Wednesday, November 30, 2005
Digital Rights Ireland Launches
Next Tuesday, December 6th sees the formal launch of Digital Rights Ireland, with a press conference in the Conference Room, Pearse St. Library, Dublin 2 at 11.00am. (Directions). We would like to formally invite you to come along - we'd welcome your support, and the chance to chat with you about your concerns after the main conference. Please feel free to invite anyone else who you think would be interested in digital rights.
Monday, November 28, 2005
Your personal information is for sale - Motorists edition
The Mail on Sunday headline says it all: "DVLA sells your data to criminals"
The Government is selling the names and home addresses of motorists on its drivers' database to convicted criminals, a Mail on Sunday investigation has revealed.
The Driver and Vehicle Licensing Agency (DVLA) tells would-be wheel-clampers there is "no problem" with them buying drivers' home addresses - even if they have a criminal record.
Indeed, the two bosses of one clamping firm on the list of companies to whom the DVLA is happy to sell drivers' details are currently serving seven years' jail between them for extorting money from motorists.
The Mail on Sunday has now forced the DVLA to hand over its list of 157 firms which can buy personal information about drivers at £2.50 a time. All the companies need do is tap in a registration plate, and back comes the full name and address of the vehicle's owners.
The dossier shows that details of millions of drivers have been made available to bailiffs, credit control companies, debt collection agencies, property management firms, leisure centres, solicitors - and even one of the world's biggest loan and financial services companies.
A number of other companies on the list appear to be dissolved or simply not to exist.
The revelations, which suggest that the DVLA is in flagrant breach of data protection laws, last night caused a storm of protest, with MPs demanding an immediate end to the practice.
In Ireland the bodies which hold this information are the motor tax offices of each local authority. Queries have to be made by letter, and they charge somewhat more per query at €6. The legal basis for disclosure is Regulation 23 of the Road Vehicle (Licensing) Regulations, 2003:
A licensing authority shall, upon application, supply particulars from the licensing records or the joint licensing records:
(1) upon payment of the relevant amount specified in the Third Schedule to these Regulations, to any person who satisfies the licensing authority that he has reasonable cause therefor
The Regulations don't define "reasonable cause", leaving this up to the judgment of the manager in the relevant local authority. There doesn't appear to be any particular system in place to vet applications for release of these details. There may be scope for an enterprising journalist to put in a freedom of information request to see whether any similar abuses have taken place over here.
Sunday, November 27, 2005
Introducing Digital Rights Ireland
I've been involved recently in helping to set up Digital Rights Ireland, a civil rights group which will focus on issues such as privacy and freedom of expression online. We're now working towards a launch, and as part of the pre-launch publicity I recently did a podcast interview with Tom Raftery.
The interview covered how DRI came to form, what our core beliefs are and where we'll be taking the campaign for online civil and human rights. You can listen to the mp3 of the podcast here:
http://www.tomrafteryit.net/everything-you-blog-is-false/
Monday, October 24, 2005
Your personal information is for sale - private eye steals information to track down victim of domestic abuse
Via The Register
A private detective was fined this week for unlawfully obtaining information relating to 'vulnerable women' from medical centres. Ray Pearson, a director of North London-based Pearmac Ltd, was prosecuted by the Information Commissioner’s Office.
Pearson also persuaded an employee from Her Majesty’s Revenue and Customs (HMRC) to hand over his Employee Identity Number, and then misrepresented himself in order to find out about a customer of HMRC.
The Office of the Information Commissioner adds details on further offences also committed by Pearson.
Appalling as this report is, the full story behind it is worse. Two of the cases involved will show why.
One of the people whose information was stolen, Ms. X, was a victim of domestic abuse. She had left her husband, taking her daughter with her, to start a new life. The husband hired a private eye to track her down. He, in turn, subcontracted the work to Pearson. Pearson decided to track Ms. X via her father. Knowing that her father was a patient of a particular medical centre, Pearson rang the centre pretending to be from the local health authority and stating that he needed to contact the father in relation to a prescription. The medical centre gave him the father's telephone number, taking him one step closer to tracking down Ms. X on behalf of her abusive husband.
Another victim, Ms. Y, had recently been a prosecution witness in a criminal case. She discovered that her friends and associates were receiving suspicious telephone calls. Her utility company also received suspicious calls, as a result of which some of her personal information was revealed. British Telecom was also called in an attempt to obtain personal information. Most seriously, her GP was contacted by a person pretending to be a psychiatrist, seeking access to her medical file. Inquiries by the Office of the Information Commissioner revealed that these phone calls all came from Pearson's premises.
Why do these cases matter? When we express concern about issues such as data retention the official response is often that "the innocent have nothing to fear". These cases prove the contrary - you do not have to have done anything wrong to have your personal information stolen by unscrupulous criminals. The more information stored on you, the easier it will be for these abuses to take place, and the more risk you may be put in as a result.
(The information on the two cases above was supplied by the Office of the Information Commissioner and is redacted to protect the identities of the victims.)
Monday, September 26, 2005
Your personal information is for sale - Social Welfare edition
The Sunday Times reports that civil servants have been caught snooping through the social welfare files of lottery winner Dolores McNamara:
Officials at the Department of Social and Family Affairs have discovered there were up to 150 hits on McNamara’s welfare files after she scooped the EuroMillions prize. Departmental managers are now asking civil servants to explain why they opened her records.
While a small number of staff may have genuine reasons, it is believed the majority did not and could have broken data protection laws and department rules. Civil servants face disciplinary action or even criminal prosecution if they cannot show good cause for accessing the Limerick woman’s details.
The investigation was ordered after McNamara’s social welfare history was reported in detail by the media. The amount of social welfare payments she supposedly received, including specific dates, were published. The figures and dates, if correct, suggested the information could only have come from someone extremely close to her, or from someone with access to her social welfare records.
Presumably some civil servants were browsing her records for their own curiosity: but obviously some have realised that there's money to be made by selling information to the media. This isn't the first time that this has happened in Ireland, prompting the question: why should we trust the Government on data retention when they are incapable of protecting the personal information which they already have?
Thursday, July 14, 2005
Tackling spam - some freedom of expression problems
Wendy McElroy explains that new US anti-spam / child protection laws could criminalise perfectly ordinary email mailing lists, while attempting to comply with the laws will involve handing a list of recipients over to the government for vetting:
Both Utah and Michigan have created a 'child protection registry' for email addresses that belong to children or to which children have access. It functions like a 'no call list.' Spamfo.co explains, 'Once an email address is on the registry, commercial emailers are prohibited from sending it anything containing advertising, or even just linking to advertising, for a product or service that a minor is otherwise legally prohibited from accessing, such as alcohol, tobacco, gambling, prescription drugs, or adult-rated material.' In short, e-newsletters (such as ifeminists.net) are not permitted to send to registered email addresses if those newsletters include URLs to news sites that, in turn, link to child-inappropriate commercial information or products such as casino or viagra ads, tobacco or alcohol for sale.
Many credible news sources -- especially British ones, it seems -- offer links to adult-themed sites or products. These links can change constantly, which means that it is impossible to check a URL and 'clear' it of so-called objectionable links or ads.
Moreover, e-mailing to registered addresses is illegal even if the newsletter was requested, and the legal penalties for doing so are imposed without notifying the offender so that he/she can rectify the situation. What are those penalties? To quote Prof. Mitchell again, 'Under these laws...that email sender faces strict liability which can include up to 3 years in prison, and fines of $30,000 or more. In addition, ISPs and the individuals whose email addresses are on the registry have a right of action against the sender, as does the state attorney general.'
The only protection is for the emailer to make sure that a particular address is not 'illegal' by matching his/her mailing list against the registries. That process requires at least two things that I am unwilling to do: 1) turn my mailing list over to the government; and 2) pay a per-address fee.
There's more on these new laws from Declan McCullagh at News.com.
Linking as copyright infringement?
From ZDNet Australia:
It took almost two years but major record labels in Australia have finally won a legal battle against a Queensland man and his Internet Service Provider for alleged music piracy.
Stephen Cooper, operator of the mp3s4free Web site, was found guilty of copyright infringement by Federal Court Justice Brian Tamberlin.
Although Cooper didn't host pirated recordings per se, the court found he breached the law by creating hyperlinks to sites that had infringing sound recordings.
More analysis at The Register.
Saturday, July 09, 2005
Your personal information is for sale - Mobile phones edition
The Washington Post reports on the open sale of mobile phone (cell phone) records in the US. Excerpt:
Think your mate is cheating? For $110, Locatecell.com will provide you with the outgoing calls from his or her cell phone for the last billing cycle, up to 100 calls. All you need to supply is the name, address and the number for the phone you want to trace. Order online, and get results within hours.
Carlos F. Anderson, a licensed private investigator in Florida, offers a similar service for $165, for all major telephone carriers.
"This report provides all the calls with dates, times, and duration on the billing statement," according to Anderson's Web site, which adds, "Incoming Calls and Call Location are provided if available."
[...]
Such records could be used by criminals, such as stalkers or abusive spouses trying to find victims.
[...]
"Information security by carriers to protect customer records is practically nonexistent and is routinely defeated," said Robert Douglas, a former private investigator and now a privacy consultant who has tracked the issue for several years.
Experts say data brokers and private investigators who offer cell phone records for sale probably get them using one of three techniques.
They might have someone on the inside at the carrier who sells the data. Spokesmen for the telephone companies said strict rules prohibiting such activity make this unlikely. But Joel Winston, associate director of the Federal Trade Commission's Financial Practices Division, said other types of data-theft investigations have shown that "finding someone on the inside to bribe is not that difficult."
Another method is "pretexting," in which the data broker or investigator pretends to be the cell phone account holder and persuades the carrier's employees to release the information. The availability of Social Security numbers makes it easier to convince a customer service agent that the caller is the account holder.
Finally, someone seeking call data can try to get access to consumer accounts online.
I've written before about similar problems in Ireland.
Thursday, July 07, 2005
Your personal information is for sale - Russian edition
There's a fascinating story in the Globe and Mail about the sale of personal data in Moscow. Excerpt:
"What do you need?" he says. "We have everything."
In Moscow these days, among people who deal in stolen information, the category of everything is surprisingly broad.
This Gorbushka vendor offers a hard drive with cash transfer records from Russia's central bank for $1,500 (Canadian). The information was reportedly stolen by hackers earlier this year and purchased by companies looking for details about their competitors. Such information, the vendor admits, is fairly specialized. A more popular item is tax records, including home addresses and declared incomes. The vendor asks $215.
Russians routinely lie about their earnings to avoid taxes; nonetheless, an increasing number of criminals are relying on pirated tax information to help them choose wealthy targets.
When gunmen broke into the gated home of Mikhail Pogosyan, head of Russian aerospace giant Sukhoi, in a brazen robbery last week, the businessman immediately blamed the proliferation of his personal details on the black market.
"Before, robberies of such people happened very seldom, just by chance," says a Sukhoi spokesman, Alexei Poveschenko. "Criminals preferred not to deal with VIPs, but now it's different. On every corner you can buy a database with all kinds of information: income, telephones, cars, residence registration."
[...]
At the Gorbushka kiosk, sales are so brisk that the vendor excuses himself to help other customers while the foreigner considers his options: $43 for a mobile phone company's list of subscribers? Or $100 for a database of vehicles registered in the Moscow region?
The vehicle database proves irresistible. It appears to contain names, birthdays, passport numbers, addresses, telephone numbers, descriptions of vehicles, and vehicle identification (VIN) numbers for every driver in Moscow.
Via Semantic Bits
Wednesday, July 06, 2005
High Court to hear application for disclosure of filesharers' identities
The application for disclosure will be held this Friday (8th July). The hearing is open to the public, so feel free to come along if you're interested in learning more about the privacy / online anonymity / data protection issues.
The case (2005 2014P EMI RECORDS IRELAND LIMITED V EIRCOM LTD) is in the Commercial List so it should be before Mr Justice Kelly in Court 9 (in the main Four Courts building) at 10.30.
From the Irish Times (subscription only):
The High Court was told yesterday that Eircom and BT are not opposing the "substantive" proceedings by four music companies aimed at securing the names of persons who have uploaded thousands of music tracks onto file-sharing networks.
The proceedings could lead to actions for damages being brought against those persons.
Yesterday, while not opposing the action, John Gordon SC for BT Communications Ireland Limited said he wanted to make submissions as to how the court should exercise its discretion regarding the form of order in the case. It is believed those submissions will relate to how the rights of the music companies should be balanced against consumers.
[...]
Mr Gordon said he proposed to file an affidavit by tomorrow for the purposes of assisting the court as to how it should exercise its discretion in the matter.
His client was not opposing the proceedings, but believed the submissions would assist the court in exercising its discretion in the correct manner in relation to how consumers were affected.
Edited to add: ENN reports on this story also.
Tuesday, June 28, 2005
Digital search and seizure
There's a grey area around police powers to compel intermediaries such as ISPs to hand over digital evidence. In both Ireland and the UK, though, the issue seldom arises because most ISPs seem to be happy to give voluntary cooperation, avoiding the need for the police to rely on their compulsory powers. However, this strategy falls down when an intermediary decides not to play ball, and the seizure of Bristol Indymedia servers illustrates the problems that result.
An Indymedia press release gives the background:
On Mon 20th June, Bristol Indymedia (IMC Bristol) received an email from the police asking to contact them with reference to a posting on the IMC Bristol newswire. IMC Bristol volunteers appointed a solicitor and started briefing them to contact the police on their behalf. On Tue 21st June, the police contacted an IMC Bristol volunteer asking for IP logs. The subject of the police enquiry was a posting claiming that damage had been done to either some cars on a train transport, the transport itself, or the railway line.
Bristol Indymedia volunteers hid the post (originally posted late in the evening of 17th June) from their main newswire within 24 hours of it being posted - as it violated IMC Bristol editorial policy - and well before the police made initial contact.
When the solicitor contacted CID on the 21st to inform them that they could not have the server, or access to it, the police said that they could go through data protection and legal moves to get the logs or get a search warrant, and that they may arrest somebody for obstructing the course of justice.
At this point, an IMC Bristol volunteer informed IMC UK about the events. IMC Bristol then contacted Liberty, whose legal advisor contacted the police to press them on the issue that this server was considered an item of journalistic equipment and so subject to special provision under the law. The police have yet to confirm this. NUJ and Privacy International have also been contacted.
As of 24th June 2005, IMC Bristol remain in possession of their server. Communications with the police, and between various legal and civil rights organisations continue while technical and legal issues surrounding the case are clarified. Bristol Indymedia is an independent news service. As part of our policy, we will not make non-public information we hold publicly available. We do not permanently store IP addresses. We do not intend to voluntarily hand over information to the police as they have requested, and have informed them of this.
The police response came shortly afterwards and on June 27th the server was seized. From the Register:
Police seized a server used by Indymedia, the independent newsgathering collective, from the Bristol home of a member of the group after issuing a search warrant on Monday. The raid is the second time within the last year that an Indymedia server has been seized in the UK.
Officers also took the unnamed Bristol collective member in for questioning, and seized a PC, in an incident that has already provoked a huge row. The action happened despite the intervention on Indymedia's behalf by justice group Liberty whose lawyers advised police that the server was "considered an item of journalistic equipment and so subject to special provision under the law".
Despite this reference to a person being "taken in for questioning" later reports indicate that the owner of the server has in fact been charged with incitement to criminal damage. Analysis and insightful comment at Spy Blog which points out that:
It is not unheard of for malicious people to post something illegal or controversial to an open discussion forum and then to complain to the authorities that the administrators of the discussion forum are doing something illegal [...] For the British Transport Police or any other UK Police force to ignore the National High Tech Crime Unit's guidelines on "minimal disruption" to multi-user networked computers during legal evidence gathering or investigations, is a disproportionate abuse of power [...] There is no justification for the "collateral damage" caused by the seizure of an online server in order to attempt to identify the IP address of a single poster.
It's hard to understand why the owner of the server was arrested, but this comment from Spy Blog seems about right:
Initially the Bristol IMC volunteer was a potential witness, either to incitement to criminal damage (the offending item argued that damaging cars was legitimate political protest), or to the statement made by the poster that they had committed the damage. Now the volunteer is a suspect. Maybe the BTP [British Transport Police] allege that the suspect incited criminal damage by failing to delete (it was hidden from the newswire but not deleted) the offending post when it came to their attention. Or maybe the arrest was an act of spite when Bristol IMC quite reasonably told the police to go away and get a warrant.
London Freelance discusses the journalistic privilege issues:
When the police contacted them, BIM called the NUJ and civil liberties organisation Liberty, who argued that demanding information from Indymedia requires a special warrant to obtain journalistic material under the Police and Criminal Evidence Act 1984. Asked about this, a British Transport Police spokesperson said "A warrant was obtained; I don't know the details. ... Website server - I don't know if you could describe it as journalistic material?" They later clarified that "We obtained a Section 8 [PACE] Warrant after discussing with the Crown Prosecution Service who said we didn't need a Section 9 / Schedule 1 [journalistic material] warrant." Section 8 warrants cover evidence-gathering except where privileged, excluded (that is, confidential or medical) or "special procedure" (that is, other journalistic) material is involved.
Two brief comments. First, there is a specific English law (the Regulation of Investigatory Powers Act - RIPA) on point and this situation seems to fall under Part I, Chapter II of that Act (access to communications data). Objectionable though RIPA might be, it does provide some safeguards. It becomes useless, though, when the police can evade those safeguards by falling back on an ordinary search warrant. Second, it's certainly true that Indymedia is being treated less favourably than other media organisations, perhaps in an attempt to harass or shut down its operations. As commenters on the Indymedia site note:
The point is whether or not the seizure of the server is justified. I really don't think that should a letter be written to the Times about such behaviour the police would seize all copies of the Times, or their computers.
The seizure of the Indymedia Bristol server illuminated deficits in the law. Laws protecting journalists were drafted with mainstream news organisations in mind, so they cannot cope with media collectives. Whilst the police might well have had good reason to investigate the claims made on Indymedia Bristol's web site, by effectively shutting down the whole operation the police have acted insensitively and have used rather extreme methods, especially when Bristol IMC have been far from uncooperative.
Sunday, June 26, 2005
(Yet) Another argument against ID Cards
From the Independent:
Ministers plan to sell your ID card details to raise cash
Personal details of all 44 million adults living in Britain could be sold to private companies as part of government attempts to arrest spiralling costs for the new national identity card scheme, set to get the go-ahead this week.
The Independent on Sunday can today reveal that ministers have opened talks with private firms to pass on personal details of UK citizens for an initial cost of £750 each.
[...]
The opening of commercial talks contradicts a promise made when the Home Office launched a public consultation on ID cards in April last year, when officials pledged that "unlike electoral registers, the National Identity Register will not be open for any general access or inspection."
[...]
In addition, firms could be charged up to £750 for technology that would allow them instantly to verify customers' identity through iris scanning or finger-printing, according to official documents.
Update: Ministers are denying that personal information will be for sale, but admit that they will establish and charge for a system giving private companies access to the ID card system. From the Telegraph:
Ministers denied a report that personal details of all 44 million adults in the country could be sold to private companies as part of Government efforts to curb the cost.
But the Home Office admitted that there would be a "mechanism" for companies to check that an ID card was genuine and that people were who they said they were.
Officials said the details of the mechanism were still being worked out. There would be a fee but it would be "nowhere near" the £750 claimed by The Independent on Sunday.
Tony McNulty, the immigration minister, said it was nonsense to suggest that the Government intended to sell information on the ID cards register and had opened talks with private companies.
"The Government has no plans whatsoever to sell individuals' details to private companies," he said. "The legislation we have introduced to set up the scheme will ensure that the ID cards database will be secure and confidential. Private companies will not have access to the information held on it and any unauthorised disclosure will be a criminal offence."
Thursday, June 23, 2005
Your personal information is for sale - Indian edition
BBC News reports:
Police are investigating reports an Indian call centre worker sold the bank account details of 1,000 UK customers to an undercover reporter.
The Sun claims one of its journalists bought personal details including passwords, addresses and passport data from a Delhi IT worker for £4.25 each.
City of London Police is investigating after receiving files from the paper.
Tuesday, June 21, 2005
ISPs told "Hand over names if you want to license our content"
Constitutional Code (Rik Lambers) has an interesting post illustrating the incentives facing ISPs asked to disclose customer names:
During a seminar on "online piracy" in the Netherlands last week a representative of Warner Home Entertainment made it clear that Internet Service Providers won't get movie content licensed, unless they provide the identifying information of their customers on demand.
Data Retention Reaches the US - Or Does It?
Orin Kerr is skeptical about the reports that the US Department of Justice has decided to push data retention:
What is the evidence that times have changed, and that now DOJ is "quietly shopping around" this "explosive" idea? As best I can tell from Declan's story, it is this and only this: A few weeks ago, at a Holiday Inn in Alexandria, Virginia, unnamed Department of Justice employees, apparently from DOJ's Child Exploitation and Obscenity Section (CEOS), mentioned the possibility of mandatory data retention requirements in a meeting with some ISP representatives.
Who are these DOJ employees, though? CEOS does not have any high-level policy makers, as far as I know. It is a section consisting entirely of career prosecutors. No one at CEOS has the authority to opine on such an enormous and controversial question except entirely in his personal capacity. And the chances that DOJ would decide to "shop around" such a high-profile proposal using career lawyers meeting at a Holiday Inn seems a bit far-fetched.
If I had to guess, I would imagine all that happened in this meeting was that a random career lawyer at DOJ had been wondering about data retention, and decided to discuss it as a possibility in a meeting despite DOJ policy to the contrary. Or perhaps the lawyer foolishly tried to raise the possibility as a threat to push ISP representatives to think more seriously about voluntary data retention. Either way, DOJ has not changed its policy at all. Is it possible that there is more to the story than that? Yes, but on the whole it is quite unlikely.
He's certainly well placed to make this assessment. From his bio, he was a trial attorney in the Computer Crime and Intellectual Property Section of the Criminal Division at the U.S. Department of Justice, and his publications suggest that he still has good contacts with his former colleagues in the department. Having said that, the story is still of concern until there's an official denial on the table.
Saturday, June 18, 2005
Data Retention Reaches the US
Disturbing news from CNET, which reports that the US government has executed an about turn and decided to push data retention:
Justice Department officials endorsed the concept at a private meeting with Internet service providers and the National Center for Missing and Exploited Children, according to interviews with multiple people who were present. The meeting took place on April 27 at the Holiday Inn Select in Alexandria, Va.
'It was raised not once but several times in the meeting, very emphatically,' said Dave McClure, president of the U.S. Internet Industry Association, which represents small to midsize companies. 'We were told, 'You're going to have to start thinking about data retention if you don't want people to think you're soft on child porn.''
McClure said that while the Justice Department representatives argued that Internet service providers should cooperate voluntarily, they also raised the 'possibility that we should create by law a standard period of data retention.' McClure added that 'my sense was that this is something that they've been working on for a long time.'
This represents an abrupt shift in the Justice Department's long-held position that data retention is unnecessary and imposes an unacceptable burden on Internet providers. In 2001, the Bush administration expressed "serious reservations about broad mandatory data retention regimes."
The current proposal appears to originate with the Justice Department's Child Exploitation and Obscenity Section, which enforces federal child pornography laws. But once mandated by law, the logs likely would be mined during terrorism, copyright infringement and even routine criminal investigations. (The Justice Department did not respond to a request for comment on Wednesday.)
It's hard to know where to begin assessing this development. But a few points strike me immediately.
First, the reference to "voluntary" retention coupled with a standard period set by law echoes the UK proposals for voluntary retention, and is likely to be rejected in the industry in exactly the same manner. The UK response made it clear that ISPs shuddered at the commercial implications of voluntary retention, seeing it as hugely expensive and likely to lead to customers defecting to other, more privacy friendly ISPs.
Second, the data retention period sought by the Justice Department is two months. This immediately undercuts the claims by the Council of Justice and Home Affairs ministers that a period of up to three years is essential. Perhaps our representatives would now like to explain to us how they can seek such an extravagant period when the US apparently considers it unnecessary.
Third, the US already has a federal data preservation* law, which allows "a governmental entity" to require an ISP to preserve data in their possession for up to 90 days. To justify a data retention law, it would have to be shown that the data preservation rules were ineffective. Where's that evidence?
Fourth, note the distasteful threat from the DOJ: "You're going to have to start thinking about data retention if you don't want people to think you're soft on child porn". As with other data retention proposals, the justification is essentially emotive, with references to the headline grabbing subjects of child pornography and terrorism. But, as the article correctly points out "once mandated by law, the logs likely would be mined during ... even routine criminal investigations".
Fifth, as with data retention on this side of the Atlantic, policy is being made in secret with the public excluded. If the DOJ is confident in the merits of its proposals, perhaps it might try to sell them to the public rather than trying to strongarm ISPs in private.
Finally, the attempt to obtain "voluntary" cooperation represents a continuation of a worrying trend. The US government, amongst others, has noticed that it can evade pesky constitutional restrictions such as probable cause by "outsourcing" certain activities to private actors who aren't subject to the same restrictions. These data retention proposals have the same air about them. A federal data retention law would face public scrutiny and opposition, a stiff fight through Congress, judicial review, and would likely be found unconstitutional. Hence the attraction of cooperation from ISPs, which would enable the government to achieve indirectly that which it could not do directly, and all without any public fuss. This is good for the government, perhaps, but bad for democracy and the rule of law.
________________________________
*The distinction between data retention and data preservation is explained by the Canadian Department of Justice here:
What is data preservation and how is it different from data retention?
It is important to distinguish between data preservation and data retention. As proposed in the consultation paper, a data preservation order would require a service provider to keep existing data of a specific, identified individual who is identified by the courts as the subject of an investigation and not delete it for a specified period of time. This would ensure that information vital to an investigation is not deleted before the police can obtain a search warrant or production order to access the specific data.
Data retention, on the other hand, involves the collection of data from all users of a communication service - regardless of whether or not they are subject to an investigation.
Tuesday, June 14, 2005
The curious legal status of .uk and .ie
From The Register:
The company that runs the UK's Internet registry is not officially recognised by the government and as such has no right to decide what should be done with the millions of domains that it sells each year.
That at least is the claim of Ben Cohen, former owner of iTunes.co.uk, who lost ownership of the domain to Apple in March after a ruling by an independent expert hired through Nominet's domain resolution process.
Cohen has been decrying Nominet since the decision and made a variety of legal threats over the decision. However he recently discovered that he was not able to take the actual decision made against him to the High Court for Judicial Review because of Nominet's peculiar status.
Following questions made under the Freedom of Information Act, the government was forced to state that there is "no formal relationship or written agreement" between the UK government and Nominet. As such, it is not a public body and so is subject only to the usual laws covering UK companies.
Cohen argues that this status is misleading since representatives from government bodies have permanent seats on Nominet's Policy Advisory Board (PAB). The government also accepted that this situation does not exist for any other company.
[...]
"At no point has there ever been a statutory or official recognition by the Government of Nominet's position as the sole issuer of .uk domain names to the public.
"The status of Nominet is important because their dispute resolution service acts in a quasi-Judicial manner in deciding who should lay claim to a domain name when a dispute arises. CyberBritain was planning on taking the decision made on the 10th March to the High Court for Judicial Review. However, this course of action is only open to review decisions made by public bodies.
"Nominet have always claimed to us that they are on the one hand officially recognised by the Government but not a public body, meaning that their decisions would not be subject to Judicial Review. In my mind, this is a paradox as an official or statutory recognition of an organisation to administer what is in effect a public service would generally be subject to Judicial Review. This certainly would be the case with decisions made by Ofcom who regulate telecommunications and television.
"If Nominet have no official recognition (despite civil servants being on their Policy Board) then all domain names issued by them are placed in jeopardy."
Nominet is not impressed with this logic.
"Mr Cohen has continued to threaten legal action in the press and in private, but no proceedings have ever been issued. Nominet has repeatedly explained to Mr Cohen that we believe that he has no basis for suing us and that the particular type of litigation he was threatening (called "Judicial Review") was totally inappropriate because Nominet is not a Government body.
"Nominet is not a Government body and has never claimed to be. We state on our website that we are 'officially recognised' and we explained the meaning of this to Mr Cohen previously.
"The Dispute Resolution Service forms part of the contract we have with registrants of .uk domain names and is enforced as a matter of contract law. We have told Mr Cohen this, and have never tried to suggest that Nominet's Dispute Resolution Service (DRS) is 'quasi-judicial', statutory (i.e. in an Act of Parliament or similar) or Government-backed."
Much the same problem exists in relation to the .ie domain registry which carries out a public function without any legislative or regulatory underpinning. Their FAQ addresses this point, but in a way which raises more questions than it answers:
6. What exactly is the IEDR - is it a statutory body, is it a semi-state, is it part of UCD, is it some kind of public service or is it just a monopoly like, say, the ESB?
6. The IEDR's origins are in UCD but since July 2000 it's been a private company, limited by guarantee. It has no shareholders, the company is owned by its members who are the directors. Surpluses are not distributed, they are added to opening reserves. Directors as per the company's constitution, do not receive fees or emoluments. Only the IEDR can administer .ie - which it does as a public service - but it is not a monopoly in the sense that anybody in Ireland, or elsewhere, can register from a choice of approximately 250 different national and generic TLD names. The IEDR works closely with national and international governments, governing bodies, trade associations and abides by Internet best practice principles while still operating as an independent private company.
The E-Commerce Act 2000 allows (in section 37) the government to regulate the .ie TLD - however this has yet to be done, despite Ministerial promises that the .ie domain will eventually be regulated by ComReg.
You might well ask - so what? As long as the .ie domain functions, why should lawyers nitpick about its legal foundations? The narrow answer is that there have been many complaints about the governance and transparency of the IEDR, including allegations that it is still dominated by UCD (from which it is an offshoot), all of which ultimately have their origins in the lack of a proper legal basis for the registry.
More widely, though, as a matter of principle where a body controls a public asset (the .ie domain), is exercising a public function, and has its origins in the public sector, it should be subject to rules of public oversight (such as the Freedom of Information Act and judicial review). Instead, the IEDR currently exercises a state-sanctioned monopoly without any real oversight.
Update (17/6/05): Ben Cohen has decided to proceed with the judicial review. Stay tuned to see whether the English courts will accept jurisdiction to judicially review decisions of Nominet.
Update (5/8/05): The judicial review application was rejected - but it's not clear whether the court considered whether Nominet was subject to judicial review. According to Out-Law:
the judge noted that the application was flawed in several respects, being both late and unnecessary given the right of appeal which forms part of Nominet's Dispute Resolution Service, which Mr Cohen had failed to use.
This suggests that the application was rejected on a procedural basis (delay and failure to exhaust remedies) rather than on the substantive ground that Nominet was not a public body.
Wednesday, June 08, 2005
Morris Tribunal learns pitfalls of security through obscurity
The Sunday Times (free reg. required) has an interesting story illustrating official ignorance of basic information security:
Tribunal hacker 'was in press agency building'
Stephen O’Brien
THE Press Association of Ireland was threatened with heavy fines and jail sentences by Justice Frederick Morris last week after revealing that it had gained access to his report on garda corruption in Co Donegal before the official launch.
The wire service, the Irish arm of the London-based Press Association (PA), was suspected of hacking into the tribunal’s website to obtain the report. Michael McDowell, the justice minister, claimed that more than 350 separate attempts were made to overcome internet security measures guarding a web version of the report, forcing the authorities to release it earlier than planned.
McDowell did not say who was responsible, but The Sunday Times has established that the “hacking” was traced to PA’s building in Harcourt Street, central Dublin.
Morris, a former High Court president, told journalists at the wire service that he would prosecute anyone who published his report before its official release for obstructing or hindering the work of the tribunal, an offence carrying up to €12,700 in fines and up to two years in prison.
The judge wrote personally to PA in an urgently faxed letter on Tuesday, after staff at the agency contacted the tribunal to verify the authenticity of the report they had found on the web. PA, Britain and Ireland’s largest news agency, immediately agreed to observe the embargo on publication.
PA declined to comment this weekend, but a source at the agency confirmed that the Dublin office got a phone call from a source who explained how to get the report from the website.
“Personally, I think it was a bit of a security cock-up by the tribunal,” the PA source said. “The web link was morristribunal.ie/ and then a series of numbers.”
A government source, however, said the computer used to attack the web security around the report was in the same Dublin building as the PA office. Rogue computer software known as spyware was attached to the server used to “air” the Morris tribunal website.
This spyware then uncovered the secret web link to the tribunal’s report when it was being stored in a supposedly secure location before the official government release.
The spyware notified the hacker when the report was put on the web at 10am on Tuesday, the source said. Over the 70 minutes, 350 attempts were made to access it.
The release of the report was brought forward several days by McDowell after discussions with the tribunal over the compromised security. No complaint has been made to gardai by the tribunal, although experts were able to trace the unique identification number of the computer used to hack into the tribunal site.
Strip away the breathless talk of "hacking", "internet security measures", "rogue computer software", "spyware" and "secret web links" and we have the mundane reality that somebody messed up by posting the report on a public web site, hoping that nobody would find it. An equivalent would be a person placing a book on the shelves in a library, but believing that it is "secret" because it does not appear in the library catalogue. The talk of "hacking" is a smokescreen.
So did reading the report amount to an offence? Unlikely. Under Irish law, the relevant offence would be access without lawful excuse. However, material published on the public web carries with it an implied permission to access that material. Where a publisher hasn't taken steps to limit that permission, then it will be difficult if not impossible to show, beyond a reasonable doubt, that (a) the reader acted without permission, and (b) the reader knew (or perhaps should have known) that they were acting without permission.
A similar issue arose three years ago when Reuters accessed an earnings report, posted on the public website of Swedish IT group Intentia, before its official release. Intentia filed a complaint with the Swedish police. The public prosecutor, however, found that no crime had been committed:
The prosecutor Mr Hakan Roswall chose to do nothing with Intentia's complaint. Mr Roswall concludes that it is illegal to access information stored in a computer that the proprietor deems to be secret and the proprietor protects. Mr Roswall states that Intentia did not clearly state that the information should be secret and did not protect the information. On the contrary it was very easy to access the information. Intentia stated that the report would be available at a certain time, and you only had to slightly change the URL (web address) from the report of the previous quarter in order to obtain the current report. Hence, Mr Roswall will not initiate proceedings against Reuters or any of its reporters.
Update: I've just found a post by Feargal McKay at the Sigla Blog which beats me to the punch on this issue.
Thursday, June 02, 2005
Online Anonymity - Canadian Edition
The Canadian Federal Court of Appeal recently handed down an important decision on online privacy. The case - BMG Canada v. Doe - unsurprisingly involves attempts by the music industry to identify alleged filesharers, using a Norwich Pharmacal analysis.
At first instance, disclosure was refused due to deficiencies in the plaintiffs' evidence, in what was seen as a strongly pro-privacy holding. The Court of Appeal, although it allowed the plaintiffs' appeal in part, accepted that the plaintiffs' evidence was insufficient to order disclosure, and adopted much of the trial judge's reasoning in relation to the privacy issues involved. The key paragraphs of the judgment are:
In cases where plaintiffs show that they have a bona fide claim that unknown persons are infringing their copyright, they have a right to have the identity revealed for the purpose of bringing action. However, caution must be exercised by the courts in ordering such disclosure, to make sure that privacy rights are invaded in the most minimal way.
If there is a lengthy delay between the time the request for the identities is made by the plaintiffs and the time the plaintiffs collect their information, there is a risk that the information as to identity may be inaccurate. Apparently this is because an IP address may not be associated with the same individual for long periods of time. Therefore it is possible that the privacy rights of innocent persons would be infringed and legal proceedings against such persons would be without justification. Thus the greatest care should be taken to avoid delay between the investigation and the request for information. Failure to take such care might well justify a court in refusing to make a disclosure order.
Also, as the intervener, Canadian Internet Policy and Public Interest Clinic, pointed out, plaintiffs should be careful not to extract private information unrelated to copyright infringement, in their investigation. If private information irrelevant to the copyright issues is extracted, and disclosure of the user’s identity is made, the recipient of the information may then be in possession of highly confidential information about the user. If this information is unrelated to copyright infringement, this would be an unjustified intrusion into the rights of the user and might well amount to a breach of PIPEDA by the ISPs, leaving them open to prosecution. Thus in situations where the plaintiffs have failed in their investigation to limit the acquisition of information to the copyright infringement issues, a court might well be justified in declining to grant an order for disclosure of the user’s identity.
In any event, if a disclosure order is granted, specific directions should be given as to the type of information disclosed and the manner in which it can be used. In addition, it must be said that where there exists evidence of copyright infringement, privacy concerns may be met if the court orders that the user only be identified by initials, or makes a confidentiality order.
The court also indicated that disclosure should not be granted if there was some "other improper purpose for seeking the identity of these persons".
Consequently, while the Canadian courts are prepared to grant disclosure on the basis of Norwich Pharmacal, it seems that they will (a) demand a higher standard of evidence before granting a disclosure order; (b) take greater steps to minimise the privacy consequences of a disclosure order; and (c) examine the request to see whether it is pretextual.
Michael Geist has an informative analysis of the decision on his (always interesting) website. He includes a summary, prepared by Alex Cameron (who argued the case), of the test which ISPs must now meet in order to seek disclosure:
Courts shall not order ISPs to disclose the identities of their customers unless the Plaintiff meets its burden of showing each of the following factors. If the Plaintiff fails to show any of the following, then disclosure shall not be made:
1. Plaintiff must show that it has:
(a) targeted the correct IP address by providing clear admissible evidence that it has correctly linked online activities to a specific IP address at a particular time. There should be no risk that innocent people will have their privacy invaded or named as defendants where it is not warranted (para 21); and
(b) "a bona fide claim that unknown persons are infringing their copyright" (para 42), including "i.e., that they really do intend to bring an action based on the information they obtain, and that there is no other improper purpose for seeking the identity of these persons". (para.34)
(Note: Even if the plaintiff meets its burden under 1(a), disclosure may be refused where the ISP advises the court that there is a risk of an innocent person having their privacy invaded or named as a defendant where it is not warranted. This might arise if, for example, the ISP's records are incomplete or suggest that the risk is present for another reason)
2. "There should be clear evidence to the effect that the information cannot be obtained from another source such as the operators of the named websites." (para.35)
3. "The public interest in disclosure must outweigh the legitimate privacy concerns of the person sought to be identified if a disclosure order is made" (para.36)
a) the information on which a request for identification is made (eg, IP address) must be timely; no undue delay between investigation and motion for disclosure (para 43)
b) in their investigation, plaintiffs must "limit the acquisition of information to the copyright infringement issue" (para.44)
In cases where the plaintiff has met each of the factors above, "caution must be exercised by the courts in ordering such disclosure, to make sure that privacy rights are invaded in the most minimal way" (para 42). For example, specific directions should be given as to the type of information disclosed and the manner in which it can be used. In addition, the court should consider making a confidentiality order or identifying the defendant by initials only (para.45)
Tuesday, May 17, 2005
German Court Refuses to Order ISPs to Disclose User Identities
Heise has an article indicating that the Higher Regional Court in Hamburg has declined to order ISPs to disclose the identities of users alleged to be infringing copyright by running FTP servers. The court held that, as ISPs were not joint wrongdoers, their obligations were limited to blocking and removing infringing material:
In its highly detailed opinion the court concludes that the obligation in piracy cases to provide information on the creation and/or distribution of pirated items - created by the right to information specified by the Copyright Act - only applied to those parties themselves involved in the said illegal acts. The access provider was not a party of this kind, the court ruled, as it merely provided access to the Web. Contrary to the opinion of the District Court a provider could also not be held accountable as a so-called "Mitstörer" (co-troublemaker) in breach of the law on the grounds of having provided access to the Internet. The legislation of paragraph 8 subsection 2 of the Tele Services Act (TDG), according to which access providers in line with the laws in general and despite a certain privileged position as to liability are enjoined to "remove and block" illegal content, had not changed this state of affairs, the Higher Regional Court concluded. After all, "remove" and "block" specifically did not imply the divulging of information, thus the OLG. With its decision the OLG Hamburg has taken the same line as the OLG in Frankfurt-on-the-Main. The judges in the federal state of Hesse hence also disputed that there was a right to demand information from access providers, as such a right to demand information served to discover and drain the sources and distribution channels of pirated items and only such parties as committed or participated in such violations of copyright were obliged to provide information, they concluded.
It'll be interesting to see whether this approach will survive the implementation of the IP Enforcement Directive. Article 8 of this draconian Directive creates a "right of information" - i.e. a right to compel third parties to disclose information, including the identity of an alleged infringer. (Effectively transplanting the Norwich Pharmacal order into EU law.)
The Directive itself, after much lobbying, was amended to limit this to "acts carried out on a commercial scale" i.e. "those carried out for direct or indirect economic or commercial advantage; this would normally exclude acts carried out by end consumers acting in good faith" (see recital 14). However, this definition is opaque. What's meant by "indirect economic advantage"? Would it include savings made by downloading music from others? What's the significance of the reference to "acting in good faith"? If A has a large music collection, and shares that via a p2p network, is he acting on a commercial scale? Does it make a difference whether he knows that what he's doing is illegal?
Also, even if Article 8 itself doesn't cover this situation, nothing in the Directive precludes member states from choosing to extend it to non-commercial situations (see recital 14), and we can expect the music / film industry lobbies to push at national level for the directive to be extended to cover all alleged infringements - commercial or otherwise.
Via The Register