Wednesday, March 26, 2008

A public service announcement about public surveillance

This animated short by David Scharf is one of the best explanations I've seen as to why we should be worried about sleepwalking into a surveillance society, not to mention a beautifully crafted piece of visual art in its own right.



You can see larger, better quality versions of the video at http://www.huesforalice.com/bbs/.

Tuesday, March 04, 2008

Domain Name Registrars - The New Points of Control?

Jonathan Zittrain has pointed out that regulation of the internet has tended to proceed - whether by way of litigation or legislation - by identifying particular intermediaries and compelling them to act as points of control over user behaviour. The intermediaries targeted have included hosts, ISPs, search engines, hyperlinkers and financial intermediaries (which have been compelled, for example, to stop credit card payments to gambling sites). Some relatively recent developments suggest that domain name registrars are joining them in the firing line - and that this may result in some interesting cross-border legal issues.

An early example took place in the Rate Your Solicitor saga, where the plaintiff in an Irish defamation action succeeded in 2006 in persuading US registrar GoDaddy to disable the rateyoursolicitor.com domain (apparently for false WHOIS data) notwithstanding that GoDaddy would appear to have enjoyed immunity under section 230 CDA. (Not that this deterred the critics of Irish lawyers, who promptly moved to rate-your-solicitor.com where they remain today.)

At around the same time, the plaintiffs in the Spamhaus litigation set out to persuade an Illinois court to order ICANN (rather than the Canadian registrar!) to suspend the Spamhaus domain name - on the basis that Spamhaus (located in the UK) could not otherwise be made to comply with that court's order. (Ultimately, however, the court accepted that ICANN and the registrar were not involved in the defendant's actions nor able to control them, and consequently an order should not be directed towards them.)

The Spamhaus case didn't, however, deter the lawyers acting for Bank Julius Baer in its attempt to silence Wikileaks.org, who succeeded (albeit temporarily) last month in persuading the Californian courts to issue an interim order requiring the registrar (Dynadot) to disable the Wikileaks.org domain name and remove all DNS hosting records. (This despite the lack of any obvious role for the Californian courts in adjudicating on a dispute between a Cayman Islands bank, its Swiss parent company, a Swiss former employee, and the various individuals around the world responsible for Wikileaks, and despite the lack of any full hearing.) Daithi has a particularly good post on why this amounted, in effect, to an internet death penalty and was a disproportionate prior restraint on speech.

Now the New York Times reports that the US government has ordered domain name registrars to disable domain names which it alleges breach its ban on trade with Cuba:
Steve Marshall is an English travel agent. He lives in Spain, and he sells trips to Europeans who want to go to sunny places, including Cuba. In October, about 80 of his Web sites stopped working, thanks to the United States government.

The sites, in English, French and Spanish, had been online since 1998. Some, like www.cuba-hemingway.com, were literary. Others, like www.cuba-havanacity.com, discussed Cuban history and culture. Still others — www.ciaocuba.com and www.bonjourcuba.com — were purely commercial sites aimed at Italian and French tourists.

“I came to work in the morning, and we had no reservations at all,” Mr. Marshall said on the phone from the Canary Islands. “We thought it was a technical problem.”

It turned out, though, that Mr. Marshall’s Web sites had been put on a Treasury Department blacklist and, as a consequence, his American domain name registrar, eNom Inc., had disabled them. Mr. Marshall said eNom told him it did so after a call from the Treasury Department; the company, based in Bellevue, Wash., says it learned that the sites were on the blacklist through a blog.

Either way, there is no dispute that eNom shut down Mr. Marshall’s sites without notifying him and has refused to release the domain names to him. In effect, Mr. Marshall said, eNom has taken his property and interfered with his business. He has slowly rebuilt his Web business over the last several months, and now many of the same sites operate with the suffix .net rather than .com, through a European registrar. His servers, he said, have been in the Bahamas all along.
What's the significance of this? As in some of the other cases, it means that internet speech may be shut down without any prior notice to a party, and without any hearing. It also means that disputes which have no underlying connection with a particular jurisdiction may end up subject to the law of that jurisdiction:
Susan Crawford, a visiting law professor at Yale and a leading authority on Internet law, said the fact that many large domain name registrars are based in the United States gives the Treasury’s Office of Foreign Assets Control, or OFAC, control "over a great deal of speech — none of which may be actually hosted in the U.S., about the U.S. or conflicting with any U.S. rights."

"OFAC apparently has the power to order that this speech disappear," Professor Crawford said.
There's also a very important practical point here. Website owners are already acutely aware that hosting liability varies from jurisdiction to jurisdiction - and for that reason many choose to host in the US, where section 230 CDA makes it less likely that a host will take down a site based on vague and unjustified threats. These cases illustrate that domain owners should be equally cautious in deciding which registrar to use - pick a registrar located in the wrong jurisdiction, or one which (as Dynadot appeared to do in the Wikileaks case) caves in too easily, and you may find your domain name vanishes.

Friday, February 29, 2008

German Constitutional Court recognises a new right of "Confidentiality and Integrity of Computer Systems"

On 27 February the German Constitutional Court issued what's being described as a landmark ruling which recognises a new fundamental right of privacy, confidentiality and integrity in computer systems. The case was brought to challenge a law which, amongst other things, permitted government agencies to hack into computer systems, for example by using a Trojan Horse to monitor suspects' internet use. The reasoning of the Court was based on its finding that computer systems will often contain information presenting a complete picture of a person's most private life:
[Computer systems] alone or in their technical interconnectedness can contain personal data of the affected person in a scope and multiplicity such that access to the system makes it possible to get insight into relevant parts of the conduct of life of a person or even gather a meaningful picture of the personality.
Ralf Bendrath has detailed analysis of the decision and its background. Meanwhile, the IPKat suggests that this may have implications for the use of privacy invasive DRM and for disclosure of information held by ISPs in civil cases.

Thursday, February 28, 2008

'Cause I'm the Taxman: Facebook and the Revenue

Now my advice for those who die,
Declare the pennies on your eyes.
'Cause I’m the taxman,
Yeah, I’m the taxman.
- The Beatles

There's been a good deal of media coverage of the revelation by Evert Bopp that the Revenue is gathering information from Facebook and other social networking sites as part of its audits of individuals. There has been a tendency to present this as a privacy issue, leading to discussion of whether information on social networking sites should be treated as essentially in the public domain. This seems to me, however, to be the wrong way of looking at this question, not least because a definition of privacy remains elusive. Leaving privacy per se aside, are there other reasons why this sort of material should not be used?

There are, for me, at least two reasons. First, this material is often unreliable. As one Irish blogger demonstrated recently, it's quite easy to fake profiles in the name of others and to do so in a convincing way (Google cache). Consequently government agencies should be slow to use information derived in this way. Where they do so they should inform the individual concerned and offer an opportunity for that person to correct or challenge the material. (Something which would in any event be required by the Data Protection Rules.)

Secondly, and perhaps more importantly, this may lead to irrelevant criteria being used in a way which harms individuals. The legitimacy of bureaucracy is based, at least in part, on the impersonal application of general rules. Bureaucrats are not allowed to take other factors - such as the sexual orientation of the individual - into account, and indeed are expressly prohibited from inquiring about these factors. But where social networking profiles are being searched, this principle may well be undermined. For example, suppose that Blogger X is openly out on his blog. That is no business of the Revenue (for example) in dealing with him. But if an official is influenced by what their search turns up, we may find him being discriminated against in a way which would not have been likely otherwise.

Daniel Solove has considered some of the issues arising from what he describes as the "self exposure problem" in his fascinating new book The Future of Reputation: Gossip, Rumor and Privacy on the Internet - the full text of which is now available online under a non-commercial CC licence. It's required reading for anyone interested in this area.

Wednesday, February 27, 2008

Here comes another bubble...

Especially for those people who say that Web 2.0 equals Bubble 2.0:

An overview of ISP Voluntary / Mandatory Filtering

Irene Graham of Electronic Frontiers Australia has compiled an invaluable overview of ISP level filtering systems as part of the EFA campaign against mandatory filtering in Australia. What's most striking about her survey is that unlike much previous work which focused on countries such as China or Saudi Arabia, she looks at the systems put in place in various democracies (including Canada, the United Kingdom and Finland) but still finds the same problems - a lack of democratic legitimacy, opaque systems, overblocking, and indications of function creep.

Full Disclosure and the Law - a European Survey

Full disclosure - the practice of making security vulnerabilities public - is an area of uncertain legality. The companies whose products are shown to be insecure would like to suppress this information. In addition, new laws criminalising so-called hacking tools have caused security researchers to worry that simply possessing the tools of their trade or publishing their research may expose them to criminal liability. Legal certainty isn't helped by the fact that the laws on this point differ greatly from jurisdiction to jurisdiction. Federico Biancuzzi has now produced a very helpful survey of European laws in this area by interviewing lawyers (including myself) from twelve EU countries on their national laws. Most seem to agree that the law is unsettled. But some common themes do emerge. In particular, full disclosure is not being regulated by any specific law - instead, the consequences of full disclosure tend to be considered in a rather ad hoc way under a variety of different legal regimes. In addition, civil liability (imposed by general copyright law or by specific contractual or licensing restrictions) appears to be just as much a deterrent to research and publication as newer laws criminalising hacking tools.

Wednesday, February 13, 2008

Sabam v. Tiscali (Scarlet) - English translation now available

The recent Belgian decision in SABAM v. Tiscali (Scarlet) appears to be the first time in Europe a court has considered whether ISPs can be required to monitor or filter the activities of their users in order to stop filesharing on peer to peer networks. The Cardozo Arts & Entertainment Law Journal has now provided an English translation of the decision. The decision deserves to be read in full, but here are some of the most important passages:
the issue of future potential encryption cannot today be an obstacle to injunctive measures since this one is currently and technically possible and capable of producing a result, as it is in the case before this court; that the internet sector is constantly evolving; that in crafting injunctive relief, the judge cannot consider speculations about potential future technical developments, especially if these might also be subject to parallel adaptations concerning blocking and filtering measures
the average cost of implementing these measures does not appear excessive; that, according to the expert, this estimated cost over a 3 year period (the time of amortization) and on the basis of the number of users on the order of 150,000 persons should not exceed 0.5 each month for each user
these measures could also have as secondary consequence to block certain authorized exchanges; that this circumstance that an injunctive measure affects a group of information [exchanges], of which some are not infringing (such as film, book, CD. . ..) does not prevent, nevertheless, it [the court] from enforcing the injunction
SA Scarlet Extended disputes, nonetheless, this court’s power to order an injunction by arguing that:
* the technical measures requested would lead to impose upon it [Scarlet] a general monitoring obligation for the totality of all “peer-to-peer” traffic, which would constitute an on-going obligation contrary to the legislation on electronic commerce (Directive 2000/31 ...,
* the installation of filtering measures may lead to the loss of the safe harbor from liability for mere conduit activities that technical intermediaries enjoy by virtue of Article 12 of Directive 2000/31,
* the technical measures requested in so far as they lead to “installing in a permanent and systematic way listening devices” will violate fundamental rights and, in particular, the rights to privacy, confidentiality of correspondence, and freedom of expression;
Directive 2000/31 of 8 June 2000, related to certain legal aspects of information society services, and in particular electronic commerce in the internal market, states, in its Article 15, that “. . .Member states shall not impose a general obligation on providers . . . to monitor the information which they transmit or store” ...
Article 15, which is part of Section 4 of the Directive related to “Liability of intermediary service providers,” aims to prevent a national judge from imposing liability for breach by the service provider of a general monitoring obligation due only to the presence on its networks of illegal material ... this provision that thus governs the issue of provider liability is, however, exclusively addressed to the judge of liability and has no impact on the present litigation since injunctive relief does not require any prior finding of negligence by the intermediary
Scarlet wrongfully considers that this injunction would result in its loss of the safe harbor from liability contained in Article 12 of Directive 2000/31 ... that benefits a provider of mere conduit or access to the internet conditioned upon it neither selecting nor modifying the information being transmitted;

That in accordance with “whereas” clause 45 of Directive 2000/31, “the limitations of the liability of intermediary service providers established in this Directive do not affect the possibility of injunctions of different kinds; such injunctions can in particular consist of orders by court . . . requiring the termination or prevention of any infringement, including the removal of illegal information or the disabling of access to it.”

That the only fact that the filtering technical instrument would not filter some infringing works belonging to the SABAM repertoire does not imply in any way that those works would have been selected by Scarlet; that indeed the fact that one does not succeed in blocking some content does not imply that this content has been selected by the intermediary as long as this intermediary does not target the information to be provided to his clients; the filtering measure is purely technical and automatic, the intermediary having no role in the filtering;

That, furthermore, even assuming that Scarlet would lose the benefit exemption of liability, it does not necessarily follow that it would be found liable; it would still have to be proven that it was negligent; that such litigation would nevertheless fall within the sole competence of a judge of liability;
filtering and blocking software applications do not as such process any personal information; that, like anti-virus or anti-spam software, they are simple technical instruments which today do not involve any activity implicating identification of internet user

Friday, February 08, 2008

Government databases - Why "the innocent have nothing to fear" simply isn't true

The Times has a very sad story:
A pensioner was killed after a couple used a policeman friend to trace him and then attacked his home in a dispute over a supermarket parking space, a jury was told yesterday.

Bernard Gilbert, 79, died of a heart attack after a brick was thrown through his window.

The former Rolls-Royce worker became a target when he shouted at Zoe Forbes, 26, because she parked her car in a space he had earmarked for himself at a branch of Asda, Nottingham Crown Court was told.

Mrs Forbes was upset and called her husband Mark, who told her to note down Mr Gilbert’s numberplate. He then asked a policeman friend to check Mr Gilbert’s address on the police national computer, using the car registration number.


Mr Forbes sent his wife a text message reading: “We’ll smash his car to bits and then his hire car and then whatever he gets after that until he dies.”

The couple deny manslaughter.
Samizdata puts it well: "The innocent have nothing to fear - so long as they have not annoyed anyone who knows a copper who can be persuaded to look up an address."

Wednesday, January 30, 2008

Leaked documents show UK government plans to "coerce" take up of "voluntary" ID Cards

Details have trickled out during the last week or so of the UK Government's plans to compel people to use what has been promised to be a "voluntary" ID card. These have been based on leaked government documents. The NO2ID campaign has now published a full version of the most important document, with its own annotations. This is available here (locally hosted copy). One of the most important passages is this:
Various forms of coercion, such as designation of the application process for identity documents issued by UK ministers (eg passports) are an option to stimulate applications in a manageable way.

There are advantages to designation of documents associated with particular target groups, eg young people who may be applying for their first driving licence.
The Register has an insightful analysis:
"Various forms of coercion" could be used to accelerate the rollout of ID cards, the idea being that ID cards will remain 'voluntary' for as long as possible, while not having an ID card will become more and more uncomfortable. This, precisely what the government has intended to do all along, is stated baldly in an Identity & Passport Service leak cited by the Sunday People.

The IPS gives designation of a document under the ID Cards Act as an example of "coercion", and suggests driving licence applications as an area where this approach could be used. Effectively, this would mean that new applicants for licences would be forced to get an ID card...

'Coercion' could therefore be applied here via the delivery of a speedier service online with the aid of a digital passport or ID card, or (heavy coercion) by abandoning the post office end of the service for 'reasons of security.' Similarly, speed of processing can and has been used to illustrate how ID cards can 'help' people working with children and vulnerable groups get their CRB check processed faster. Next stop, compulsory ID cards for teachers? But as it won't be "universal compulsion", they're still not compulsory, right?

Tuesday, January 29, 2008

Data retention - "The innocent have nothing to fear" edition

The Economic Times of India has this worrying report:
MUMBAI: The wrongful arrest and the 50-day incarceration of an innocent software professional on charges he uploaded offensive pictures of Shivaji on Orkut were probably the result of a wrong internet timestamp and has raised concern over the over-dependence of police on Internet Protocol (IP) addresses as evidence in online crime, cyber experts said.

A couple of months ago, Lakshmana Kailash K was arrested, denied bail and given a taste of harsh prison life at Yerawada as the IP details given to police by his internet service provider, Bharti Airtel, matched his user identity. It later emerged that they had the wrong man. Police confirmed the faux pas and Mr Kailash was released. Now, the professional has sent legal notices to Bharti, police and government officials claiming damages for the agony he went through.

Sunil Phulari, the DCP with the cyber crime cell Pune said: "Nothing went wrong in the investigation. It was carried out according to the legal procedures. I cannot speak for Airtel."

Tuesday, January 22, 2008

The case against data retention

I've written a piece for today's Irish Examiner on the Government's data retention proposals, which it published under the headline (not chosen by me!) "Big brother will be watching... everyone". Full text:
How would you feel if someone followed you every day, writing down your movements, making a note of everyone you talked to, jotting down the address of every letter you post, and then storing that information for three years? What would you think if that system of surveillance was extended to every single person in the country? While this might sound like the stuff of science fiction, since 2002 the Government has required telephone companies to track the movements of all their users, to log details of every telephone call made and every text message sent and to store that information for three years. The Department of Justice now proposes to extend this further, to require ISPs to monitor everyone’s internet use, including details of every email or instant message we send, and every time we log on or off, and to store that information for up to two years. What’s more, it intends to do this by the stroke of a ministerial pen, with no debate before the Dáil or the Seanad.

The rather dull name for this surveillance is “data retention”. But it might be more informative to talk of “digital footprints”. As technology comes to be more and more part of our everyday lives, we leave a trail of digital footprints recording almost everything we do. Activities which once would have been private (posting a letter) may now leave a record (sending an email). Data retention laws – by storing these digital footprints – mean that the rights to privacy and freedom of expression we take for granted in the offline world might be lost in the digital age.

Of course, it is legitimate that police should have access to some call or internet data. This information can help in investigations and prosecutions. But the information stored and access to that information must be reasonable and proportionate. In particular, information should not be stored on everyone, but only on a targeted basis. Access should be granted only on the basis of a warrant, and only in respect of terrorism or serious crime. And the information should be stored for as short a period as possible, and certainly for no more than six months except in exceptional circumstances.

Indeed, in 2001 the Government accepted the need for safeguards by signing up to the Convention on Cybercrime, which achieved international agreement on a far less intrusive “data preservation” system, which would preserve evidence in individual cases without the blanket storage of information on all citizens. But the Government has since ignored that system and instead put in place laws which contain almost none of these safeguards.

Laws requiring monitoring of the entire population are astonishing in a democracy. Yet so far there has been very little public debate. One reason might be that this surveillance happens invisibly in the background. But compared to traditional surveillance it is potentially far more intrusive, and carries much greater risks of abuse. In the United Kingdom we have seen the loss of data on many millions of individuals. Here officials in the Department of Social Welfare have been found to be engaged in the systematic leaking and selling of personal information from government databases. There is no reason to think that this information will be treated any differently.

Public awareness has also been stifled by the tactics adopted by the Government. In 2002 data retention was initially brought in by a secret ministerial order, which the telephone companies were forbidden to reveal. Only after pressure from the Data Protection Commissioner was it made public. In 2005, the Minister for Justice again avoided public scrutiny by changing the law using a last minute amendment to an unrelated Bill – breaking a promise that there would be full consultation and a separate Bill for the Oireachtas to debate. Now the Department of Justice is proposing to implement a European Directive on data retention using a statutory instrument – again excluding the Dáil and the Seanad. They claim that the matter is urgent and that there is no time for legislation. But that Directive was passed in February 2006. The Department has had nearly two years to prepare a Bill and cannot now rely on its own delay to justify sidelining democratic scrutiny.

Digital Rights Ireland has brought a High Court challenge to these Irish and European data retention laws, which will ultimately decide whether surveillance of the entire population can be compatible with the rights to privacy and freedom of expression under our Constitution and the European Convention on Human Rights. Until then, however, there should at a minimum be full public awareness and discussion. And in the case of the Department of Justice proposals, at the very least any extension of these laws to the Internet should be by primary legislation and following a debate in the Oireachtas.

Monday, January 14, 2008

Supreme Court ruling on electronic discovery - Orders may extend to extracting and analysing data

In an important decision - Dome Telecom v. Eircom - the Supreme Court has held that the courts, as part of the discovery process, have the power to order a litigant to carry out data analysis to extract, collate and analyse records from a database and to produce a report containing that information. While this is not the first case on this point (the High Court made a similar order in 2006 in Used Car Importers of Ireland v. Minister for Finance) this is the first case to consider the issue in detail and the first time that the matter has been ruled on by the Supreme Court.

By way of background, Irish law on discovery is contained in Order 31 of the Rules of the Superior Courts, which gives the courts power to order parties to disclose to the other side those "documents" which are relevant and necessary to the case. This rule has been applied without difficulty to situations where what is sought is a specific document stored in electronic format - cases such as Clifford v. Minister for Justice have accepted that computer files should be regarded as "documents", and electronic discovery is now common.

What presented a problem in Dome Telecom was the traditional understanding of discovery as being limited to disclosure of existing documents. As Fennelly J. put it:
"a court will only order discovery of documents or records which exist. If no record has been made of a relevant conversation, meeting or event, a court will not, for the purpose of discovery, require a party to make one."
Here Dome Telecom alleged that Eircom had damaged its call card business by charging on a discriminatory basis for calls made from mobile phones to its 1800 freephone number. To put a figure on the damage suffered, Dome Telecom sought discovery of the total number of minutes of calls made to specific 1800 freephone numbers operated by its competitors. This was granted by the High Court, notwithstanding Eircom's claims that this would go beyond merely disclosing an existing document, but would require it to engage in an expensive analysis and filtering process to create an entirely new document. Eircom appealed, claiming:
1. That the power of the High Court to order discovery of documents does not extend to directing a party to create documents for the purposes of the action.

2. That the power of the High Court to order discovery of documents does not extend to directing a party to create documents that do not exist at the time that the order for discovery is made.

3. That the creation of the documents directed by the High Court imposes a disproportionate burden on the appellant where in order to comply with that order it would be required

(a) to extract in excess of 20 billion call data records from the tapes on which they are currently stored;

(b) to record the said records onto a parallel data base;

(c) to collate and analyse the records on the parallel data base in order to correlate them with the 1800 freephone numbers the subject matter of the order for discovery;

(d) to create therefrom a document containing a report of the total monthly volume of freephone minutes traffic per month from the 1st July 2000 to the 7th April 2005 in respect of each 1800 number by reference to access method by the appellant to international carriers – limited for the time being to those identified and set forth in the Schedule where the volume of minutes trafficked to that international carrier in any given month exceeded 5,000 minutes.
On appeal, the Supreme Court agreed by a majority (Fennelly and Kearns JJ, Geoghegan J dissenting) that the discovery was unnecessary and disproportionate in the particular circumstances of the case. However, on the matter of principle - whether the court could make an order of this type, and whether this amounted to requiring a party to create an entirely new document - the majority (Fennelly and Geoghegan JJ, Kearns J reserving his position) rejected the arguments of Eircom and held that the court could make orders requiring a party to analyse data in their possession and to present it in a certain form. Per Geoghegan J:
The Rules of Court are important and adherence to them is important but if an obvious problem of fair procedures or efficient case management arises in proceedings, the court, if there is no rule in existence precisely covering the situation, has an inherent power to fashion its own procedure and even if there was a rule applicable, the court is not necessarily hidebound by it. It is common knowledge that a vast amount of stored information in the business world which formerly would have been in a documentary form in the traditional sense is now computerised. As a matter of fairness and common sense the courts must adapt themselves to this situation and fashion appropriate analogous orders of discovery. In order to achieve a reasonable parity with traditional documentary discovery it may well be necessary to direct a party "to create documents" within the meaning of the notice of appeal. It may indeed also be necessary to direct a party "to create documents" within the meaning of the notice of appeal even if such "documents" "do not exist at the time the order is made". I am deliberately using quotation marks because I do not intend to adjudicate on the quasi-metaphysical argument of Mr. Paul Anthony McDermott, counsel for the respondent, that the "documents" do in fact "exist". At any rate that matter can probably be argued both ways but I would be firmly of opinion that an order of discovery can be made which involves the creation of documents which do not exist, made in the kind of context in which it is sought in this case. Otherwise, potential litigants could operate their business computers in such a way that they would be able to evade any worthwhile discovery.
This promises to be a very significant decision, and will certainly make electronic discovery more attractive for litigants while at the same time increasing the burden on those from whom discovery is sought.

Wednesday, December 12, 2007

Time to put up the decorations...


...so here's a picture I took this time last year. Merry Christmas all.

More confusion about the legal status of eBay

New internet services sometimes don't fit neatly into the categories drawn by the law. eBay has been and continues to be a prime example. Is it an auction house? On its user agreement page it goes to some lengths to disclaim this status, for the good reason that it does not want the legal baggage that would go with it:
Although eBay is often referred to as an online auction web site, you acknowledge that we are not a traditional auctioneer. Instead, the Site is a venue to allow anyone to offer, sell, and buy just about anything, at any time, from anywhere, in a variety of pricing formats, which include auction-style and fixed price formats. At no point do we have possession of anything listed or sold through the Site.
But the French authorities don't agree and claim that it is subject to the same obligations as traditional auctioneers:
France's auction watchdog is taking eBay to court, arguing the Internet auctioneer does not do enough to protect consumers.

The regulatory authority, called the Council of Sales, said Monday that eBay's French site should be held to the same standards as France's auction houses, which need a special permit from authorities, partly to ensure consumers are protected.

In a statement, eBay's French branch, eBay.fr, said the legal action was "totally unjust." The French site has argued for years that it should not be subject to the same regulations as France's auctioneers.

eBay.fr says it is merely an intermediary, not a traditional auction house, because customers put objects up for sale themselves, and because the site is not involved in negotiating contracts or in delivery and payment.

"eBay has invented a new way of buying and selling, which has been adopted by 10 million French people, and which is not at all the same as that of auction houses," it said.

The Council of Sales, whose members are state-appointed, said it was not trying to crack down on online auctions.

eBay "has been an extraordinary success, which we recognize," said Ariane Chausson, the Council's spokeswoman. "We recommend that all auctioneers do sales on the Internet, because it's a fabulous tool."

But the regulatory authority hopes a judge will rule that eBay.fr is an auction house like any other. It argues that eBay.fr currently has an unfair advantage because it avoids strict regulations set out in a 2000 law.
Similar issues arise when we ask whether eBay is a "host" within the meaning of the E-Commerce Directive and if so whether it will be liable for the wrongdoing (such as trademark infringement or the sale of illegal goods) of its users. In one UK case the General Optical Council commenced a prosecution of eBay for aiding and abetting the illegal sale of contact lenses - but dropped that action after receiving advice that eBay would benefit from the hosting defence in Article 14 of the Directive. Lilian Edwards has more on this case - and suggests that eBay might lose the hosting defence on the basis that it is in a position to exercise control over its users:
[C]ould it be argued that the EBay sellers of contact lenses were acting "under the authority or the control of" EBay? EBay do contractually allow sellers to sell on its site, and take a cut of the profits for doing so. Is this not "authority"? As I have noted before, they are hardly in the same position as a traditional ISP handling myriads of communications in a hands off way. EBay furthermore do at least present something that looks rather like "control" in that they have various Acceptable Use policies relating to what can and cannot be sold on EBay. Contact lenses are specifically mentioned under the "prohibited" list. EBay do their best to make these warnings look advisory -

"eBay is here to help, but you are ultimately responsible for making sure that buying an item or selling your item(s) is allowed on eBay and is not prohibited in the eyes of the law. Follow these steps to find out whether or not your item can be listed on eBay."

- but such words cannot detract from the fact that it seems a reasonable interpretation that eBay's various "prohibited" policies for buyers and sellers are incorporated by reference as part of the terms of the contract with eBay.
More recently, Lilian has also blogged about a current French case which suggests that eBay (and many Web 2.0 sites) might not qualify as a "host" in any event:
[A] French humorist successfully sued MySpace before the Paris first instance tribunal for infringement of his author’s rights and personality rights, as his name, image and some of his sketches were published on a MySpace webpage without his authorisation.

The court found that MySpace performed the role of an Internet host. However it also did other things: it provided "a presentation structure with frames, which is made available to its members" and significantly, it also "broadcasts advertising upon each visit of the webpage, from which it profits".

As a result MySpace did not benefit from the hosting immunity of the EC Electronic Commerce Directive, Art 14, implemented in Article 6.I.2 of the French law “on Confidence in the Digital Economy” (dated 21st June 2004). The French law provides that a hosting provider:

“may not be held civilly liable for the activities or information stored at the request of a recipient of these services if they are effectively unaware of the illegal nature thereof or of the facts and circumstances revealing this illegality or if, as soon as they become aware of them, they have acted promptly to remove these data or make access to them impossible”

MySpace were however deemed not a host but a "publisher". Lacking immunity, MySpace were thus ordered to pay substantial damages.
The legal status of auction sites - along with search engines, content aggregators, hyperlinkers, bulletin boards, and Web 2.0 sites generally - is an area that was largely neglected in the E-Commerce Directive. Hopefully the forthcoming Commission review of the application of the Directive will give more guidance as to how national courts have dealt with these issues.

For more discussion on the legal issues surrounding eBay and similar sites see Andrés Guadamuz González - eBay Law: The legal implications of the C2C electronic commerce model.

Update - 11.02.2008 Lilian has more, this time on eBay's liability for the sale of knives.

Update - 4.07.08 Lilian has still more on the French rulings finding eBay liable for the sale of counterfeit goods by its users.

Copyright Association of Ireland Annual Lecture

The Copyright Association of Ireland Annual Lecture takes place on Monday next (17th December) at 6.30 in the Westin Hotel, Dublin. The lecture will be given by Ronan Deazley with the title "Plagiarist and Prophet: Walter Arthur Copinger and the Anglo-American Copyright Tradition". Ronan Deazley is an expert in the historical development of copyright and the author of the fascinating Rethinking Copyright: History, Theory, Language so this promises to be a very interesting evening. Admission is free and a reception will follow.

Thursday, December 06, 2007

Admissibility of recorded telephone conversations?

The Barristers' Professional Conduct Tribunal has made an interesting ruling on the admissibility of telephone conversations recorded by one party. (The decision was in 2006 but appears not to have attracted much attention then.) From the Sunday Business Post:
The Barristers Professional Conduct Tribunal has ruled that a recording of a phone call by a barrister allegedly racially abusing his Romanian client is admissible in proceedings for professional misconduct...

The Bar Council is investigating claims that the barrister, who was acting for the wife, divulged private information about him in a phone call to his secretary. The woman tape-recorded the remarks...

The barrister’s counsel argued that the tape was inadmissible because it had been made without his consent, so was in breach of the Postal and Telecommunications Services Act 1983.

He also claimed that it violated the barrister’s constitutional right to privacy and breached the European Convention on Human Rights. But the tribunal ruled that the 1983 act had been amended by the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993.

Under that legislation, a telephone conversation can be legally recorded by one of the parties involved, without the other’s consent. Tribunal chairman John Gleeson SC said:
"The fact that one party to a telephone conversation records it does not, in the opinion of the tribunal, give rise to a constitutional difficulty or a breach of the European Convention on Human Rights.

"After all, a party to a telephone conversation is always capable of giving evidence of the contents of that conversation without any recording apparatus, whether by making a contemporaneous note or by simply recalling in evidence what was said during the conversation."

René Rosenstock has more discussion of the legal issues associated with recording telephone calls in Ireland. The Data Protection Commissioner has a case study on the data protection issues involved here.

(Many thanks to Ronan Lupton for pointing out the Sunday Business Post story.)

Wednesday, November 14, 2007

Privacy law roundup

Garda Code of Practice

The Data Protection Commissioner has announced the launch of a data protection code of practice for the Garda Síochána, which will include random audits of the use of the PULSE system. This is the first code of practice to be approved by the Commissioner. More coverage in the Examiner.

Landlord spied on students


The Irish Times reports that 10 students were awarded a total of €115,000 against their landladies who had installed electronic surveillance equipment to spy on them:
Two Dublin landladies have been ordered to pay damages totalling more than €115,000 to 10 students who were tenants in their house after the Circuit Court found they had kept the students under secret electronic surveillance...

The students became concerned in late 2004 that their conversations and activities were being monitored when the McKennas referred to details the students had discussed in private in the house. When they raised the issue with the McKennas, the students were evicted....

Judge Gerard Griffin yesterday found that the evidence in the case left him "in no doubt whatsoever that the defendants had kept these plaintiffs under electronic surveillance".

The judge said he could not say whether it was audio or video surveillance or both, but he was concerned that yellow wires found in the house were of the international standard used for video recording.
This isn't the first instance of this in Ireland - in 2003 a Galway landlord was found to have installed miniature cameras in the ceilings of his female tenants' bedrooms and bathrooms.

Australian proposals for privacy reform

The Australian Law Reform Commission has published a discussion paper on Australian Privacy Law. This substantial document (stretching to 1995 pages in PDF!) proposes a root and branch overhaul of Australian privacy laws and, given its scope and ambition, is likely to be influential on this side of the world also. Some highlights:
Deceased people
The ALRC proposes that some aspects of privacy protection should apply to personal information concerning deceased persons.

In particular:
• data quality and security requirements should apply, so that organisations that hold information about deceased persons must ensure that it is accurate and protected from misuse, loss, unauthorised access or disclosure; and
• there should be some right of access to information for family members. The ALRC has heard that people who had a relationship to the deceased—such as family members — may sometimes need to access information in order to know about medical conditions, or to document family history. Under the proposed changes, any person would be able to apply for access to information relating to a deceased person.

Before releasing information, the organisation would have to consider whether this would have an unreasonable impact on the privacy of others, including the deceased person.

Sensitive information
The ALRC proposes that the definition of sensitive information be changed to include certain types of biometric information.

Biometric information—which can include photographs, fingerprints, iris scans or voice recordings—is like some other sensitive information because it is often linked to an individual’s physical characteristics. It also carries greater risks than some other forms of information—such as the risk of revealing an individual’s cultural origins, or providing information that can allow an individual to be impersonated.

For these reasons, the ALRC proposes that biometric information should be given the same level of protection as other information that is currently treated as sensitive information. This should only apply in certain circumstances, such as where biometric information is collected for purposes of identification.

Email and IP addresses
Technology has changed the types of information that may reveal facts about an individual. For example, an email address or internet protocol (IP) address may reveal much about an individual, but these categories of information may not be covered by the Privacy Act because they may not specifically identify the individual.

The ALRC proposes that the definitions of ‘personal information’ and ‘record’ in the Act be broadened to cover information such as email and IP addresses in some circumstances.

Personal information published on the internet
The internet creates greater opportunity for personal information to be published, sometimes anonymously.

The ALRC is interested in feedback on whether there should be a ‘take down notice’ scheme that would require a website operator to remove information that may constitute an invasion of an individual’s privacy. This could be similar to—or an extension of — a scheme that currently operates for removal of prohibited content, based on decisions of the Classification Board.

Data breach notification
Agencies and organisations are not currently obliged to notify individuals where there has been unauthorised access to their personal information.

The ALRC proposes that individuals be notified where there has been unauthorised access to personal information that could lead to a real risk of harm to any affected individual.

Under this proposal the Privacy Commissioner would oversee the decisions of agencies and organisations about the level of risk and whether individuals should be notified. If the Privacy Commissioner formed the view that there was a real risk of serious harm, he or she could direct that the agency or organisation notify the affected individuals.

Sunday, September 23, 2007

This is why cybersquatters are still in business

According to today's Sunday Business Post, the Berkeley Court, Jury’s Hotel and Jury’s Towers in Ballsbridge are to be reopened under the D4hotels.com brand.

D4hotels.com was registered on Wednesday, but all the other extensions (.ie, .net, etc.) are still free, as are D4hotel.com, .net, etc. Although I'd be more than happy to act for the owners to try to evict the inevitable cybersquatters and typosquatters, it would be substantially cheaper simply to register the other extensions and variants in the first place.

Update: Well, that was quick. D4hotels.net and D4hotels.org were anonymously registered one day later at GoDaddy.com. D4hotel.com was registered on the same day also.

Wednesday, August 29, 2007

"The New Surveillance" in Ireland

I've written a short piece for the Irish Security Industry Association's Risk Manager magazine about "The New Surveillance" and its growth in Ireland:
The recent trial of Joe O’Reilly for the murder of his wife Rachel attracted huge public interest for a number of reasons – the gruesome nature of the crime and the demeanour of the killer among them. But another cause of this public attention was the way in which the trial revealed the extensive digital footprints we leave behind in our day to day activities. In a first for the Irish courts, the prosecution case was built for the most part on digital evidence – including CCTV footage, mobile phone location data, details of calls and text messages and the content of emails.

Though this was the first case to attract such attention, in the background there has been a move towards greater surveillance of everyday life for some time now. For example: since 2002 Irish law has required that telephone companies log details of every telephone call made, every text message sent, and the movements of every mobile phone and that they store that information for three years. European law will extend this to the internet, requiring ISPs to log details of users’ emails, instant messages and web use. Recent legislation has permitted the random breath testing of drivers as well as random drug testing of employees. Within the last month alone Government plans were announced to roll out extensive CCTV schemes to sixteen additional towns, to introduce a national DNA database, to introduce mandatory registration of pre-pay mobile phones, and to introduce automatic number plate recognition systems which will automatically scan all passing cars to see whether they are reported stolen or untaxed.

What do these developments have in common? US academic Gary Marx has described them as “the new surveillance”. Traditionally we might think of surveillance as being something which is unusual or uncommon, carried out by the State, targeted towards a particular individual or group, labour intensive (and thus expensive), and focused on solving or preventing a particular crime. Technological developments (making surveillance easier and cheaper) and changes in social norms (including greater acquiescence to being monitored) have now turned this on its head.

The new surveillance is pervasive – far from being unusual surveillance has become the norm. It is not necessarily carried out by the State – for example, the obligation to track mobile phone users has been effectively outsourced to the mobile phone companies. This, along with increased automation, means that the cost to the State of surveillance can be minimised, doing away with any incentive to restrict surveillance to those situations where it is essential. It is untargeted – in the new surveillance every driver, web user, mobile phone user or pedestrian passing a CCTV camera is scrutinised as though they were a suspect and irrespective of whether any crime has been or is likely to be committed. The new surveillance is also largely invisible, allowing it to fly under the radar of public inspection and concern.

Should this concern us? The underlying technology is neutral in itself – for example, CCTV can be used to prosecute crime or (as in a recent English case) it can be used by its operators to spy on a woman through her bedroom and bathroom window. What matters is the use to which it is put and the legal controls which are in place. At an absolute minimum we should ensure that surveillance is democratically approved; that it is proportionate (going no further than necessary for a particular purpose); that information gained from surveillance be retained for the minimum period necessary; that it be subject to adequate independent oversight; and that sanctions should be in place for individuals or operators who violate these controls.

Unfortunately, Irish law generally fails these requirements. In 1996 the Law Reform Commission identified a range of deficiencies in Irish law on surveillance and over ten years on those problems remain unaddressed. Instead, official surveillance and technology have developed in what is often a legal vacuum. For example, there is no law governing the interception of emails, no law providing for criminal sanctions for the misuse of CCTV systems and no effective oversight of police surveillance. In short, the new surveillance has not been matched by new legal controls, which must raise doubts as to whether many aspects of the new surveillance are compatible with the right to privacy under the Constitution and under the European Convention on Human Rights.
PDF version here.