similar ages. One might hope that in this scenario prosecutorial discretion would prevail and no prosecution would be brought - but on the face of it a crime would have been committed.

(iii) Can the person taking and sending the sext be prosecuted?

Maybe. Section 5 of the 1998 Act creates an offence of knowingly producing or distributing child pornography which on the face of it would seem to cover the actions of children who take photos of themselves and then send them to others. Children in other jurisdictions have been charged with offences in this situation.

The Act itself doesn't provide a defence for a child in this position, unlike other legislation dealing with child sexual offences. For example, Section 5 of the Criminal Law (Sexual Offences) Act 2006 provides that "A female child under the age of 17 years shall not be guilty of an offence under this Act by reason only of her engaging in an act of sexual intercourse."

Would it be possible to read such a defence into the law, arguing perhaps that the child is the person intended to be protected by the legislation and as such it would be inappropriate to criminalise their actions? Possibly - but at this point we might be entering uncharted waters.

The common law does recognise a general principle against criminalising the victim, a rule often traced to R v Tyrell (1894) 1 QB 710 where it was held that a girl could not be guilty of aiding and abetting a male to know her carnally. In that case, Lord Coleridge CJ famously said that an Act could not have "intended that the girls for whose protection it was passed, should be punished under it for the offences committed against themselves". This has since been accepted as a wider principle - see e.g. Hallevy's interesting article on this point.

The difficulty with that principle, however, is that it generally applies where there are two or more parties involved in the commission of the criminal act - but I'm not aware of any authority applying it to the case of a single perpetrator who is simultaneously the victim. It should certainly apply where A (a child) consents to B taking explicit pictures - but it may be more difficult to argue that it should apply where A takes and sends the pictures. In that situation, could it be said that A is the victim of their own activity, so that the Tyrell principle should apply?

Any answer to that question might also be influenced by policy considerations. It could be argued, for example, that it is desirable to impose possible criminal liability in order to deter children from doing something which may result in their being further victimised in the future; it might also be said that an effective exemption for "self-produced" child pornography could hamper criminal investigations.

These thoughts merely scratch the surface of this area. Mary Graw Leary has more on the difficult problem of sexting and "self-produced" child pornography in this nuanced article, while Radley Balko has a rather different (and to my mind more convincing) argument at Reason.