Sunday, January 31, 2010

Irish blogger agrees €100,000 settlement for libel

The Sunday Times has details of the settlement which was obliquely mentioned in Forbes last week:
A blogger has agreed a €100,000 settlement after libelling Niall Ó Donnchú, a senior civil servant, and his girlfriend Laura Barnes. It is the first time in Ireland that defamatory material on a blog has resulted in a pay-out.

Barnes, an American book dealer, made a profit of up to €800,000 in 2005 from selling a cache of James Joyce papers to the state. One year later she began a relationship with Ó Donnchú, an assistant secretary in the Department of Arts, Sports and Tourism.

In December 1, 2006, a blogger who styles himself as Ardmayle posted a comment about the couple and the sale of the Joycean manuscripts under the headline “Barnes and Noble”. Following a legal complaint, he took down the blog and in February 2007 he posted an apology which had been supplied by Ó Donnchú’s and Barnes’ lawyer, Ivor Fitzpatrick solicitors.

“I subsequently discovered that these remarks were inaccurate,” Ardmayle said. “I unreservedly apologise to both Laura Barnes and Niall Ó Donnchú in respect of this post.”

However, the pair subsequently issued separate proceedings. It is understood that the €100,000 settlement was agreed shortly before the case was due before the High Court. A full defamation trial before a jury can cost €700,000-€800,000 in legal costs for both parties.

The blog, still active at, is in the form of a personal diary with observations on the arts, literature and sport. The author is not identified, and the litigants may have got his details through his internet server provider (ISP).

The settlement was subject to a confidentiality agreement, which forbids the blogger from speaking about it publicly. Neither Ó Donnchú nor Barnes responded to invitations to comment.
The Independent has more on the case from 2007 when proceedings were issued, and Sean Murphy has also produced a summary of the issues involved.

One interesting aspect of this case, as Mark points out, is the fact that the damages appeared to be quite high given that the blog in question was very low profile:
John Burns’s piece in today’s Sunday Times on the blogger who paid out €100,000 for libeling someone is interesting, and not just for bloggers. The blog which is the subject of the story is so obscure that Google finds zero – repeat zero – inward links. This is despite it having been operational since May 2005 (contrast that with TheStory; we’ve only been going since October or so, yet there are over 800 inward link results to the front-page alone). Additionally, the writer’s profile has only been viewed 3,000 times since the blog opened – or less than once per day.

So it’s a little-known, to say the least, blog.
Leaving aside the specifics of the case, perhaps this illustrates a more general point highlighting the importance of keeping good server logs.

The level of damages in defamation reflects the extent of publication – i.e. the extent to which the defamatory material was actually read. This is not (despite the best efforts of plaintiffs’ lawyers) the same as the extent to which it might have been read. Consequently (leaving aside other factors such as the gravity of the allegations) damages should be greatly reduced where the audience can be shown to be negligible. Potential readability worldwide notwithstanding.

Unfortunately, in the absence of server logs, it is going to be very difficult to rebut a plaintiff who claims that the material appeared quite high in search engine rankings, may have been read worldwide, etc. Consequently a defendant in that position is likely to be on the back foot, especially where a judge assumes that availability online automatically equals a mass audience.

Friday, January 29, 2010

Net Neutrality book now out

I've been looking forward to reading Chris Marsden's new book Net Neutrality and am glad to see that it's now been released by Bloomsbury - with a free download (PDF) under a CC licence being the icing on the cake. This passage gives a sense of the perspective he takes:
The network neutrality debate is only in part about economics and technology, despite what you might surmise from various pro-competitive statements by academics and the shape of the US and European debates. The extent to which even lawyers have been drawn into an open-ended debate regarding the merits of duopoly versus inset competition in telecoms, or the relative merits of open interoperable software environments versus proprietary property rights-based or corporate developments, or the benefits of end to end ‘dumb’ networks versus intelligent networks, displays the capture of the subject by economists and corporate technologists. The issues at stake are more fundamental to society than that. As a lawyer who has written for over a decade in favour of pro-competitive telecoms and media policy, I am not ashamed or abashed to state that I emphasize that communications policy is about fundamental rights of citizens as well as public welfare for consumers, and that it is about educated and informed users as well as optimally priced access networks. [Emphasis mine.]
Strongly recommended.

Saturday, January 16, 2010

Sexting and the law in Ireland

I was quoted in the Daily Mail recently in a story about a supposed increase in sexting by Irish children. The reporter was interested in the possible criminal liability of children who send and receive sexual images - something which featured only to a small extent in the story - and I thought it might be useful to jot down some more observations about the surprisingly complex law in this area.

(i) When will a "sext" amount to child pornography?

The most important legislation on this point is the Child Trafficking and Pornography Act 1998. Consequently, the first question we must ask is whether sexts will amount to child pornography prohibited under that Act.

In relation to particularly explicit images, section 2 makes it clear that images of a child "engaged in explicit sexual activity", or images which focus on the "genital or anal region" will constitute child pornography.

What about less explicit images? Might e.g. a topless photo constitute child pornography? Possibly. Under section 2, child pornography includes images relating to a child that "indicates or implies that the child is available to be used for the purpose of sexual exploitation". Sexual exploitation is in turn defined in section 3 to includes inducing a child to "participate in any sexual activity which is an offence under any enactment". Consequently, even a less explicit image might amount to child pornography if it implies that a child is available for (illegal) sexual activity.

(ii) Is there a "Romeo and Juliet" defence?

Suppose a 16 year old girl takes an explicit picture amounting to child pornography and texts it to her 16 year old boyfriend. Might the boyfriend be liable for the offence of possession of child pornography, contrary to section 6?

Yes. The 1998 Act (in common with other areas of Irish criminal law - consider this case involving a 15 year old boy and a 14 year old girl) doesn't recognise a so-called Romeo and Juliet defence in relation to sexual activities between children of similar ages. One might hope that in this scenario prosecutorial discretion would prevail and no prosecution would be brought - but on the face of it a crime would have been committed.

(iii) Can the person taking and sending the sext be prosecuted?

Maybe. Section 5 of the 1998 Act creates an offence of knowingly producing or distributing child pornography which on the face of it would seem to cover the actions of children who take photos of themselves and then send them to others. Children in other jurisdictions have been charged with offences in this situation.

The Act itself doesn't provide a defence for a child in this position, unlike other legislation dealing with child sexual offences. For example, Section 5 of the Criminal Law (Sexual Offences) Act 2006 provides that "A female child under the age of 17 years shall not be guilty of an offence under this Act by reason only of her engaging in an act of sexual intercourse."

Would it be possible to read such a defence into the law, arguing perhaps that the child is the person intended to be protected by the legislation and as such it would be inappropriate to criminalise their actions? Possibly - but at this point we might be entering uncharted waters.

The common law does recognise a general principle against criminalising the victim, a rule often traced to R v Tyrell (1894) 1 QB 710 where it was held that a girl could not be guilty of aiding and abetting a male to know her carnally. In that case, Lord Coleridge CJ famously said that an Act could not have "intended that the girls for whose protection it was passed, should be punished under it for the offences committed against themselves". This has since been accepted as a wider principle - see e.g. Hallevy's interesting article on this point.

The difficulty with that principle, however, is that it generally applies where there are two or more parties involved in the commission of the criminal act - but I'm not aware of any authority applying it to the case of a single perpetrator who is simultaneously the victim. It should certainly apply where A (a child) consents to B taking explicit pictures - but it may be more difficult to argue that it should apply where A takes and sends the pictures. In that situation, could it be said that A is the victim of their own activity, so that the Tyrell principle should apply?

Any answer to that question might also be influenced by policy considerations. It could be argued, for example, that it is desirable to impose possible criminal liability in order to deter children from doing something which may result in their being further victimised in the future; it might also be said that an effective exemption for "self-produced" child pornography could hamper criminal investigations.

These thoughts merely scratch the surface of this area. Mary Graw Leary has more on the difficult problem of sexting and "self-produced" child pornography in this nuanced article, while Radley Balko has a rather different (and to my mind more convincing) argument at Reason.

Tuesday, January 12, 2010

Why IP addresses are no longer enough to identify internet users

Richard Clayton has an excellent post explaining (in terms even a lawyer can understand) why the traditional formula of IP address plus timestamp is increasingly inadequate as a way of identifying internet users:
The basics are that you record an IP address and a timestamp; use the Regional Internet Registry records (RIPE, ARIN etc) to determine which ISP has been allocated the IP address; and then ask the ISP to use their internal records to determine which customer account was allocated the IP address at the relevant instant. All very simple in concept, but hung about — as the thesis explained — by considerable caveats as to whether the simple assumptions involved are actually true in a particular case.

One of the caveats concerned the use of Network Address Translation (NAT), whereby the IP addresses used by internal machines are mapped back and forth to external IP addresses that are visible on the global Internet. The most familiar NAT arrangement is that used by a great many home broadband users, who have one externally facing IP address, yet run multiple machines within the household.

Companies also use NAT. If they own sufficient IP addresses they may map one-to-one between internal and external addresses (usually for security reasons), or they may only have 4 or 8 external IP addresses, and will use some or all of them in parallel for dozens of internal machines.

Where NAT is in use, as my thesis explained, traceability becomes problematic because it is rare for the NAT equipment to generate logs to record the internal/external mapping, and even rarer for those logs to be preserved for any length of time. Without these logs, it is impossible to work out which internal user was responsible for the event being traced. However, in practice, all is not lost because law enforcement is usually able to use other clues to tell them which member of the household, or which employee, they wish to interview first.

Treating NAT with this degree of equanimity is no longer possible, and that’s because of the way in which the mobile telephone companies are providing Internet access.

The shortage of IPv4 addresses has meant that the mobile telcos have not been able to obtain huge blocks of address space to dish out one IP address per connected customer — the way in which ISPs have always worked. Instead, they are using relatively small address blocks and a NAT system, so that the same IP address is being simultaneously used by a large number of customers; often hundreds at a time.

This means that the only way in which they can offer a traceability service is if they are provided with an IP address and a timestamp AND ALSO with the TCP (or UDP) source port number. Without that source port value, the mobile firm can only narrow down the account being used to the extent that it must be one out of several hundred — and since those several hundred will have nothing in common, apart from their choice of phone company, law enforcement (or anyone else who cares) will be unable to go much further.
Edited to add (14.01.10):

In two follow up posts, Richard explains what this means for data retention rules (arguing that the IP address only approach of the Data Retention Directive is flawed) and considers the practicalities of identifying mobile internet users.

Sunday, January 10, 2010

Children's hospital lost data on 1m patients

In a follow up to his excellent story about Temple Street Children's Hospital storing DNA samples of over 1.5 million people without any legal basis, Mark Tighe has a piece in today's Sunday Times revealing that the hospital also lost two servers full of information about patients in 2007:
Two computer servers containing the records of almost 1m patients were stolen from the Children’s University hospital in Temple Street in 2007 and have never been recovered.

The data were far more than that lost on stolen bank laptops in recent years. The theft was investigated by the data protection commissioner (DPC) and the gardai after being reported by the Dublin hospital in February 2007. The organisations had decided that there was no need to inform the public, believing there was little chance of the thief being able to access the data.

Patients’ details, including names, date of birth and reason for admission are thought to have been included.
Interestingly, there's no mention of the servers having been encrypted, making it unclear on what basis it was decided that the data couldn't be accessed.

There's also an update indicating that there has already been some official interest in accessing the DNA records:
In Australia and New Zealand, hospital databases have been accessed by police using DNA in their investigations.

Asked if it had allowed gardai access to the database, Temple Street said it had “one tentative enquiry” by an agency but this was not followed up.

"Our patient confidentiality policy will continue to dictate the response and no access to samples will be granted," a spokeswoman said.

Tuesday, January 05, 2010

Revenue set up VIP unit (but don't the little people deserve privacy too?)

One recent story which didn't attract as much attention as it should have was the revelation that the Revenue have set up a special VIP unit to minimise leaks of confidential information about public figures. This emerged with the publication of an audit by the Data Protection Commissioner which found significant weaknesses in Revenue controls of data. (Weaknesses which still existed despite promised reforms after high profile scandals in 2005 and again in 2007.)

There's a lot of interesting material in that audit, but the VIP unit might well be the most significant. Although spun as a privacy friendly measure, it reflects a trend whereby in relation to privacy there is one law for them and one law for us. It would be unfortunate if this establishes a precedent for two tier protection in other departments also. Call me a cynic, but I suspect that effective privacy protection will only come about if the political classes find themselves exposed to the same risks as the rest of us.