Australia to mandate ISP level filtering

The Sydney Morning Herald reports:

INTERNET service providers will be forced to filter web content at the request of parents, under a $189 million Federal Government crackdown on online bad language, pornography and child sex predators.

The Prime Minister, John Howard, said that the Government would increase funding for the federal police online child sex exploitation team by $40 million, helping investigators to track those who prey on children through chat rooms and sites such as MySpace and Facebook.

In a separate development, convicted sex offenders in NSW will have to register their email address with police as part of State Government efforts to stop them using the internet to prey on children.

Mr Howard will also confirm a previous announcement that the Government will pay $90 million to provide every household that wants it with software to filter internet content.

Those unable to install the software or who have concerns about their children's internet use will be able to get advice by phone, another proposal previously suggested by the Government.

The more efficient compulsory filtering of internet service providers (ISPs) was proposed in March last year by the then Labor leader, Kim Beazley. At the time, the Communications Minister, Helen Coonan, and ISPs criticised his idea as expensive.

Three months later Senator Coonan announced the Government's Net Alert policy, which promised free filtering software for every home that wanted it. She also announced an ISP filtering trial to be conducted in Tasmania. That trial was scrapped.

Today Mr Howard will hail the ISP filtering measure as a world first by any Government, and is expected to offer funding to help cover the cost. Parents will be able to request the ISP filter option when they sign up with an ISP. It will be compulsory to provide it.

This is a remarkable about face from the Australian government's previous position. No details yet on how the filtering systems will operate or be funded, but presumably the filtering categories will be based on the existing system under which the Australian Communications & Media Authority (ACMA) classifies content and issues takedown notices / notices to filtering software makers. Electronic Frontiers Australia has detailed criticism of the plan.

Computer generated evidence and defence access to source code

Today's Irish Times reports on an interesting clash between the rights of an accused person to a fair trial and what breathalyser manufacturers see as their commercial interests:

A solicitor from Co. Louth is seeking a judicial review of a drink driving conviction...

Paul Moore, a solicitor in Monaghan, is arguing that because the manufacturers of the Lion Intoxilyzer breath testing machine did not provide him with a hard copy of the software it uses that a conviction was made in the absence of full disclosure and therefore the constitutional rights of the accused person were not upheld...

At an earlier court hearing Judge Flann Brennan had made an order of disclosure. When pressed on why the software was not disclosed pursuant to that order, Mr. Blythe [a senior manager with the manufacturers] told Alan Doherty, defending, that "the company is adamant that it does not disclose software documentation". He also said he believed that this was for commercial reasons.

This is the first Irish case that I'm aware of where disclosure of source code has been sought in the context of a criminal prosecution, though there has been a good deal of litigation on this point in the United States, where companies have also refused to turn over source code with the result that many cases have been dismissed.

This is certainly the correct result - if a person may lose their liberty based on a number generated by a machine, they must be able to challenge the accuracy of that number - which they cannot do unless they know how that machine operates. The manufacturer's failure to comply with a court order on the basis of "commercial reasons" is astonishing - if they believe that their commercial interests are superior to the right of an accused person to a fair trial and are unwilling to comply with the order of the court then they should not be manufacturing this equipment nor should our justice system be purchasing it.

Ethan Zimmerman of the EFF has some insightful comments on the US cases, and draws an analogy with electronic voting:

Matt Zimmerman, a staff attorney for the Electronic Frontier Foundation (EFF), said it is just as important for people to know that products like breathalyzers or voting machines work correctly as it is for companies to protect their trade secrets.

"It's one of the few cases that we've seen recently where a court has come out and said it really is appropriate, if you're going to be making important decisions that affect someone's liberty, then you should be able to understand what's going on with these technologies that are helping make these decisions," Zimmerman said.

He said that in addition to various fears over losing proprietary advantages, companies may also fear that public examination of software would let the public know "there may be some flaws in the design, in the coding, that otherwise they wouldn't have to reveal."

"The government is outsourcing a governmental process," Zimmerman said of both e-voting and the breathalyzer questions. "It's not a case where you're alleging that a certain harm has been done to a specific person. You're making the allegation that the technology doesn't do its work quite as well as it could."

The key to both concerns is the potential for these devices to affect people's liberty and freedom, while the manufacturers do not provide the public with the information to know what is going on, Zimmerman said. Both cases, he said, should tell the government that the public has a right to know how technologies actually work when they have to do with individual liberty.

Update (10/8/07): Declan McCullagh has details of a recent Minnesota decision ordering disclosure.
Update (5/9/07): The code of one US breathalyser has now been analysed and found to be extremely sloppy:

1. The Alcotest Software Would Not Pass U.S. Industry Standards for Software Development and Testing: The program presented shows ample evidence of incomplete design, incomplete verification of design, and incomplete “white box” and “black box” testing. Therefore the software has to be considered unreliable and untested, and in several cases it does not meet stated requirements. The planning and documentation of the design is haphazard. Sections of the original code and modified code show evidence of using an experimental approach to coding, or use what is best described as the “trial and error” method. Several sections are marked as “temporary, for now”. Other sections were added to existing modules or inserted in a code stream, leading to a patchwork design and coding style…

It is clear that, as submitted, the Alcotest software would not pass development standards and testing for the U.S. Government or Military. It would fail software standards for the Federal Aviation Administration (FAA) and Food and Drug Administration (FDA), as well as commercial standards used in devices for public safety…If the FAA imposed mandatory alcohol testing for all commercial pilots, the Alcotest would be rejected based upon the FAA safety and software standards…

4. Catastrophic Error Detection Is Disabled: An interrupt that detects that the microprocessor is trying to execute an illegal instruction is disabled, meaning that the Alcotest software could appear to run correctly while executing wild branches or invalid code for a period of time. Other interrupts ignored are the Computer Operating Property (a watchdog timer), and the Software Interrupt.

6. Diagnostics Adjust/Substitute Data Readings: The diagnostic routines for the Analog to Digital (A/D) Converters will substitute arbitrary, favorable readings for the measured device if the measurement is out of range, either too high or too low. The values will be forced to a high or low limit, respectively. This error condition is suppressed unless it occurs frequently enough…

7. Flow Measurements Adjusted/Substituted: The software takes an airflow measurement at power-up, and presumes this value is the “zero line” or baseline measurement for subsequent calculations. No quality check or reasonableness test is done on this measurement…

10. Error Detection Logic: The software design detects measurement errors, but ignores these errors unless they occur a consecutive total number of times. For example, in the airflow measuring logic, if a flow measurement is above the prescribed maximum value, it is called an error, but this error must occur 32 consecutive times for the error to be handled and displayed. This means that the error could occur 31 times, then appear within range once, then appear 31 times, etc., and never be reported…

Data protection roundup

New guidance on meaning of "personal data"

The Article 29 Working Group has given a very comprehensive and helpful opinion on the meaning of personal data. It goes much further than the narrow approach in Durant v. Financial Services Authority, and specifically rejects the view that information must "have the data subject as its focus" before it can constitute personal data.

Data Retention Directive implemented in UK - but only for telephone data

The UK has now implemented the Data Retention Directive in respect of telephone records, choosing a one year retention period. The implementation of the Directive in respect of internet activity has been deferred pending further consultation.

Manual data to be treated in the same way as computerised data

The Data Protection Acts will apply in full to manual data from 24 October 2007. When the 2003 Act extended the data protection principles from computerised data to include manual data (such as paper files) it provided for a four year transitional period in which existing manual data would be exempt from sections 2, 2A and 2B of the Acts (dealing with the collection, processing, keeping and use of personal data and sensitive personal data). That transitional period ends on 24 October, which may cause problems for organisations which have older files which are not compliant with the new law.

Australian judges - uncut

The Australian outlines what some of Australia's most senior judges said about their roles when promised anonymity:

[S]ome judges are committed activists who believe those who criticise their approach are "vociferous red-neck people"...

"Perhaps it's illegitimate to pull the rabbit out of the hat, but it's nice to see it emerging," said one High Court judge...

While some judges see judicial activism as their duty, others are still seething over what they see as the High Court's illegitimate law-making under former chief justice Anthony Mason.

"Madness let loose," is how one judge described the Mason court. The Mason court, which recognised Aboriginal native title and implied constitutional rights, was also denounced for cooking up "some pretty funny menus".

Its decisions on implied rights were "silly", "sneaky" and "the worst single feature of Australian constitutional law in the last 20 years", the judge said.

The court's Mabo decision on native title received particular criticism. Another judge said the Mason court's development of implied constitutional rights had created a "looseleaf constitution". "We've said bugger the constitution. We'll tell you what should be there. It's very distressing," one judge said.

The story is based on research carried out by political scientist Jason L. Pierce for his PhD, which was ultimately published as Inside the Mason Court Revolution: The High Court of Australia Transformed. [The full PhD thesis is available online.] The central theme is summarised in this review:

Orthodoxy expects certainty in judicial decisions that narrowly apply the law to the resolution of disputes between private parties. Politics and the law occupy separate realms where judges serve as caretakers guarding the boundaries between the two. Without a bill of rights and given the federal structure of Australia, orthodoxy presumed the High Court’s responsibility dealt almost exclusively with the division of powers between the states and federal government. Legal reasoning was declaratory in nature, closely bound by the text of the law, and governed by precedent. Evolution in legal rules occurred interstitially according to common law tradition as existing rules were applied to novel situations. The “politicized” role turned orthodoxy on its head. Uncertainty was acknowledged. New rationales for decisions besides text and precedent were put forward. A “public model” of High Court litigation encouraging a wider range of participants emerged. The High Court stretched its jurisprudential horizons to include public policy questions of justice and personal rights that parliament had failed to address. MABO and implied rights naturally followed. And so did political challenges and eventually the High Court’s retreat from this politicized role.

I'll be reading this with interest, bearing in mind possible parallels with what Keane CJ described as Ireland's own "tide of judicial lawmaking", albeit one that has "receded somewhat in recent years". And, I confess, I'll also be enjoying the candour of the Australian judges:

Q: What impact did the retirement of Justices Brennan, Dawson, and Toohey have on the High Court?
Judge: A slight swing to the right. Toohey was a terrible communist. Brennan wasn’t much better.
Q: What do you mean by ‘communist’?
Judge: [Toohey] is always dripping with sympathy for the underdog, whether it was deserved or not. He always thought that the employee should win against the employers. He was a ghastly mistake.
Q: What impact will the retirement of Chief Justice Brennan and appointment of Chief Justice Gleeson have, in your mind?
Judge: Well, we’ll get back to law and not sociology. Gleeson’s a very good lawyer and since he hasn’t got a heart, there’s no danger of him being sort of over muffling to anyone. He’ll just apply strict rules. Bang, bang, bang. That’s it. [p.73 of the Thesis PDF]

Mobile phone registration: Of limited benefit, will not solve problems and not practical

The Independent reports:

ALL mobile phones will have to be registered as part of a Government plan to improve surveillance on drug dealers.

Currently, any person can buy a pay-as-you-go mobile phone anonymously, which makes it harder for the gardai to track those involved in the drugs trade.

In an interview with the Irish Independent, new Drugs Minister Pat Carey said registry would help to tackle the "rampant use" of mobile phones in prisons, as well as small-time dealers working in the "shopping-centre carpark, the church car park or the local football field".

"If you've nothing to hide, you've nothing to fear. There may well be confidentiality or civil liberties issues but there are lives of people at stake as well, which I believe overrides any of those."

This policy is a nonsense. But don't take my word for it. Here's an email which Antoin received from the Department of Communications, Marine and Natural Resources in January of this year:

The idea for a Register of mobile phones was extensively reviewed by officials in the Department. There were many complex legal, technical, data protection and practical issues to be considered. In theory, a Register of mobile phones might seem like a good idea. However, having looked at the situation in other administrations, considered the ease with which an unregistered foreign or stolen SIM card can be used and the difficulties that would be posed in verifying identity in the absence of a national identification card system, and having consulted with the Office of the Attorney General and other interested parties, it was concluded that the proposal would be of limited benefit, in that it would not solve the illegal and inappropriate use of pre-paid mobile phones and was not practical.

Incidentally, I'd be intrigued to know how this will stop the "rampant use of mobile phones in prisons". Perhaps Pat Carey might think about preventing prisoners from having mobile phones in the first place?

Can ISPs be required to block file-sharing?

EDRI has a very good summary of the remarkable decision in SABAM vs SA Scarlet which requires a Belgian ISP to monitor its network so as to block the sharing of copyrighted files over peer to peer networks:

In an unprecedented decision, the Court of First Instance in Bruxelles has ordered Scarlet, a Belgium ISP, to implement technical measures in order to prohibit its users to illegally download music files.

The decision comes after a complaint initiated in 2004 by Sabam (Belgian Society of Authors, Composers and Publishers) against the Belgium ISP Tiscali, now renamed as Scarlet. A first intermediary ruling of 26 November 2004 accepted the possibility for an ISP to disconnect customers if they violate copyrights, and block the access for all customers to websites offering file-sharing programs. But further technical clarifications were needed, so an expert was appointed in order to present its opinions.

In a report published on 3 January 2007, the expert presented 11 solutions that could be applied in order to block or filter the file-sharing, and seven of them could be applied by Scarlet.

The court has decided that Scarlet need now to implement one or more technical measures in order to stop the copyright infringement, by making it impossible for its subscribers to send or receive music files from the repertoire of Sabam via p2p software. Scarlet also needs to inform Sabam on the technical measures that will be implemented. The decision needs to be implemented in 6 months, or the ISP must pay 2 500 euros /day as damages for non-compliance.

The decision did not consider the issues regarding privacy, freedom of expression or the right to the secrecy of the correspondence. Scarlet also claimed that the duty imposed by the court is a general obligation to monitor the network, that is contrary to the EU E-commerce Directive. But the court stated that the decision was not an obligation to monitor the network and that the solutions identified by the expert were just technical measures allowing blocking or filtering certain information sent through the Scarlet's network.

There is a tension here between different aspects of European law. Copyright law requires member states to give copyright holders effective remedies against infringement - including injunctions against intermediaries who facilitate infringement. On the other hand, the E-Commerce Directive recognises that it would be impossible to operate a regime where ISPs were responsible for the activities of their users, and establishes protections for ISPs including a provision which prevents member states from imposing a general duty on ISPs to monitor their networks for illegal activity. This decision appears to privilege copyright law over the safeguards of the E-Commerce Directive, privacy of users, and freedom of expression and, if upheld, will result in ISPs become privatised censors (at their own cost, no less). Once the technology is put in place to prevent one type of material being distributed, we can expect function creep as other interest groups seek to censor other material also.

Australian challenge to Google advertising practices - implications for Ireland?

Silicon Republic reports that the Australian Competition and Consumer Commission has launched a challenge to how Google (and, by implication, other search engines) serve up advertising with search results:

Search giant Google, including named subsidiaries in Ireland and Australia, is being taken to court by the Australian Competition and Consumer Commission over the way it sells and displays its sponsored links.

Google is being sued by an Australian body over the practice of buying adverts next to search terms.

The Australian Competition and Consumer Commission (ACCC) is alleging that Google and one of its advertisers, the Australian shopping portal Trading Post, purchased ads next to the search terms “Kloster Ford” and “Charlestown Toyota”, two of its leading competitors.

The nub of the issue is that Google failed to make it clear that these words were not “organic” search results.

“This is the first action of its type globally,” the ACCC said in a statement. “Whilst Google has faced court action overseas, particularly in the United States, France and Belgium, this generally has been in relation to trademark use.

“Although the US anti-trust authority the Federal Trade Commission has examined similar issues, the ACCC understands that it is the first regulatory body to seek legal clarification of Google's conduct from a trade practices perspective.”

The ACCC says it has instituted legal proceedings in the Federal Court, Sydney, against Trading Post Australia Pty Ltd, Google Inc, Google Ireland Limited and Google Australia Pty Ltd alleging misleading and deceptive conduct in relation to sponsored links that appeared on the Google website.

“The ACCC is alleging that Trading Post contravened sections 52 and 53(d) of the Trade Practices Act 1974 in 2005 when the business names ‘Kloster Ford’ and ‘Charlestown Toyota’ appeared in the title of Google-sponsored links to Trading Post's website. Kloster Ford and Charlestown Toyota are Newcastle car dealerships who compete against Trading Post in automotive sales.”

The ACCC is alleging that Google, by causing the Kloster Ford and Charlestown Toyota links to be published on its website, engaged in misleading and deceptive conduct in breach of section 52 of the Act.

It is also alleging that Google, by failing to adequately distinguish sponsored links from “organic” search results has engaged and continues to engage in misleading and deceptive conduct that breaches Australian law.

Google Australia has described the lawsuit as an attack on all search engines and vowed to defend itself.

Google has won similar cases in the US courts brought by car insurance company Geico and IT support company Rescue.com.

The search giant lost a case in France whereby a fashion company accused the company of running links to counterfeit goods alongside legitimate results.

A US home furniture company, American Blind & Wallpaper Factory, is currently embroiled in a legal battle with Google alleging searches for the company brought up sponsored links brought by competitors.

While the ACCC press release and the stories about it aren't entirely clear, it seems that three separate issues are involved - (a) the use of competitors' names / trademarks as keywords to trigger advertising; (b) the use of those names / trademarks in the advertisement itself; and (c) whether the search results make clear the distinction between paid advertisements and "organic" search results.

How significant is this challenge from an Irish law perspective? Issues (a) and (b) have already been heavily litigated elsewhere, and I've discussed them in an article on keywords and metatags (with Paul Lambert). In that article we point out that in Europe the courts have leaned against the use of competitors' trademarks in the text of advertisements and have generally prohibited the use of competitors' trademarks as keywords. Consequently search engine policies here already refuse to allow the use of competitors' trademarks in the text of advertisements, and either refuse to sell trademarks as keywords or impose restrictions on so doing. To that extent it's unlikely that this ACCC action will have any great effect here. It is true that the majority of cases to date have been taken from a different legal perspective (trademark infringement or passing off rather than trade practices) but the issue is essentially the same regardless of the legal theory - have consumers been deceived as to the affiliation of the result?

Issue (c) may be more interesting. What does a search engine have to do to distinguish paid from organic search results? As the ACCC points out, the industry norm is developed from a 2002 recommendation of the US Federal Trade Commission which arose from this complaint against Altavista and others. That recommendation has led to most search engines using terms such as "sponsored results" or "sponsor results" to distinguish advertising from organic results, usually with either a different colour background or a line separating the advertising from the results. However, it's frequently said that consumers still have difficulty distinguishing between them. (Although one English judge has asserted that "The web-using member of the public knows that all sorts of banners appear when he or she does a search and they are or may be triggered by something in the search. He or she also knows that searches produce fuzzy results – results with much rubbish thrown in.")

If the ACCC can establish consumer confusion between results and advertising, the outcome is likely to be that search engines will be required to take steps to further segregate advertising from results, potentially reducing click through rates and revenue substantially - and this may have knock on effects for other jurisdictions, including Ireland.

Your private information is for sale: Telephone Records ctd.

From the Sunday Independent, still more evidence that your telephone records are for sale to the highest bidder:

IRELAND has become a centre for commercial espionage with Dublin "like Berlin in the Cold War", according to a former top CIA operative.

The claims were made by Robert Baer who began his career as a spy when he became case officer with the CIA Directorate of Operations.

During a 20-year career as a covert operative, he had field assignments in India, Beirut, Tajikstan and northern Iraq .

"Let's say I wanted to know about you. The first thing I want is cell-phone records. Let's say I've got your landline number. From your landline I can do a data search and I can get your cell phone number in Ireland very easily," he said.

Mr Baer claimed that if he wanted to find a list of calls made from any mobile phone in the last six months, he could buy that information from a Dublin-based firm.

Defamation, search engines and the E-Commerce Directive

I'm quoted in the Sunday Tribune on the impact of Irish defamation laws on search engines. Unfortunately I have to quibble slightly with how the law is described in the article, which may be due to a breakdown in communications between myself and the author. Full text and my comments follow:

GOOGLE is facing a landmark defamation suit in Britain that could have repercussions for Ireland's attractiveness as a destination for online businesses.

The search giant has been sued by London businessman Brian Retkin, who claims the US company is responsible for providing links to inaccurate or malicious information about him and his business posted anonymously on the internet.

Irish legal observers, and Google's Dublin based legal eagles at its European headquarters, are watching the case unfold as defamation laws in the Republic are significantly less up-to-date than English laws on online libel.

The main difference is that internet service providers and online product providers such as Google have specific legal devices available to them under British defamation law and the EU's e-commerce directive, whereas in Ireland the laws have not been updated to take account of the information revolution.

"It's ridiculous because we're advertising ourselves as a knowledge economy and aiming to attract more companies like Google and Ebay here, but we're not giving them the legal protection they need in terms of defamation, " says barrister and digital rights campaigner TJ McIntyre.

The law lecturer claims there is a danger of Dublin courts attracting "libel tourism", much as London attracts so-called divorce tourism because of the reputation of English judges in awarding large pay-outs.

"Ireland's defamation laws are rooted in the middle of the last century, and even if [Michael] McDowell's proposed reforms in his defamation bill went through there would still be no mention of specific defences for online publishers."

The Retkin allegations are believed to have originated in America, where it is much more difficult to succeed in a libel claim because US judges have ruled that search engines and other internet service providers are immune from defamation lawsuits.

In Ireland, an online publisher could be treated as a disseminator of libel in much the same way as a newsagent can theoretically be sued for distributing newspapers containing defamatory content.

With Google linking to 11.5 billion web pages, potential financial damages in an Irish court could be staggering.

A spokesman for Google would not comment on the specifics of the case. "The company would reiterate that is has no connection or ability to direct or influence the content of web pages which may be shown as links within any given set of search results."

My quibble is with this passage:

[D]efamation laws in the Republic are significantly less up-to-date than English laws on online libel.

The main difference is that internet service providers and online product providers such as Google have specific legal devices available to them under British defamation law and the EU's e-commerce directive, whereas in Ireland the laws have not been updated to take account of the information revolution.

In fact, Irish and UK laws on intermediary liability are quite similar - both the Irish and UK Regulations adopt a minimalist approach to implementing the E-Commerce Directive (which has been transposed into Irish law, contrary to what the article might suggest). The problem for search engines and other intermediaries is that the E-Commerce Directive does not go far enough. Under the Directive a limited immunity is given to three classes of intermediaries - caches, hosts, and mere conduits. This, however, leaves other internet intermediaries out in the cold. Search engines, providers of hyperlinks and content aggregators are analogous to hosts or mere conduits (they facilitate access to material but do not control it or have knowledge of its content) - but they do not enjoy comparable protection under the Directive.

Several European countries have decided that the Directive is too narrow - Austria, Hungary, Portugal and Spain, amongst others, have created additional protections for search engines. The European Commission has also encouraged Member States to extend protection to other internet intermediaries. The risk for Ireland is that we may become less attractive as a destination for these businesses if Irish law does not follow suit. The Defamation Bill 2006 should have provided an opportunity to consider this issue - but that Bill would not have changed the law in this area had it been enacted.

On the libel tourism point, possibly the best Irish example is USA Rugby Football Union Limited v. Ivan Calhoun. In that case, although the plaintiffs ultimately failed to have the Irish courts accept their case, they succeeded in subjecting the defendant to two years of litigation (in both the Circuit Court and High Court) despite the lack of any real connection to Ireland, and despite the fact that the material published would not have been actionable in the United States.

First computer game banned in Ireland

Manhunt 2 has achieved the dubious honour of becoming the first game to be banned in Ireland. From the Irish Film Censors Office:

MANHUNT 2 VIDEO GAME PROHIBITED

A prohibition order has been made by IFCO in relation to the video game Manhunt 2. The Order was made on 18th June 2007 under Sec 7 (1) (b) of the Video Recordings Act 1989 which refers to ‘acts of gross violence or cruelty (including mutilation and torture)’.

IFCO recognizes that in certain films, DVDs and video games, strong graphic violence may be a justifiable element within the overall context of the work. However, in the case of Manhunt 2, IFCO believes that there is no such context, and the level of gross, unrelenting and gratuitous violence is unacceptable.

The Irish Times points out that this parallels a ban by the British Board of Film Classification:

Manhunt 2 has also been banned by the British Board of Film Classification, which has made it illegal for the game to be supplied anywhere in the UK.

A statement from the board yesterday said: "Rejecting a work is a very serious action and one which we do not take lightly. Where possible we try to consider cuts or, in the case of games, modifications which remove the material which contravenes the board's published guidelines.

"In the case of Manhunt 2 this has not been possible. Manhunt 2 is distinguishable from recent high-end video games by its unremitting bleakness and callousness of tone in an overall game context which constantly encourages visceral killing with exceptionally little alleviation or distancing.

"There is sustained and cumulative casual sadism in the way in which these killings are committed, and encouraged, in the game."

The system for censoring / self-classification of games in Ireland is a curious one - in part statutory, and in part based on voluntary cooperation between the games industry and the Film Censor. Marie McGonagle has outlined the system in detail here (PDF, pp. 23-30). The ban reflects a worrying worldwide trend towards greater censorship of games, in many cases whether or not aimed at adults.

Sharing out online liability: sharing files, sharing risks

My colleague Bob Clark has just published a very interesting article on legal implications of filesharing in the Journal of Intellectual Property Law & Practice. In comments that will be of particular interest to the 23 filesharers recently identified by the High Court, he suggests that the methods used by the music industry to monitor p2p networks might themselves be illegal:

The privacy interest
When the issue of a rightholder's ability to compel disclosure of the details of the person standing behind an IP address arises, personal privacy arguments have not succeeded in either the Irish or Canadian courts. In contrast, it is widely reported that the French Data Protection Authority has ruled that the automated monitoring of users of P2P filesharing systems may not be permitted since it results in the accumulation of ‘a massive collection of personal data’, on the basis of exhaustive and continuous surveillance' of P2P sites that goes ‘beyond that which is necessary for the fight against piracy’. While the impact of the new French Copyright law remains to be assessed, the IFPI is optimistic that data protection law does not bar discovery of identity orders in French courts. The view of the English and Irish courts is that, because data protection legislation in each jurisdiction permits personal data to be obtained following court orders, as long as the rightholder uses a Norwich Pharmacal or similar civil procedure the ISP will be able to disclose personal data about suspected filesharers. In EMI v Eircom Kelly J said, of the rights of privacy:

"the statutory entitlements, whether they arise under the Data Protection legislation of the Postal and telecommunications legislation are subject to a provision which permits the confidentiality to be legitimately breached by an order of the Court."

While he conceded that the law did not prescribe the conditions under which an order may be made, the ‘necessity’ test vis-à-vis Norwich Pharmacal is flexible enough to afford a basis for such an order.

What may remain unexplored is the difficulty rightholders may have in some jurisdictions in collecting evidence. Case-law suggests that the standard methodology is to engage a US agency, MediaSentry, to monitor volume uses of MP3 files, taking a 10 minute snapshot of real time users in order to identify potentially infringing filesharers on a high volume basis. In BREIN, the collection of personal data by MediaSentry on behalf of BREIN was held unlawful, MediaSentry not having signed up to the EU/US Safe Harbor Agreement. The Utrecht Court's ruling was upheld on appeal on the basis of infringement of privacy by MediaSentry and because MediaSentry's software was not sophisticated enough to identify users or acts of infringement correctly. This manner in which information is collected was also considered in Sharman, when Wilcox J put it to the MediaSentry witness: ‘so what you are doing is, you are in effect spying on a person who is in the act of downloading’.

In the context of Irish law, intrusive methods of collecting data may be challengeable under the privacy provisions in the EU Telecommunications Data Protection Directive, as well as under the constitutional guarantee of privacy in respect of the communication of messages. It is also uncertain whether rightholders are illegally using telecommunications technology to intercept communications as MediaSentry, at the time of the interception, clearly had no authority to do this. Thus, one may need to distinguish between activities that employ privacy intrusive techniques to collect evidence (no legal process having yet taken place) and a subsequent court application to complete the chain of evidence, to secure the names and addresses of persons behind the IP address. In the former case, serious statutory and constitutional law issues may need to be addressed. Until more light is cast on the methods of data collection used initially to identify suspects by organizations such as MediaSentry, this uncertainty will remain.

Rightholders may be aware that some collection techniques are legally suspect. In November 2005, the Creative and Media Business Alliance attempted to persuade the members of the European Parliament to extend the draft Data Protection Directive to cover offences that arise from copyright infringement. This attempt failed, the lobbying being attacked as both an infringement of civil liberties and an attempt to transfer the cost of protecting copyright from well-funded industries to European taxpayers and telecoms subscribers.

Copyright in custom code: Who owns commissioned software?

Commissioned or bespoke software can raise difficult issues of ownership if there is no clear agreement in place between the client and the developer. Who will own the copyright? Can the developer reuse code written for a particular client? Is the client entitled to modify or update the code? Can the client resell the software? Might the client be limited to using the code in a particular market sector or in a particular jurisdiction? Who owns any database rights in bespoke software? Does it matter whether the client is given the source code? Does it matter how much the client has paid for the software? Can a client claim joint authorship on the basis of their role in providing detailed specifications and taking part in beta testing? Might the moral rights of the developer limit what the client can do with the software?

I discuss the legal issues involved in this article which has just been published in the Journal of Intellectual Property Law & Practice.

Update: Out-Law have a report of a recent case exactly on point.

SMS spammers forced to delete database

Another interesting case from the Data Protection Commissioner's 2006 Annual Report involves spam SMS sent by Opera Telecom to people who had texted support for the "Global Call Against Poverty Campaign". In this case the Commissioner used the enforcement powers to require Opera to delete that database in its entirety:

I received a complaint from an individual regarding the receipt of an unsolicited text message in November 2005. The message, sent by Opera Telecom, was a promotional message for a subscription service.

When my Office investigated the matter it was discovered that the complainant had attended a major music concert in Croke Park in June 2005. During the concert, those attending were encouraged to text support for the Global Call Against Poverty Campaign. The complainant did so. The information collected from these texts was stored in a database held by Opera Telecom and was subsequently used by the company for the purpose of sending unsolicited direct marketing SMS messages.

In October 2005 Opera Telecom sent a direct marketing text message to the complainant. Regulation 13 of Statutory Instrument 535 of 2003 refers to unsolicited communications, making it an offence in certain circumstances to send direct marketing messages. The message the complainant received was contrary to this Regulation. It also contravened Section 2 of the Data Protection Acts as the personal data in question had not been obtained and processed fairly and was further processed in a manner which was incompatible with the purpose for which it was originally collected.

During our investigation, my Office discovered that 16,000 concert goers had used their mobile phones to text support for the Global Call Against Poverty Campaign. My Office recognised the potential risk of all of these people being subjected to direct marketing in the same way as the complainant had been. Conscious of this risk, I initially requested in a letter to Opera Telecom that they delete the related Database. When it did not comply with this request, I used my powers under Section 10 of the Data Protection Act and issued an Enforcement Notice. An Enforcement Notice is a legal document and it is an offence not to comply with this. Opera Telecom complied with the Enforcement Notice and deleted the database.

This case highlights an important commercial point - customer and marketing databases may make up a great deal of the value in a business. Abuse those databases and you run the risk of destroying that value.

Meanwhile, if you're on the receiving end you might be interested in the Digital Rights Ireland guide to dealing with SMS spam.

Your personal information is for sale, episode 8,634: Using marketing data to defraud the vulnerable

The New York Times has a story today showing how US crooks are using marketing data to identify and defraud vulnerable older people. One image says it all:

New developments in applying data protection law to the media

One aspect of the Data Protection Commissioner's 2006 Annual Report that will be of acute interest to media lawyers is its application of data protection principles to media coverage of the glitterati and in particular the children of celebrities.

There is an inevitable tension between privacy rights in general (including data protection law) and the interests of the media - particularly when it comes to the insatiable public desire for information about celebrities. Section 22A(1) of the Data Protection Act attempts to resolve this tension by providing a limited exemption from the Act for certain media activities:

Personal data that are processed only for journalistic, artistic or literary purposes shall be exempt from compliance with any provision of this Act specified in subsection (2) of this section if—

(a) the processing is undertaken solely with a view to the publication of any journalistic, literary or artistic material,

(b) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, such publication would be in the public interest, and

(c) the data controller reasonably believes that, in all the circumstances, compliance with that provision would be incompatible with journalistic, artistic or literary purposes.

This exemption incorporates a balancing test - the person publishing the information must reasonably believe that publication is "in the public interest" and that complying with the data protection principle at stake would not be compatible with their "journalistic, artistic or literary purposes".

The 2005 Annual Report indicated that the Data Protection Commissioner would not simply defer to an editor's decision that something was in the public interest:

While this section refers to the reasonable belief’ of the data controller, it does not, in my opinion, give a newspaper editor the sole discretion to judge if something is in the public interest. This point is perhaps more clearly expressed in Article 9 of the Data Protection Directive (95/46/EC) on which section 22A is based. This states that “Member States shall provide for exemptions or derogations from the provisions of (the Directive) for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.”[emphasis added]

In the case of a complaint received by me, I must therefore judge if the data controller properly balanced the right to privacy with the public interest in disclosure. I must have regard to the nature of the facts, including whether the data relates to a public figure or a relative of a public figure, the age of the data subject and whether sensitive data within the meaning of the Acts is involved.

The 2005 Annual Report went on to say that this balancing exercise would be carried out in light of the European Court of Human Rights decision in Von Hannover and the relevant media codes of conduct, and that particular scrutiny would be applied in matters involving children under 16 where editors "should demonstrate the existence of an exceptional public interest in order to over-ride the normally paramount interest of the child."

These principles were applied in the 2006 Report to make two separate findings of a breach of the Data Protection Acts against the News of the World and the Sunday World. The facts of the News of the World case are typical:

I received a complaint on behalf of a data subject, a well-known individual, arising from material published in the News of the World (Irish edition) in 2005. The complaint related to the subject matter of the material published and the manner in which it was obtained. The material published consisted of a photograph of the data subject and child while shopping, together with related text expressly identifying the data subject's child by name and age, and referring to a third party's perception as to how parent and child were getting along. The complainant alleged that consent was neither sought nor obtained prior to the taking of the photograph. The complainant further alleged that consent was not sought nor obtained prior to the publication of the material subsequently in the News of the World newspaper. In particular, the complainant alleged that the publication contravened Sections 2(1), 2A (1) and 22 of the Data Protection Acts. The complainant considered that their right to privacy outweighed any purported journalistic purpose or public interest in the publication of their photograph and accompanying text which was the subject of the complaint.

The News of the World argued that the parent had, in the past, invited this attention and therefore there was a public interest in publishing. This was rejected, however, with the Data Protection Commissioner applying Von Hannover to find that there was no public interest in this case:

I am obliged by Section 3 of the European Convention on Human Rights Act, 2003, to perform my functions in a manner compatible with the State's obligations under the Convention's provisions. Accordingly, in arriving at my conclusion on the applicability of the Section 22A exemption to the facts of the case, I had regard to the provisions of Articles 8 and 10 of the European Convention on Human Rights and any guidance that the European Court of Human Rights (ECtHR) had provided on how the rights to privacy and freedom of expression should be balanced - the same balance that was at issue in relation to the applicability of Section 22A of the Acts.

In this regard, I noted the Decision of the ECtHR in the case of Von Hannover v. Germany (Application No. 59320/00) - the Princess Caroline case. The Court held that the German courts, in refusing to grant Princess Caroline of Monaco injunctions against newspapers taking and publishing photographs of her, had infringed her rights under Article 8 of the Convention. The photographs in question had shown Princess Caroline engaged in various activities such as shopping, playing sport and at the beach. The Court, noting that the material related exclusively to details of the applicant's private life, considered that "the publication of the photos and articles in question, of which the sole purpose was to satisfy the curiosity of a particular readership regarding the details of the applicant's private life, cannot be deemed to contribute to any debate of general interest to society despite the applicant being known to the public." In that case, the Court considered that “anyone, even if they are known to the general public, must be able to enjoy a "legitimate expectation" of protection and of respect for their private life."

While data protection law is not specifically dealt with in the Von Hannover Decision, this case was of assistance in helping me to come to a decision as to the appropriate balance between the public interest in freedom of expression and the individual's right to protection of their personal data, as required by Section 22A of the Acts.

Section 22A(3) of the Acts provides that, in evaluating whether a publication would be in the public interest, regard may be had to codes of practice approved by the Data Protection Commissioner pursuant to the Acts. While no such code has been approved, it seemed appropriate, in reaching a determination, to take note of the newspapers' own codes of practice. In making my assessment, I therefore took account of the National Newspapers of Ireland Code of Practice. In relation to children, the Code provides that they should not be identified unless there is a clear public interest in doing so. Relevant factors are identified as the age of the child, whether there is parental permission, and whether there are circumstances that make the story one of public interest, "or, if the person is a public figure or child of a public figure, whether or how the matter relates to his/her public person or office." I also noted that the UK Press Complaints Commission Code of Practice provides that editors must not use the fame of a parent as sole justification for publishing details of a child's private life and that "in cases involving children under 16, editors must demonstrate an exceptional public interest to over-ride the normally paramount interest of the child”. I was of the view that these provisions represent a fair expression of how the principles of data protection legislation ought to be applied in relation to children and minors.

In coming to my decision, I also noted the allegation, which was not refuted by the data controller, that the photograph was taken without the consent of the data subject. I issued a Decision on this case under Section 10(1) (b) (ii) of the Acts. Among other things, I found that it did not appear to me that the public interest claimed by the data controller in publication of the material in question could be such as to justify setting aside the right to respect for a person's private and family life.

This decision is significant in a number of regards. From a practical point of view it creates a low cost and effective route for a complainant to allege an invasion of their privacy. It makes life significantly more difficult for the media - notably it goes much further than the UK Press Complaints Commission Elle McPherson decision. But it also changes the privacy landscape more generally. Until recently it seemed that privacy issues in the media would primarily be governed by the regulatory package to be implemented by the Privacy Bill 2006 and the new Press Council of Ireland. With the lapse of that Bill (and its uncertain prospects in the new Oireachtas) the Data Protection Commissioner may end up assuming, by default, a role which that Bill had envisaged for the courts. A great deal will depend on whether the Commissioner is willing to leave these complaints to be dealt with by the Press Council - and that in turn will probably depend on how effective the Press Council proves itself to be.

Creative Commons Ireland goes live

Darius Whelan and Louise Crowley at UCC have been working hard on localising the Creative Commons licences for Ireland, and they've now launched a Creative Commons Ireland site with a draft Irish licence. Eoin O'Dell has more on why this matters.

Private use of public information - using public records for marketing

Suppose you are a direct marketer. You learn that all sorts of interesting and lucrative personal data must be made public by State bodies. (For example, the Companies Registration Office must provide details of company directors.) Can you use that information for marketing purposes? Can you package and resell that information to others?

The 2006 Annual Report of the Data Protection Commissioner includes a guidance note which goes into this in detail. The crucial point is that although the Data Protection Acts don't apply to disclosure by state bodies of information which must be made available to the public, they do apply once that information passes into the hands of a third party (such as a marketer). Consequently, if you wish to reuse that information, you must notify the individuals concerned in advance and you must give them a cost free opportunity to opt-out from having that information used for direct marketing.

Full guidance note:

Guidance Note on the Use of Publicly Available Data for Direct Marketing

Last year my Office was contacted by a number of people who had received direct marketing material by post as a result of the publication of their names and addresses on various lists and registers. The authors of these lists and registers were obliged to make them available to the public under law. For example, the Companies Registration Office must make its Register publicly available. Similarly, planning authorities must publish a weekly list of planning applications and planning decisions. All of these documents contain personal data. Section 1(4)(b) of the Data Protection Acts provides that the Acts do not apply to personal data consisting of information that the person keeping the data is required by law to make available to the public. A key point here is that the exemption from data protection requirements only relates to the information in the hands of those public bodies that are obliged to make it available. Any other entity seeking to use such information once in the public domain must comply with the standard requirements of data protection.This is a point that my Office needed to highlight on a number of occasions and I am glad to say it was readily accepted in all instances by those entities in receipt of the advice.

As a result of the level of complaints made to my Office on this issue, I was asked to provide guidance on the re-use of personal data contained in publicly available documents. Set out below, as an example, is the text of an information note which I provided as guidance to the Companies Registration Office:

This information note sets out the position of the Office of the Data Protection Commissioner on the re-use of personal data contained in information in the CRO Register which the CRO is obliged by law to make available to the public. The published information contains "personal data" and each living individual is a "data subject" within the meaning of the Data Protection Acts, 1988 & 2003. Accordingly, the recipients of this information are "data controllers" within the meaning of those Acts. If those data controllers intend to use or further process this personal data in any way, they should be aware of the following Data Protection requirements:

Personal data must be processed fairly. Section 2D (1) (b) of the Data Protection Acts obliges a data controller to ensure, as far as practicable, that the data subject has, is provided with, or has made readily available to him or her, at least the following information not later than the time when the data controller first processes the data or, if disclosure of the data to a third party is envisaged, no later than the time of such disclosure:

● the identity of the data controller
● if he/she has nominated a representative for the purposes of the Act, the identity of the representative
● the purpose(s) for which the data are intended to be processed
● any other information which is necessary to enable processing in respect of the data to be fair to the data subject
● the categories of data concerned
● the name of the original data controller.

The Office of the Data Protection Commissioner considers that it would be reasonable for data controllers to meet these requirements as the information in their possession contains the contact addresses of the data subjects concerned.

In addition, in accordance with Section 2(8) of the Data Protection Acts, a data controller who anticipates that the personal data within the CRO published information, for which they are now the data controller, will be processed for the purposes of direct marketing must offer those persons whose data will be so processed a cost free opportunity to object in advance to receiving direct marketing. This applies both to data controllers who intend to use the personal data for direct marketing potential customers and to data controllers who intend to process the personal data for distribution to third parties for direct marketing by the third parties.

The Office of the Data Protection Commissioner considers that there is no scope for data controllers to target for direct marketing purposes those individuals whose personal data has come into their possession in this way without first having applied this procedure.

Furthermore, data controllers who may have intentions of processing the personal data by placing it on a website (in any format) should be aware that such processing does not meet any of the conditions set down in Section 2A of the Data Protection Acts (processing of personal data) as there is no consent from the data subjects for such processing of their personal data.

The Office of the Data Protection Commissioner holds a strong position on this matter. The Office cannot envisage any case where the processing of personal data obtained in this way is necessary for the purposes of the legitimate interests pursued by the data controller. Such legitimate interests must be balanced with the fundamental rights and freedoms of the data subjects themselves. The Office considers that this balance is not reflected in the posting of such personal information on a website.

Data Controllers who fail to comply with all of the requirements set out above may be deemed to have breached the Data Protection Acts. Breaches of Data Protection legislation may be reported to, and investigated by, the Data Protection Commissioner. Where the Commissioner forms the opinion that a data controller has contravened or is contravening a provision of the Acts, he may use the enforcement powers conferred on him under the Acts. This includes the power to require a data controller to destroy the database concerned.

A day in the life of the surveillance society

The Data Protection Commissioner's Annual Report, following the lead of his English counterpart, has a very interesting account of a day in the life of our surveillance society and how we can expect it to make terrorist suspects of law abiding individuals:

A Day in the Life

07:00 Annie Wun wakes up and turns on her computer to access the internet. She begins by checking the news using her account on an on-line news source. She had checked the privacy policy of the website before registering and was satisfied with the uses made of her data.

07:15 Annie searches for some personal items online. The searches together with her IP address (a unique address assigned to Annie's PC by her internet service provider (ISP)) are recorded and retained by the ISP for an unknown period of time and without a specified purpose. Searches made by Annie are also retained by the search engine and sometimes clearly used for targeted marketing purposes.

07:30 Annie phones her father to talk about a story on the news. The record of her call to her father is retained by her phone provider for a period of 3 years as required by law. It will be available to An Garda Síochána (and hopefully nobody else) should the need arise as part of any criminal investigation.

08:00 Annie leaves her house and drives to work. She passes through a toll booth using her easy travel card. Information is stored about the time her car passes through the booth and other booths along the journey each time. Again this information is retained and may be accessed for law enforcement or other purposes.

09:00 Annie reaches her workplace. CCTV cameras record her arrival as her employers are concerned about the security of the workplace. The use of CCTV was communicated to employees in advance of implementing the system and it was made clear to them that images from the system would only be used for security purposes and would be kept safe and secure.

Annie's employers were also concerned about their ability to properly track their employees in terms of time worked in the workplace so, after considering many options, they introduced a biometric thumb print clock-in system which records each employee each time they enter and leave the workplace. Annie was concerned that such a system was a bit intrusive into her personal space but most of her colleagues seemed unconcerned so she went along with it. There are no details available to Annie as to what other uses her employer might make of the information or indeed what security is in place to protect her personal data stored in the system.

09:15 Annie logs onto her email to check for any emails received. She has received a number of work related emails which require her attention and one personal email. Her employer has an email and internet usage policy in the workplace stating that some limited personal use of these facilities is permitted but that inappropriate usage is not permitted. Annie understands that this means that her employer may check her emails and internet usage from time to time or in response to a genuine suspicion of inappropriate usage. However, her employer may not check her mail or internet usage on an ongoing basis since this would intrude on her legitimate, limited personal use of these systems.

11:15 Annie uses her coffee break to check her bank balance using her bank's on-line service. Her bank knows how much use she makes of her account and has credit-profiled her based on this use for a €10,000 loan which is offered to her upon log-in. She doesn't accept.

Annie had spoken to her younger brother the previous evening and agreed to send him some additional funds. He is back-packing around Europe. Annie chooses the fund transfer option. Her bank, in common with all other major financial institutions, uses the SWIFT exchange system for such transfers. It is not made clear to Annie that details of the transfer may be accessed by the US Government as part of its efforts to combat the financing of terrorism.

13:00 Annie pops out for lunch and visits her local supermarket to pick up some things for the house as she is planning a major spring clean at the weekend. She hands in her store card to collect loyalty points as part of the purchase. Her supermarket accesses her information to monitor her buying habits and offers some suitable products in her next mail shot. She doesn't mind as she personally doesn't care what the supermarket knows about her buying habits. She was, of course, recorded on the shop's CCTV system as she entered and exited the shop.

13:20 Annie visits her local library to return a self help book “Male and Female Chemistry” and takes out a book on building self esteem “Love Bomb People”. She uses her library card which stores her usage pattern on the local authority database.

13:45 Using her lunch-break, Annie phones the Revenue Commissioners to query her tax allowances. She gives her personal public service number (PPSN) to the person on the other end of the phone line. They use her PPSN to pull up her name and address and a complete record of her dealings with the Revenue Commissioners for the past number of years. This reveals that she is a member of a Trade Union (a fact that her employer is unaware of), pays her refuse charges and claimed a substantial amount in medical
expenses the previous year.

16:00 Annie has to leave work early today to attend hospital for an appointment with her specialist. Annie still suffers from pain from an accidental shotgun wound in her leg suffered in an accident while on her family farm 3 years ago. Upon arrival, she gives her details. Her full medical file is with her specialist. This is not a concern as she wishes this to be the case. She is also aware that her full medical history is entered on an electronic system in the hospital. She does not mind this either but assumes that her records are only accessed by those persons who need her information to treat her.

18:00 Annie arrives home. She picks up her post which arrived after she left the house in the morning. Her credit card company is offering her another loan and has increased the credit limit on her card (without her asking) based on their analysis of her usage. She has also received direct marketing from a company with which she had no previous dealings offering her services for the property for which she has just made a planning application. She is very surprised at this as the local authority had not informed her that her personal details would be made public as part of the planning process. She has also received an unwanted text message offering her similar services. She is also very surprised by this but remembers that her local authority had asked her for her mobile phone number as a means of contacting her.

19:00 Having eaten dinner, Annie logs onto the internet again and books a flight to New York (she will in fact have minor plastic surgery undertaken). In doing so, a large amount of her personal details, which she was required to make available to book the flight, will be made available to the US authorities, in advance of her travelling, as part of its security procedures. Using this information, an assessment will be made as to whether she poses a threat to US security. The airline, through on-screen information, had provided some details of this but Annie does not normally read all such optional information, so is not aware of this.

20:00 Annie receives a call on her mobile phone. She doesn't recognise the number but answers it in any case. Upon hearing her name the person hangs up and Annie thinks nothing more of it. Unknown to Annie, the person who had phoned her number by accident is suspected of criminal activity by An Garda Síochána. They will shortly make a formal request under the provisions of the Criminal Justice Act 2005 for all records of phone activity by that person. This will highlight that Annie's number was phoned. As a result, An Garda Síochána will also request all details of her mobile phone usage for the past 3 months to ascertain whether she is relevant to their inquiries. This will ultimately reveal that she is not but only after all her mobile phone usage - including her location when she made and received calls - is thoroughly examined. Annie finishes her day by watching Big Brother on television. Her personal data is not made available to anybody else for the rest of the day.

Surveillance Society?

Well, why would law-abiding Annie Wun have anything to worry about? Her daily life has been made easier by the use of modern technology and she has willingly shared her personal information to get these benefits. Then again, perhaps she should worry. What if the information retained about her were pulled together in one place? The profile which emerges, and the conclusions that could be drawn from it, might give her an unpleasant surprise. Step forward Annie Wun, terrorist suspect?

ANNIE WUN:

Internet News Search: Articles of Interest include “London Terrorists Charged” (internet records).
Web searches: Plastic surgery.
Fund Transfer: Made out to a male in Hamburg.
Medical records: Operated on for gunshot wound.
Criminal records/offences committed: Yes. (Two speeding fines)
Local Authority library files: A word search threw up two hits - “chemistry” and “bomb”.
Phone records: Call received from known criminal.
Shopping habits: Large variety of hazardous cleaning materials purchased.
Holiday plans: Travelling on a flight to New York next week.

Just how public should public information be?

There is a conflict between requirements that some personal information should be made public (such as the contents of electoral registers) and the data protection principle that the disclosure of personal information should be minimised. This conflict becomes acute when public files which were previously hard to access are put online. Is there a qualitative difference between personal information available on paper in a local authority office and that same information coming up as the result of a Google search? Does technology disrupt the balance between the competing interests of publicity and privacy?

This issue was dealt with in the Data Protection Commissioner's 2006 Annual Report

Local Authority: Minutes of council meetings
I received a complaint from a member of the public concerning the publication on a local authority's website of the minutes of the Council's monthly meeting. The complainant informed me that his name and address had appeared in the minutes of the meeting in the context of the sale of lands and properties under the Affordable Housing and Shared Housing Schemes. He expressed concern at the publication of his personal data in this way on a local authority website as well as the ensuing exposure of his personal data on search engines.

My Office contacted the local authority on this matter. We pointed to the important principle outlined in the Annual Report in 2003 that, even where there is legislation providing that information must be made available to the public, this may not always mean that it is appropriate to place such information on a website. On foot of my Office's intervention, the local authority took swift remedial action. It removed the document containing the personal data and edited it in such a way that all names and addresses included on it in respect of the Affordable Housing and Shared Housing Schemes were removed. The local authority also contacted one particular search engine that the complainant was concerned about and sought the deletion of the record from its cache. Finally, the Authority undertook to ensure that the website version of its minutes would, in future, be edited to prevent the disclosure of personal data.

This appears to be a sensible compromise in the individual case, but it leaves several issues open for the future. Strictly speaking, the Data Protection Acts have no application in this situation. (Section 1(4)(b) provides that "This Act does not apply to ... personal data consisting of information that the person keeping the data is required by law to make available to the public".) Consequently one might ask - if legislation requires that certain information be made public, is it appropriate that it should only be made public in a way which is particularly difficult to access? Will this create an unfair disparity in access? More sophisticated searchers will still be able to find the information they seek in person, while the general public who don't know of the availability of this information may be cut off. Should the law recognise different degrees of "publicity" in public information? Is there a parallel with developments in the European Court of Human Rights, where in cases such as Peck the Court is increasingly looking at the extent of the disclosure of personal information to see whether there has been an Article 8 violation?

For an interesting take on these issues in a US context, see Givens, Public Records on the Internet: The Privacy Dilemma.

Data Protection Commissioner 2006 Report Published

The Data Protection Commissioner has now published his 2006 Annual Report (Full text (PDF), summary).

There are several very important issues raised in that Report (including direct marketing by email, personal information which must be made public by law, and application of data protection law to the media) and I'll look at some of these in follow up posts.

A good day to bury bad news - Labour attempts to bury spiralling cost of ID cards

BBC News:

ID card cost rises above £5bn

The official cost of the ID card scheme has risen by £400m to £5.31bn, the Home Office says.

The figure was released as Tony Blair announced his departure, leading to claims from the opposition that the government was "burying bad news".

The Tories also say that the actual rise in costs, when expressed in 2007/08 prices, is £640m.

The Home Office say that figure is 'concocted' and the increase was due to staff and anti-fraud expenditure.

Amid the row about the actual rise in the cost of the scheme, the Tories and Lib Dems also say that the Home Office broke the law by releasing the updated costings a month later than they should have.

Under the Identity Card Act, the government must give an update on the costs of the scheme twice a year. The latest update was due on 9 April.

Hopefully the fiasco of UK identity cards will deter attempts to introduce them in Ireland.

"Mumsnet" case shows problems with forum liability for member comments

The Telegraph reports:

The controversial childcare expert Gina Ford today dropped her threat to sue the parenting website Mumsnet after a year-long dispute was settled out of court.

Lawyers for Ms Ford, author of The Contented Little Baby Book, agreed to halt legal action after the popular website agreed to pay a contribution of her costs and prevent “personal attacks” on the site.

The agreement brings to an end a bitter dispute that began more than a year ago.

Some of Mumsnets’ 60,000 members used messageboards to attack Miss Ford’s famously rigorous childcare methods.

A sarcastic comment last August accused her of “strapping babies to rockets and firing them in to south Lebanon”.

Ms Ford, 52, a strong advocate of routine, said the remarks amounted to “serious and offensive libel” and caused her huge distress.

She began legal proceedings against the site, which receives up to 15,000 internet posts a day.

Justine Roberts, the founder of Mumsnet, in turn accused Miss Ford of conducting a “menacing” campaign to stifle negative comment, which Ms Ford strongly denied.

But after a series of legal letters and an eight-week mediation period, both parties announced today that the dispute had been settled.

The exact terms of the agreement are confidential, but it is understood that Mumsnet has apologised and made a contribution to Gina Ford’s substantial legal costs to protect its individual members from legal action.

It has also agreed to abide by its own “personal abuse” policy, preventing members from making unnecessary attacks on individuals. The ban on discussing Miss Ford’s methods has also been lifted.

Cases such as this highlight the draconian nature of English (and Irish!) libel laws, which in effect require bulletin boards and other social sites to police the actions of their users or risk being crippled by the costs (let alone the damages) of a libel action. This is difficult enough on a low-traffic site, let alone one which receives 15,000 posts a day. Quite apart from the chilling effect on freedom of expression, this also presents a competitiveness problem - why set up operations in Dublin or London when you can avail of a much more publisher friendly jurisdiction in the United States?

[Update] The Mumsnet site has now put up its own perspective on these issues:

Like many other website publishers, we have long maintained that libel law has not caught up with the digital age with the result that freedom of expression is being unacceptably curtailed. Now that we have settled our long running dispute with Gina Ford, we intend to campaign energetically for a review of how libel legislation applies to the internet.

Put crudely, the current legal situation is the rough equivalent of trying to use a set of railway signals to control the air traffic over Heathrow – the principles may be fine but different forms of communication, just like different forms of transport, require a different approach. Currently the law regards a bulletin board just as it does a newspaper or a book.

In fact the Law Commission, the body which advises the government on legislation, recognized this problem in 2002, warning that a rethink of defamation law was needed to protect freedom of speech online. At the time Hugh Beale QC, one of the law commissioners, warned: "When a website carries material to which someone objects - rightly or wrongly - it is often easier to complain to the ISP than to the author. The problem is that the law puts ISPs under pressure to remove sites as soon as they are told that the material on them may be defamatory. There is a possible conflict between the pressure to remove material, even if true, and the emphasis placed on freedom of expression by the European Convention of Human Rights."

Since then, however, no changes have been made to the law governing defamation on the internet and we believe website publishers running bulletin boards now find themselves in a similar position to that described by Mr Beale. Faced with any complaint about a bulletin board posting, website publishers, frequently small businesses or individuals with limited resources, find themselves with little choice but to remove the posting, with obvious consequences for freedom of speech.

Mumsnet has this week written to the Department of Constitutional Affairs urging the government to reconsider this area in its forthcoming consultation on defamation.

In particular we have asked to government to address these points:

1. Does holding websites liable for postings by users on their bulletin boards have the effect of unacceptably curtailing freedom of expression?
2. Is a website which swiftly removes material following a complaint protected from liability for the posting? And how swift is swift?
3. Should the different nature of bulletin board communication be taken into account in assessing whether a complainant has been defamed? For instance if a single poster makes a defamatory comment but is immediately rebutted by a large number of users should the resulting thread be considered as defamatory? Or should there be a requirement to consider bulletin board conversations in the whole?

We would stress that we accept that individuals have a right to protect their reputations. However this right always has to be balanced against the rights of others to freedom of expression. At present we believe that this balance is not struck in the right place.

The E-Commerce Directive was intended to make online business easier by removing some of these liability fears. Unfortunately, it was drafted narrowly to apply to mere conduits (telecommunications providers), caching and hosting only. This appears to leave other online intermediaries (such as search engines, bulletin boards and content aggregators) out in the cold, unless they can bring themselves within the hosting defence. Might a bulletin board be able to rely on the hosting defence in respect of user posts? I have been unable to track down any discussion of this precise issue, but Lillian Edwards analyses a related issue in respect of eBay liability for user advertisements here.

UK Interim data retention measures published

The Register reports that the Home Office has published draft regulations to require data retention for the interim period before the data retention directive must be implemented. As with the current Irish law this will cover details of all calls made or texts sent, and also location data in the case of mobile phones. The Home Office proposes a twelve month retention period with discretionary cost reimbursement for affected telcos.

The telescreen: coming soon to a street near you

The Telegraph reports that:

Britain is already one of the most watched nations on earth and now "talking” CCTV cameras are to be installed in 20 areas across the country.

The loudspeakers will allow CCTV operators to bark orders at people committing anti-social behaviour.

As usual, Eric Blair was well ahead of Tony Blair:

'Smith!' screamed the shrewish voice from the telescreen. '6079 Smith W.! Yes, you! Bend lower, please! You can do better than that. You're not trying. Lower, please! That's better, comrade. Now stand at ease, the whole squad, and watch me.'

Eric Blair watched by Tony Blair

This is London takes a look at the pervasive surveillance surrounding George Orwell's former home:

According to the latest studies, Britain has a staggering 4.2million CCTV cameras - one for every 14 people in the country - and 20 per cent of cameras globally. It has been calculated that each person is caught on camera an average of 300 times daily.

Use of spy cameras in modern-day Britain is now a chilling mirror image of Orwell's fictional world, created in the post-war Forties in a fourth-floor flat overlooking Canonbury Square in Islington, North London.

On the wall outside his former residence - flat number 27B - where Orwell lived until his death in 1950, an historical plaque commemorates the anti-authoritarian author. And within 200 yards of the flat, there are 32 CCTV cameras, scanning every move.

Orwell's view of the tree-filled gardens outside the flat is under 24-hour surveillance from two cameras perched on traffic lights.

The flat's rear windows are constantly viewed from two more security cameras outside a conference centre in Canonbury Place.

In a lane, just off the square, close to Orwell's favourite pub, the Compton Arms, a camera at the rear of a car dealership records every person entering or leaving the pub.

Within a 200-yard radius of the flat, there are another 28 CCTV cameras, together with hundreds of private, remote-controlled security cameras used to scrutinise visitors to homes, shops and offices.

The message is reminiscent of a 1949 poster to mark the launch of Orwell's 1984: 'Big Brother is Watching You'.

Zooomr - Free pro photo hosting for bloggers

Zooomr are offering a free pro account to bloggers who host their images with them.

The only condition - you must host one of your blog photos with them. This is mine.

Up up and away Hosted on Zooomr

I'm very interested to see how Zooomr stacks up against Flickr. Unfortunately both have an annoying problem - try giving the url to somebody who isn't already familiar with the fun world of Web 2.0 naming. Chances are they'll end up at flicker.com, zoomr.com or zoomer.com - all of which are (now very valuable because of all the misdirected traffic) parked domains. In effect, Flickr and Zooomr have a self-inflicted typosquatting problem.

Blogger beware: Blog libel and privacy action settled for £150,000

The Guardian reports that an action by Martin Sorrell and Daniela Weber for libel and breach of privacy by way of email and blog has settled without admission of liability for a total of £150,000 - £120,000 to him, £30,000 to her. The level of the settlement (which included a nominal sum for the plaintiffs' costs) appears to reflect the plaintiffs' difficulty in linking the anonymous material to the defendants.

Background to the case:

Two former business partners of advertising boss Sir Martin Sorrell launched a "vicious" campaign against him on blogs and emails, a court heard today.

One of his former associates referred in a private email to the WPP boss as a "mad dwarf" and described the company's former chief operating officer in Italy as a "nympho schizo", the High Court in London was told.

Marco Benatti, WPP's former manager in Italy, and his lieutenant Marco Tinelli, were spurred to publish defamatory remarks after Sir Martin sacked Mr Benatti over allegations of financial irregularities at WPP's Italian business, Sir Martin's barrister said.

Opening his case at a libel and invasion of privacy trial, Desmond Browne QC said the two men had taken "countermeasures" against Sir Martin and WPP's chief operating officer in Italy, Daniela Weber. ...

The "counter-measures" against Sir Martin included a blog that appeared in March last year containing a "host of libels" against the WPP boss, Mr Browne said.

Although the blog was taken down after three days, another one appeared a month later, he said.

"The day that Sir Martin managed to get the blog taken down, Mr Benatti emailed his friends saying that blogs were like mushrooms, they sometimes pop up again the next time it rains," Mr Browne said.

"What could be a stronger pointer to Mr Benatti's knowledge of what was going on and his being the architect of the whole exercise than that email shortly after the blogs had been taken down suggested that blogs were like mushrooms?"

Mr Browne said the other "countermeasure" was a series of emails that included a "vicious Jpeg image grossly intruding into the privacy of Sir Martin and Ms Weber".

"Naturally it would be to intrude further to even start to describe them. We say Mr Tinelli was directly involved in the dissemination of that vicious image.

"There is no doubt that he felt just as bitterly towards Sir Martin and Ms Weber as did his boss, Mr Benatti. I say 'no doubt' because on the very morning of the day the images were sent out by email he referred to them as the mad dwarf and the nympho schizo."

Mr Browne said that the two men had taken "elaborate steps to cover their tracks" but that computer evidence implicated them.

Data Protection Commissioner Guidance on CCTV in the Workplace and Biometrics in Schools

The Data Protection Commissioner has given two important guidance notes on the use of cctv in business premises and the use of biometrics in schools. In both case the guidance is very protective of privacy rights.

Significantly, the biometrics guidance takes a different approach to that recently adopted in England. The English approach has been to accept that once a minor is mature enough to give an informed consent to the use of biometrics in schools, parental consent is no longer required. Under this guidance, however, parental consent will always be necessary in the case of a minor, and if the minor is aged twelve or above they must also consent:

In the context of students attending a place of education, the Data Protection Commissioner would stipulate that the obtaining of consent is of paramount importance when consideration is being given to the introduction of a biometric system. It is the Commissioner’s view that when dealing with personal data relating to minors, the standards of fairness in the obtaining and use of data, required by the Data Protection Acts, are much more onerous than when dealing with adults. Section 2A(1)(a) of the Data Protection Acts states that personal data shall not be processed by a data controller unless the data subject has given his/her consent to the processing, or if the data subject by reason of his/her physical or mental incapacity or age, is or is likely to be unable to appreciate the nature and effect of such consent, it is given by a parent or guardian etc. While the Data Protection Acts are not specific on what age a subject will be able to consent on their own behalf, it would be prudent to interpret the Acts in accordance with the Constitution. As a matter of Constitutional and family law a parent has rights and duties in relation to a child. The Commissioner considers that use of a minor’s personal data cannot be legitimate unless accompanied by the clear signed consent of the child and of the child’s parents or guardian.

As a general guide, a student aged eighteen or older should give consent themselves. A student aged from twelve up to and including seventeen should give consent themselves and, in addition, consent should also be obtained from the student’s parent or guardian. In the case of children under the age of twelve, consent of a parent or guardian will suffice. All students (and/or their parents or guardians as set out above) should, therefore, be given a clear and unambiguous right to opt out of a biometric system without penalty. Furthermore, provision must be made for the withdrawal of consent which had previously been given.

Two aspects of this guidance may be significant in the future - in requiring a double lock (both parental and child consent) is there a possibility of a knock on effect in the area of marketing to children? (Where previously the consent of a child mature enough to give an informed consent would have sufficed.) Also, in imposing a strict test for determining when the use of biometrics is proportionate or necessary in education, will there be an impact on the use of biometrics in other sectors?

The Register has a good discussion of the biometrics guidance note here. I've previously blogged about this issue here.

Blogger beware - legal issues facing Irish bloggers

Many thanks to the IIA and Fleishman-Hillard for hosting a session on Blogging, New Media, Business and the Law. My presentation on issues such as defamation, contempt of court, copyright and privacy (ppt file) is available here and Brian Greene has podcast the event here. Tom Murphy gave a very interesting presentation on online marketing, and he's blogged about the event here.